Yah.  And ole Lizzy Li, the principal product manager, indicated in a .conf session that "parity" between Classic and DS was their intent.  So much for parity.
Does Splunk support fill-forward or "last observation carried forward"? I want to create daily-based monitoring. One example is getting the version of all reported items. I'm getting the version only if it has changed. For each day I need the last available version of the item. How can this be realized in Splunk to produce a line chart?

Thank you in advance,
Markus
I have promoted multiple events into a case. From the case, I will run a playbook. I understand that I can use the following container automations to set the status to closed:

phantom.update()
phantom.close()
phantom.set_status()

However, these 3 playbook calls are only able to set the case's status to closed. Is it possible to also set the status of the promoted events within the case to closed? For example, I have the following events:

Event #1
Event #2
Event #3

When these 3 events are promoted to a case and I run the playbook from this case, is it possible to set the status of this case and the 3 events to closed?
@Leonardo1998 In addition to other recommendations: You can configure a dedicated VM and install either syslog-ng or rsyslog, making it act as a syslog forwarder. Network devices (such as firewalls, routers, and switches) can then be configured to send logs over a custom port to this syslog forwarder. On the syslog forwarder, update the syslog-ng.conf or rsyslog.conf to capture these logs and store them in a specific directory. From here, you have two options:

1. Install the Splunk Universal Forwarder (UF) on the server and configure it to forward the logs to the Splunk indexers.
2. Or, install the full Splunk Enterprise package on the server and use it as a Heavy Forwarder (HF).

If the server is used as a Heavy Forwarder, you can also install the relevant Technology Add-ons (TAs) for parsing. For example, if you're onboarding Fortinet firewall logs, you can install the Fortinet Add-on on this HF for proper parsing before forwarding the logs to the indexers.

https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html?locale=en_us
I started looking into Splunk Connect for SNMP (SC4SNMP) and I'm reviewing the documentation and requirements. One thing I'm not entirely sure about: Can I install SC4SNMP (Docker container) on the same machine where I already have my Intermediate Forwarder, or would it be better to run it on the Deployment Server?
Thanks a lot for your reply! For log collection, SC4S looks like a great fit — we'll definitely look into it. That said, we’re also interested in the infrastructure-level monitoring of our network devices — things like interface status, bandwidth usage, CPU load, etc. In this case, is it possible (or recommended) to use SNMP with Splunk? If so, are there supported solutions or best practices for integrating SNMP metrics into Splunk in an agentless way? Any advice or experience would be greatly appreciated!
@livehybrid, thank you for your response. Unfortunately we need to set the election to false remotely on each member, so I guess that is not possible with an API call, as we do not have POST. I will look into other possibilities. Thank you again.
Hi @Leonardo1998 I would recommend looking at Splunk Connect for Syslog (SC4S) https://splunk.github.io/splunk-connect-for-syslog/main/ as this is designed exactly for taking syslog feeds from network infrastructure, parsing them and then sending them to your Splunk instance over HTTP Event Collector (HEC).

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Raja1 You cannot set a static captaincy using the POST request; instead use the following. To switch to a static captain, reconfigure each cluster member to use a static captain:

1. On the member that you want to designate as captain, run this CLI command:
   splunk edit shcluster-config -mode captain -captain_uri <URI>:<management_port> -election false

2. On each non-captain member, run this CLI command:
   splunk edit shcluster-config -mode member -captain_uri <URI>:<management_port> -election false

For more info check out https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.3/manage-search-head-clustering/use-static-captain-to-recover-from-loss-of-majority#id_523dfe8f_7801_49b2_b533_7a0fec0b053d__Use_static_captain_to_recover_from_loss_of_majority
Ahh, my apologies @tgulgund - I misunderstood what you were looking for. Unfortunately embedding HTML directly in Dashboard Studio is not available/supported - only the limited Markdown syntax.
Hi @shangxuan_shi It would be worthwhile raising a Support ticket yourself as well as @Butz's ticket; this will add a little weight, as it demonstrates that multiple users are affected by the issue. You can access Support via https://www.splunk.com/support
Hello everyone, we’re currently working on integrating our network devices (such as routers, switches, and firewalls) into Splunk to enable centralized monitoring and log collection. As these are network appliances, we’re required to proceed in agentless mode, since installing agents or forwarders directly on the devices is not an option. We would really appreciate any guidance or suggestions on:

