All Posts

Ok. Back up a little. You have a file. It's supposed to be a certificate (possibly with a certificate chain from trusted rootCA). How did you get it? Did you send someone a CSR to obtain a cert? Did you just get a cert because you mailed/called/faxed/whatever someone and told them "hey, we need a cert"? And the most important question here is - do you have a private key corresponding to that cert?
How to fetch the fieldForLabel value using token(option)? I have to pass fieldForLabel to the query.
<input type="dropdown" token="option">
  <label>Choose from options</label>
  <fieldForLabel>TEST</fieldForLabel>
  <fieldForValue>aaa</fieldForValue>
  <search>
    <query>
      | inputlookup keyvalue_pair.csv | dedup TEST | sort TEST | table TEST aaa
    </query>
  </search>
</input>
Hi @bowesmana Thanks a lot!! You rock!! I did make an attempt at using eventstats, but then it didn't work because the if condition didn't work. It turns out I had to use a match command. I appreciate your help.
My post can be disregarded, simple misinformation and not checking what/where people were running their field extractions (App vs Global permissions on Field and Transform extractions). Cheers nonetheless and thanks for the pointers.
Already tried, it's not working. I reinstalled the whole Splunk once again just to make sure if I am doing anything wrong, but nothing worked.
server.conf -
--> enableSplunkdSSL = true
--> sslRootCAPath = path of root.pem file
--> serverCert = path of server.pem file
--> sslPassword = <mypassword>
--> sslVersions = *,-ssl2
web.conf -
--> sslVersions = *,-ssl2
--> sslPassword = <mypassword>
Thanks for the information. I tried all the possible ways; SSL is not getting configured. Opened another case with Splunk, they are looking. Even if we are trying to configure it from scratch as per the documentation, it's not working. Splunk has asked for the diag file, and we have shared it with them but no response on it yet.
index=_internal source=*splunkd.log* host=<all indexer hosts> bucketreplicator full earliest=-15m | stats count dc(host) as num_indexer_blocked_by_peer by peer | where num_indexer_blocked_by_peer > 0 AND count > 0 | join type=left peer [ search index=_introspection host=<all indexer hosts> hostwide earliest=-10m | stats values(data.instance_guid) as peer by host]
Hi, A couple of notes regarding Network Explorer. The networkExplorer data collection was deprecated in the v0.88.0 Splunk helm chart. That said, the interface from the infrastructure navigator is still available if you ingest networkExplorer data (e.g., tcp.bytes). To ingest this data, you'll probably want to consider the upstream eBPF helm chart along with the OTel collector running as a gateway. This link may help: https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#migrate-from-networkexplorer-to-ebpf-helm-chart
I was able to check _internal and found "SSLError(MaxRetryError("HTTPSConnectionPool(host='redacted.host.com', port=XXX): Max retries exceeded with url: /rest/token (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))")). I have verify SSL set to false in the tenable_consts.py file so I am not sure if that has bearing ... *update* it does not, still getting the same error. Any ideas?
The registration of the DLL worked for us.
index=hum_stg_app "msg.OM_MsgType"=REQUEST msg.OM_Body.header.transactionId=* "msg.service_name"="fai-np-notification" "msg.OM_Body.header.templateType"=vsf_device_auth_otp_template "msg.OM_Body.header.channelType{}"=sms "msg.OM_Body.header.organization"=VSF | rename msg.OM_Body.header.transactionId as transactionId | eval lenth=len(transactionId) |sort 1000000 _time | dedup transactionId _time | search lenth=40 | rename _time as Time1 | eval Request_time=strftime(Time1,"%y-%m-%d %H:%M:%S") | stats count by Time1 transactionId Request_time | appendcols [| search index=hum_stg_app earliest=-30d fcr-np-sms-gateway "msg.service_name"="fcr-np-sms-gateway" "msg.TransactionId"=* "msg.NowSMSResponse"="{*Success\"}" | rename "msg.TransactionId" as transactionId_request|sort 1000000 _time | dedup transactionId_request _time |eval Time=case(like(_raw,"%fcr-np-sms-gateway%"),_time) | eval lenth=len(transactionId_request) | search lenth=40 | dedup transactionId_request | stats count by transactionId_request Time ] | eval Transaction_Completed_time=strftime(Time,"%y-%m-%d %H:%M:%S") | eval Time_dif=Time-Time1 | eval Time_diff=(Time_dif)/3600 | fields transactionId transactionId_request Request_time Transaction_Completed_time count Time_diff Request_time Time Time1
#getting wrong value in Transaction_Completed_time.
Did you ever try referencing icons from the static directory? Seems that only works for images. Any idea on how to accomplish the same but for icons?
H status at
2024-03-07T01:50:00.000-05:00 X 20240307
2024-03-07T03:40:07.000-05:00 X 20240307
C status at
2024-03-07T08:30:22.000-05:00 C 20240307
2024-03-07T08:30:22.000-05:00 C 20240307
So here count 2
One more H status at
2024-03-07T22:40:07.000-05:00 X 20240307
But it's not completed within the day
2024-03-08T08:30:22.000-05:00 C 20240308
Did you ever solve this? I can deploy dashboards with images in the appserver/static folder and they work fine. But it's a different story for icons.
You haven't really explained how you get to a count of 2 given your sample data. Please can you explain your process?
Hello @williamcclark, Is this a Splunk Cloud or on-premise instance? If it is Splunk Cloud and it is a Classic stack, confirm if this app is installed in IDM instead of the SH. Also, I recommend the following:
1 - Open the developer tools of your browser and go to the Console to see if there are any errors shown when you receive this error message.
2 - Look for internal errors of this TA in Splunk. index=_internal source=*tenable*
Thanks.
If the lookup table is small enough, you may be able to update it manually using the Splunk App for Lookup File Editing (https://splunkbase.splunk.com/app/1724). Otherwise, the only way to do it in SPL is to read the entire lookup table, modify the status field using eval or other commands, and then rewrite the lookup table.
| inputlookup Status.csv | eval status=... | outputlookup Status.csv
Comparing both _time and DT and the NUM (different NUM will be there). In the sample data I have the same NUM.
Thank you for the answer