All Posts

Yes, but it's still showing the same error:

```
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: applicationName=APPLICATION_NAME.
```

This is the query which I am using:

```
index=mulesoft environment=$env$ applicationName=$BankApp$ InterfaceName=$interface$ (priority="ERROR" OR priority="WARN")
| stats values(*) as * by correlationId
| rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
| eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS")
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| where FileList!=" "
```

Try changing the applicationName to APPLICATION_NAME in the prefix:

```xml
<input type="dropdown" token="BankApp" searchWhenChanged="true">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME</query>
  </search>
  <fieldForLabel>ApplicationName</fieldForLabel>
  <fieldForValue>APPLICATION_NAME</fieldForValue>
  <default>*</default>
  <prefix>APPLICATION_NAME="</prefix>
  <suffix>"</suffix>
</input>
```

In the second lookup, you are trying to filter with applicationName="" whereas the lookup file seems to have APPLICATION_NAME as header.

Your fieldForLabel has to be a field returned by the search query, which it isn't in both instances
Hi, I have installed the Cisco Networks app and add-on. I have a labdata file with many events loaded to Splunk. All data can be seen from search engine, but the app shows no result. Is it possible to use the labdata information on Cisco Networks? Should I add some configuration in order for it to work?
To summarize:

```
434531263412:us-west-2:lambda_functions -> lambda_functions
434531263412:us-west-2:nat_gateways -> gateways
434531263412:us-west-2:application_load_balancers -> load_balancers
```

If this is correct then more information is needed. What is the rule to use to determine how much of the service is to be used?

```
04-18-2024 13:36:06.590 ERROR EvalCommand [102993 searchOrchestrator] - The 'bit_shift_left' function is unsupported or undefined.
```

I believe the function requires 9.2.0+

Thanks for noticing! I always assumed that bitwise operations had been part of SPL from day one but no. The document has this footer: "This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1." (Searching in previous versions results in the same pointers to 9.2.)

For the above, should the second set have been given a different value for the field?

Those are really bad copy-and-paste errors. Corrected.

Thanks in advance. I am trying to fetch application name and interface details from input lookup and match with the Splunk query. But I am getting the below error:

```
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: applicationName=applicationName.
```

```xml
<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME</query>
  </search>
  <fieldForLabel>ApplicationName</fieldForLabel>
  <fieldForValue>APPLICATION_NAME</fieldForValue>
  <default>*</default>
  <prefix>applicationName="</prefix>
  <suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
  <label>InterfaceName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort INTERFACE_NAME | table INTERFACE_NAME</query>
  </search>
  <fieldForLabel>InterfaceName</fieldForLabel>
  <fieldForValue>INTERFACE_NAME</fieldForValue>
  <default>*</default>
  <prefix>InterfaceName="</prefix>
  <suffix>"</suffix>
</input>
```

Hi @Jerg.Weick, Thanks for your patience, Eng has confirmed it's a bug and is expected to be fixed in 24.4. Which should hopefully be by mid-May.
You should just replace this  splunk_server=* and then it sends that to all search peers. I cannot recall what are those endpoints, but it’s something under config or configurations.
It's okay. I was able to figure out how to install this. It's a bit odd that dependencies like this are not automatically managed.
Hi @yew, I’m a Community Moderator in the Splunk Community. This question was posted 8 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 
I am new to dashboards building. Can I get the XML code pls?
Check some of the app permissions settings using the below, this may help troubleshoot - it sounds like a permissions issue.

```
| rest splunk_server=local servicesNS/nobody/search/configs/conf-macros
| search eai:acl.app=my_new_app
```

The URI above does not give me any errors but returns an empty array even though my API account has dashboard view and admin permissions. If this URI was replaced by another, it seems that the old one should give an error.
@karthi2809 Try this example.

Changes: While setting the token on the change event, you should use the values.