- The best approaches for agentless integration (e.g., Syslog, SNMP, NetFlow, APIs)
- Any recommended Splunk add-ons or apps to support this
- Best practices or examples from similar implementations

Thanks in advance for your help and insights!
Thanks @livehybrid I have an embed link for a widget on the external website and want to display it on my dashboard. I have an <iframe></iframe> link. How do I add it to my dashboard?
Thanks. I am looking to add an embedded widget from an external site and I have an <iframe></iframe> link. How do I add it to my dashboard?
Hi @tgulgund Using Dashboard Studio you can create a link by using the Markdown object. The following markdown is what was used in this example:

This is a link to [google](https://www.google.com)

If unfamiliar with markdown, essentially you put the text in square brackets followed by the URL in regular brackets. Here is a full dashboard example:

{
  "title": "testing",
  "description": "",
  "inputs": {},
  "defaults": {
    "dataSources": {
      "ds.search": { "options": { "queryParameters": { "earliest": "-24h@h", "latest": "now" } } }
    }
  },
  "visualizations": {
    "viz_hwZoBg6m": {
      "options": { "fontSize": "extraLarge", "markdown": "This is a link to [google](https://www.google.com)" },
      "type": "splunk.markdown"
    }
  },
  "dataSources": {
    "ds_UUxjD5lL": {
      "name": "Search_1",
      "options": { "query": "index=cultivar* clientip!=\"\\\"-\\\"\" | iplocation clientip | geostats latfield=lat longfield=lon count by method " },
      "type": "ds.search"
    },
    "search1": { "name": "search1", "options": { "query": "| makeresults \n| eval msg=\"Search 1\"" }, "type": "ds.search" },
    "search2": { "name": "search2", "options": { "query": "| makeresults \n| eval msg=\"Search2\"" }, "type": "ds.search" }
  },
  "layout": {
    "globalInputs": [],
    "layoutDefinitions": {
      "layout_1": {
        "options": { "display": "auto", "height": 960, "width": 1440 },
        "structure": [
          { "item": "viz_hwZoBg6m", "position": { "h": 190, "w": 830, "x": 0, "y": 0 }, "type": "block" }
        ],
        "type": "absolute"
      }
    },
    "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] }
  }
}
And what events are you expecting? As per the TA description, it provides custom search commands, not inputs.
Thank you for raising the support ticket. But I am quite new to Splunk. May I know how long Splunk will take to respond to the ticket and resolve the bug? Also, just to check with you, this is a new error that just occurred, right? Because I did not encounter this error weeks ago.
I am trying to set the kvstore captain in maintenance mode, but when I try to set the kvstore captain in maintenance mode, it says that maintenance mode can only be set on the "static captain". I can switch to static captain using the following command successfully:

splunk edit shcluster-config -mode captain -captain_uri <URI>:<management_port> -election false

But I have to set election to false on the non-captain members, for which I am trying the curl command, which fails:

curl -k -u username:password -X POST -d '{"mode":"member", "captain_uri":"https://captain.example.net:port","election":"false","target_uri":"https://member.example.net:port"}' https://member.example.net:port/services/shcluster/config/

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
</messages>
</response>

As per the documentation I can only see the GET call (https://docs.splunk.com/Documentation/Splunk/9.4.2/RESTREF/RESTcluster#shcluster.2Fconfig). Are there any other alternatives to set election=false for the non-captain members remotely?
I have a dashboard built using Dashboard Studio and I need to embed an external link, but I am unable to do so. How do I add an external embed link?
Is there a REST call to set the election to false from the captain for each cluster member, instead of logging into each search head member and running the command:

/opt/splunk/bin/splunk edit shcluster-config -mode member -captain_uri https://your-Captain-SH-address:8089 -election false