All Posts


Here's a 3rd option if it's helpful? This starts off with a hidden panel; clicking on the row in the table sets a token containing the full URL, which unhides the panel and displays the full URL for the clicked row.

    <dashboard version="1.1">
      <label>Long URL demo (makeresults + hidden full value)</label>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults count=5
    | streamstats count
    | eval schemes=split("https,https,https,http,http", ",")
    | eval hosts=split("alpha.example.com,beta.example.org,gamma.example.net,delta.example.io,epsilon.example.dev", ",")
    | eval paths=split("shop/products/42,blog/2024/10/15/welcome,api/v1/users/12345/profile,media/images/2024/10/banner,docs/guides/install/linux", ",")
    | eval queries=split("ref=newsletter&amp;utm=fall,?tag=splunk&amp;src=forum,?session=abc123&amp;feature=beta,?size=large&amp;color=blue,?step=1&amp;mode=advanced", ",")
    | eval fragments=split("#top,#comments,#details,#preview,#faq", ",")
    | eval url_full=mvindex(schemes,count-1)."://".mvindex(hosts,count-1)."/".mvindex(paths,count-1).mvindex(queries,count-1).mvindex(fragments,count-1)
    | eval host="web-server-00".count
    | eval _full_url=url_full
    | eval url_display=if(len(url_full)&gt;60, substr(url_full,1,60)."…", url_full)
    | table host url_display _full_url</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">row</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <set token="full_url_token">$row._full_url$</set>
            </drilldown>
          </table>
        </panel>
      </row>
      <row depends="$full_url_token$">
        <panel>
          <html>
            <h3>Full URL</h3>
            <p>$full_url_token$</p>
          </html>
        </panel>
      </row>
    </dashboard>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
At first glance it should work.
1. Are you by any chance using INDEXED_EXTRACTIONS?
2. Is your data sent straight from UF to indexers or do you have any HF in the middle?
Route logs from combined_large.log to webapp1_index or webapp2_index based on log content ([webapp1] or [webapp2]).

Setup:
- Universal Forwarder: Windows (sending logs)
- Indexer: Windows (receiving & parsing)
- Logs contain [webapp1] or [webapp2]
- Expect routing to happen on the Indexer

Sample log:

    2025-05-03 16:41:36 [webapp1] Session timeout for user
    2025-04-13 20:25:59 [webapp2] User registered successfully

inputs.conf (on UF):

    [monitor://C:\logs\combined_large.log]
    disabled = false
    sourcetype = custom_combined_log
    index = default

props.conf (on Indexer):

    [custom_combined_log]
    TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index

transforms.conf (on Indexer):

    [route-webapp1_index]
    REGEX = \[webapp1\]
    DEST_KEY = _MetaData:Index
    FORMAT = webapp1_index

    [route-webapp2_index]
    REGEX = \[webapp2\]
    DEST_KEY = _MetaData:Index
    FORMAT = webapp2_index

Tried:
- Verified file is being read
- Confirmed btool loads configs
- Restarted services
- Re-indexed by duplicating the file

Issue: Logs not appearing in either webapp1_index or webapp2_index

Questions:
- Is this config correct?
- Am I missing a key step or wrong config location?
- Any way to debug routing issues?

Any help or insight would be greatly appreciated. Thanks in advance
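An offline check of the routing rules in the question above, added here as an example and not part of the original post or of Splunk's code. It models index-time routing in a simplified way: each transform listed in props.conf runs in order against the raw event, and a later match overwrites the index (an assumption of this sketch); the names `load`, `route` and `EVENTS` and the last two sample events are constructed.

```python
import configparser
import re

# Stanzas as posted in the question above.
PROPS = r"""
[custom_combined_log]
TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index
"""
TRANSFORMS = r"""
[route-webapp1_index]
REGEX = \[webapp1\]
DEST_KEY = _MetaData:Index
FORMAT = webapp1_index

[route-webapp2_index]
REGEX = \[webapp2\]
DEST_KEY = _MetaData:Index
FORMAT = webapp2_index
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (REGEX, DEST_KEY, FORMAT)
    cp.read_string(text)
    return cp

def route(raw, sourcetype, input_index="default"):
    """Index a simplified model of the posted transforms would assign."""
    props, transforms = load(PROPS), load(TRANSFORMS)
    index = input_index  # value set in inputs.conf on the forwarder
    # The props stanza only applies when it matches the event's sourcetype.
    section = props[sourcetype] if props.has_section(sourcetype) else {}
    for key, value in section.items():
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]  # KeyError: props names a missing stanza
                if t["DEST_KEY"] == "_MetaData:Index" and re.search(t["REGEX"], raw):
                    index = t["FORMAT"]  # assumption: a later match overwrites
    return index

# First two events are the post's samples; the last two are constructed.
EVENTS = [
    "2025-05-03 16:41:36 [webapp1] Session timeout for user",
    "2025-04-13 20:25:59 [webapp2] User registered successfully",
    "2025-05-03 16:41:40 [webapp3] Cache warmed",
    "2025-05-03 16:41:41 [webapp1] Call to [webapp2] failed",
]
if __name__ == "__main__":
    for e in EVENTS:
        print(f"{route(e, 'custom_combined_log'):<14} {e}")
```

If the regexes and stanza names check out here, as they do for the posted samples, the place to look next is where the configuration is applied rather than what it contains, which is what the reply about INDEXED_EXTRACTIONS and intermediate forwarders is probing.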
Being a client of oneself can have some strange results, especially if you deploy an app modifying DS behaviour (especially repo location). I suppose it could lead to a restart loop or some similar "funny" side effects. But even without it, you could accidentally push some general settings involuntarily modifying DS behaviour in an undesired way (even disabling it entirely).
I'm not aware of any built-in visualization component providing such functionality. In a simpleXML dashboard you could probably do that with custom JS. Of course @livehybrid's idea can shorten your data if it's over a certain limit, but you're left with just a shortened version - no "click to unwrap" functionality.
Hi @danielbb

The docs state:

Important: The deployment server cannot be a deployment client of itself. If it is, the following error will appear in splunkd.log: "This DC shares a Splunk instance with its DS: unsupported configuration". This has the potential to lead to situations where the deployment clients lose their ability to contact the deployment server.

https://help.splunk.com/en/splunk-enterprise/administer/update-your-deployment/9.4/configure-the-deployment-system/configure-deployment-clients#:~:text=The%20deployment%20server%20cannot%20be%20a%20deployment%20client%20of%20itself
It's an unsupported configuration.  It was explicitly prohibited at one time, but I can't find that documented now. Note that it is possible for a DS to be a client of another DS.  This hierarchical structure has been used to manage multiple DSs when there are too many endpoints for a single DS to handle.
Dinesh, please create a support case for us to troubleshoot further: https://mycase.cloudapps.cisco.com/
Suresh, I would suggest you create a support case, so that someone from the team can help you install it: https://mycase.cloudapps.cisco.com/case
Why shouldn't the DS be a client of itself? Any reasoning here?
Hi @danielbb

As @richgalloway said, you can't/shouldn't have the DS as a client to itself - you should deploy apps onto your DS under $SPLUNK_HOME/etc/apps in the same way you deploy to $SPLUNK_HOME/etc/deployment_apps
Further to my other reply, if you just want to truncate you could use the substr() function:

    | eval url_chunked=substr(url_full,0,50)."..."

Full example:

    | makeresults count=1
    | eval SomeField="Some Value"
    | eval host="web-server-001"
    | eval url_full="https://example.com/a/very/long/path/that/goes/on/and/on/and/on/until/it/reaches_the/really/really/far/end/adding/more/segments/to/demonstrate/excessive/length/in/this/uri/string/exceeding/every/reasonable/limit/for/display/in/default/table/view"
    | eval url_chunked=substr(url_full,0,50)."..."
    | fields - url_full
Hi @NoSpaces

You can use a REX command with multiple match allowance/limit to chunk the url into the length required; this would then split it across multiple lines. Would this help?

    | rex max_match=100 field=url_full "(?<url_chunked>[\S]{1,50})"

Full example:

    | makeresults count=1
    | eval SomeField="Some Value"
    | eval host="web-server-001"
    | eval url_full="https://example.com/a/very/long/path/that/goes/on/and/on/and/on/until/it/reaches_the/really/really/far/end/adding/more/segments/to/demonstrate/excessive/length/in/this/uri/string/exceeding/every/reasonable/limit/for/display/in/default/table/view"
    | rex max_match=100 field=url_full "(?<url_chunked>[\S]{1,50})"
    | fields - url_full
Hello everyone! I'm trying to create a table view of IIS logs. The main issue I've encountered is some very long URL fields. In similar situations elsewhere, I've seen interactive "URL wrapping" — like clicking or hovering to reveal the full link. But Splunk's table view doesn't seem to offer anything like that. How can I handle this?
Hi @TestUser

There used to be a placeholder configuration in UCC but unfortunately it was deprecated (https://splunk.github.io/addonfactory-ucc-generator/advanced/oauth_support/#properties:~:text=The%20Placeholder%20attribute%20is%20deprecated%20and%20renounced.%20Instead%2C%20we%20recommend%20to%20use%20the%20%E2%80%9Chelp%E2%80%9D%20attribute.) which I was personally a bit frustrated by, but anyway, the alternative recommendation from the engineering team is to use the 'help' configuration such as:

    {
        "field": "name",
        "label": "Name",
        "type": "text",
        "required": true,
        "help": "Enter a name.."
    },

This will appear *under* the text box, but it's better than nothing! #bringBackPlaceholder
A Deployment Server cannot be a client of itself.  Any apps the DS needs should be installed manually.
Hi @Dolly

postgres was incorrectly included in some 9.4.x UF builds, therefore if you are upgrading from one of these builds then the UF will "quarantine" the postgres binary as it's not required/expected in the UF bin directory.

You can safely remove the postgres binary from within the quarantine directory as it is not needed.
I have two DSs that fail to deploy the TA_nix to themselves. How is it normally done? Meaning, how does the deployment server deploy to itself?
I want to show it in the configuration page tab, where I'm getting the date format as the input, where I need to show the example format of date input in the tab. Thanks
Hi @Dolly,

Splunk recently (especially in newer 9.x versions) introduced mechanisms to quarantine suspicious or unexpected binaries during startup or upgrade. As part of the App Integrity Checking or Quarantine subsystem, it moved that binary out of active paths into quarantined_files for security reasons.

During an upgrade, Splunk validates installed apps and files. If it finds unexpected binaries (especially those with execution permissions or high-risk names like postgres, bash, sh), it moves them to quarantined_files/ to prevent unintended execution.