PS: Added a token to the Interface text to demonstrate the changes.

```xml
<form version="1.1" theme="light">
  <label>Depends_Rejects</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel id="panel_layout">
      <input id="input_link_split_by" type="link" token="tokSplit" searchWhenChanged="true">
        <label></label>
        <choice value="Finance">OVERVIEW</choice>
        <choice value="BankIntegrations">BANKS</choice>
        <default>OVERVIEW</default>
        <initialValue>OVERVIEW</initialValue>
        <change>
          <condition value="Finance">
            <set token="Finance">$value$</set>
            <unset token="BankIntegrations"></unset>
          </condition>
          <condition value="BankIntegrations">
            <set token="BankIntegrations">$value$</set>
            <unset token="Finance"></unset>
          </condition>
        </change>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <input type="time" token="time" searchWhenChanged="true">
        <label>Time Interval</label>
        <default>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="dropdown" token="env" searchWhenChanged="true">
        <label>Environment</label>
        <choice value="*">ALL</choice>
        <choice value="DEV">DEV</choice>
        <choice value="TEST">TEST</choice>
        <choice value="PRD">PRD</choice>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="dropdown" token="applicationName" searchWhenChanged="true" depends="$Finance$" rejects="$BankIntegrations$">
        <label>ApplicationName</label>
        <choice value="*">ALL</choice>
        <choice value="p-wd-finance-api">p-wd-finance-api</choice>
        <default>"p-wd-finance-api</default>
        <initialValue>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</initialValue>
        <fieldForLabel>ApplicationName</fieldForLabel>
        <fieldForValue>ApplicationName</fieldForValue>
      </input>
      <input type="text" token="InterfaceName" searchWhenChanged="true" depends="$Finance$" rejects="$BankIntegrations$">
        <label>InterfaceName</label>
        <default>$tokSplit$</default>
        <initialValue></initialValue>
      </input>
      <input type="dropdown" token="applicationName" searchWhenChanged="true" depends="$BankIntegrations$" rejects="$Finance$">
        <label>ApplicationName</label>
        <choice value="p-wd-finance-api">p-wd-finance-api</choice>
        <default>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</default>
        <initialValue>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</initialValue>
        <fieldForLabel>ApplicationName</fieldForLabel>
        <fieldForValue>ApplicationName</fieldForValue>
      </input>
      <input type="text" token="InterfaceName" searchWhenChanged="true" depends="$BankIntegrations$" rejects="$Finance$">
        <label>InterfaceName</label>
        <default>$tokSplit$</default>
        <initialValue></initialValue>
      </input>
    </panel>
  </row>
</form>
```

Hope it helps!

A few things to check:

1. Have you enabled whitelisting for HEC, as this is cloud, or are firewalls blocking?
2. Check logs: journalctl -b -u sc4s
3. Check all your indexes have been created in Splunk Cloud.
4. Check the indexes are mapped: /opt/sc4s/local/context/splunk_index.csv
5. Try basic testing using curl - create a token and use the below, may need some tuning: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HTTPEventCollectortokenmanagement

Use below example and change to your stack name:

```
curl "https://http-inputs.mysplunkserver.splunkcloud.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'
```

How do I install reinstall this add-on within a cloud instance?
Yes, but nothing relevant
Hiya,

I'm trying to use the Splunk REST API to update macros that I've recently had to move to live under a different app that isn't the default `search` app.

Before when the macro lived in the `search` app I was able to make a POST request to

```
/servicesNS/<account>/search/admin/macros/<macroName>
```

And this worked:

```python
elif search_or_macro == 'macros':
    url = '<ROOT>/servicesNS/<ACCOUNT>/search/admin/macros/{}'.format(macro_name)
    res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})
```

However once I moved the macros to live under a new app, let's call it `my_new_app`, POST requests no longer work to update the macro. This is what I have currently:

```python
elif search_or_macro == 'macros':
    url = '<ROOT>/servicesNS/nobody/my_new_app/admin/macros/{}'.format(macro_name)
    res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})
```

I have tried replacing `nobody` with:

- admin
- the account that owns the macro

However neither of these work. I used the following Splunk command to verify that the endpoint does seem to exist:

```
| rest /servicesNS/<ACCOUNT>/my_new_app/admin/macros/<MACRO NAME>
| search author=<ACCOUNT>
```

And when I run that I get the following `id`:

```
https://127.0.0.1:8089/servicesNS/nobody/my_new_app/admin/macros/<MACRO NAME>
```

I have also read through the REST API documentation here:

https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTTUT/RESTbasicexamples
https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTUM/RESTusing#Namespace
https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTUM/RESTusing

However none of these explicitly describe how to update macros, and all I can seem to find when googling are old posts from 2015-2019 that weren't applicable to what I am trying to achieve.

Any help here would greatly be appreciated, I feel like I'm missing something simple but can't find further documentation that applies to macros.

@selvam_sekar Are you trying to achieve something similar? Here is a run anywhere example. Number input is only to change the value in the A box for demonstration.

```json
{
  "visualizations": {
    "viz_mP9NTc6l": {
      "type": "splunk.singlevalue",
      "options": { "trendColor": "#171d21", "backgroundColor": "#dc4e41" },
      "dataSources": { "primary": "ds_uCpsCnrn" }
    },
    "viz_5qfKAE2H": {
      "type": "splunk.singlevalue",
      "options": { "backgroundColor": "#b6c75a" },
      "dataSources": { "primary": "ds_s5yiPOpw_ds_uCpsCnrn" }
    },
    "viz_lwpeyQcS": {
      "type": "splunk.singlevalue",
      "options": { "backgroundColor": "#62b3b2" },
      "dataSources": { "primary": "ds_6iVMrVEi_ds_s5yiPOpw_ds_uCpsCnrn" }
    },
    "viz_P6dRCwGc": { "type": "abslayout.line" },
    "viz_jTW6Jy5J": { "type": "abslayout.line" }
  },
  "dataSources": {
    "ds_uCpsCnrn": {
      "type": "ds.search",
      "options": { "enableSmartSources": true, "query": "| makeresults count=$number$\n| stats count" },
      "name": "A"
    },
    "ds_s5yiPOpw_ds_uCpsCnrn": {
      "type": "ds.search",
      "options": { "enableSmartSources": true, "query": "| makeresults count=5\n| stats count" },
      "name": "B"
    },
    "ds_6iVMrVEi_ds_s5yiPOpw_ds_uCpsCnrn": {
      "type": "ds.search",
      "options": { "enableSmartSources": true, "query": "| makeresults\r\n| eval variance=$A:result.count$ - $B:result.count$\r\n| table variance" },
      "name": "Variant"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
      "title": "Global Time Range"
    },
    "input_vWVKiJlJ": {
      "options": { "defaultValue": 10, "token": "number" },
      "title": "Number Input Title",
      "type": "input.number"
    }
  },
  "layout": {
    "type": "absolute",
    "options": { "width": 1440, "height": 960, "display": "auto" },
    "structure": [
      { "item": "viz_mP9NTc6l", "type": "block", "position": { "x": 410, "y": 170, "w": 150, "h": 100 } },
      { "item": "viz_5qfKAE2H", "type": "block", "position": { "x": 680, "y": 170, "w": 150, "h": 100 } },
      { "item": "viz_lwpeyQcS", "type": "block", "position": { "x": 520, "y": 370, "w": 150, "h": 100 } },
      { "item": "viz_P6dRCwGc", "type": "line", "position": { "from": { "x": 483, "y": 274 }, "to": { "item": "viz_lwpeyQcS", "port": "n" } } },
      { "item": "viz_jTW6Jy5J", "type": "line", "position": { "from": { "x": 756, "y": 272 }, "to": { "item": "viz_lwpeyQcS", "port": "n" } } }
    ],
    "globalInputs": [ "input_global_trp", "input_vWVKiJlJ" ]
  },
  "description": "",
  "title": "Variance_Test"
}
```