It's okay. I was able to figure out how to install this. It's a bit odd that dependencies like this are not automatically managed.
Hi @yew, I’m a Community Moderator in the Splunk Community. This question was posted 8 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
I am new to dashboard building. Can I get the XML code please?
Check some of the app permissions settings using the below; this may help troubleshoot - it sounds like a permissions issue.

    | rest splunk_server=local servicesNS/nobody/search/configs/conf-macros | search eai:acl.app=my_new_app
The URI above does not give me any errors but returns an empty array even though my API account has dashboard view and admin permissions. If this URI was replaced by another, it seems that the old one should give an error.
@karthi2809 Try this example. Changes: while setting the token on the change event, you should use the values. PS: added a token to the Interface text to demonstrate the changes.

    <form version="1.1" theme="light">
      <label>Depends_Rejects</label>
      <fieldset submitButton="false"></fieldset>
      <row>
        <panel id="panel_layout">
          <input id="input_link_split_by" type="link" token="tokSplit" searchWhenChanged="true">
            <label></label>
            <choice value="Finance">OVERVIEW</choice>
            <choice value="BankIntegrations">BANKS</choice>
            <default>OVERVIEW</default>
            <initialValue>OVERVIEW</initialValue>
            <change>
              <condition value="Finance">
                <set token="Finance">$value$</set>
                <unset token="BankIntegrations"></unset>
              </condition>
              <condition value="BankIntegrations">
                <set token="BankIntegrations">$value$</set>
                <unset token="Finance"></unset>
              </condition>
            </change>
          </input>
        </panel>
      </row>
      <row>
        <panel>
          <input type="time" token="time" searchWhenChanged="true">
            <label>Time Interval</label>
            <default>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </default>
          </input>
          <input type="dropdown" token="env" searchWhenChanged="true">
            <label>Environment</label>
            <choice value="*">ALL</choice>
            <choice value="DEV">DEV</choice>
            <choice value="TEST">TEST</choice>
            <choice value="PRD">PRD</choice>
            <default>*</default>
            <initialValue>*</initialValue>
          </input>
          <input type="dropdown" token="applicationName" searchWhenChanged="true" depends="$Finance$" rejects="$BankIntegrations$">
            <label>ApplicationName</label>
            <choice value="*">ALL</choice>
            <choice value="p-wd-finance-api">p-wd-finance-api</choice>
            <default>"p-wd-finance-api</default>
            <initialValue>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</initialValue>
            <fieldForLabel>ApplicationName</fieldForLabel>
            <fieldForValue>ApplicationName</fieldForValue>
          </input>
          <input type="text" token="InterfaceName" searchWhenChanged="true" depends="$Finance$" rejects="$BankIntegrations$">
            <label>InterfaceName</label>
            <default>$tokSplit$</default>
            <initialValue></initialValue>
          </input>
          <input type="dropdown" token="applicationName" searchWhenChanged="true" depends="$BankIntegrations$" rejects="$Finance$">
            <label>ApplicationName</label>
            <choice value="p-wd-finance-api">p-wd-finance-api</choice>
            <default>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</default>
            <initialValue>p-oracle-fin-processor","p-oracle-fin-processor-2","p-wd-finance-api</initialValue>
            <fieldForLabel>ApplicationName</fieldForLabel>
            <fieldForValue>ApplicationName</fieldForValue>
          </input>
          <input type="text" token="InterfaceName" searchWhenChanged="true" depends="$BankIntegrations$" rejects="$Finance$">
            <label>InterfaceName</label>
            <default>$tokSplit$</default>
            <initialValue></initialValue>
          </input>
        </panel>
      </row>
    </form>

Hope it helps!
A few things to check:
1. Have you enabled whitelisting for HEC, as this is Cloud, or are firewalls blocking?
2. Check the logs: journalctl -b -u sc4s
3. Check that all your indexes have been created in Splunk Cloud.
4. Check the indexes are mapped in /opt/sc4s/local/context/splunk_index.csv
5. Try basic testing using curl - create a token and use the below; it may need some tuning: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HTTPEventCollectortokenmanagement

Use the example below and change it to your stack name:

    curl "https://http-inputs.mysplunkserver.splunkcloud.com:8088/services/collector" \
      -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
      -d '{"event": "Hello, world!", "sourcetype": "manual"}'
How do I install or reinstall this add-on within a cloud instance?
Yes, but nothing relevant
Hiya, I'm trying to use the Splunk REST API to update macros that I've recently had to move to live under a different app that isn't the default `search` app. Before, when the macro lived in the `search` app, I was able to make a POST request to

    /servicesNS/<account>/search/admin/macros/<macroName>

And this worked:

    elif search_or_macro == 'macros':
        url = '<ROOT>/servicesNS/<ACCOUNT>/search/admin/macros/{}'.format(macro_name)
        res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})

However, once I moved the macros to live under a new app, let's call it `my_new_app`, POST requests no longer work to update the macro. This is what I have currently:

    elif search_or_macro == 'macros':
        url = '<ROOT>/servicesNS/nobody/my_new_app/admin/macros/{}'.format(macro_name)
        res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})

I have tried replacing `nobody` with:
- admin
- the account that owns the macro

However, neither of these work. I used the following Splunk command to verify that the endpoint does seem to exist:

    | rest /servicesNS/<ACCOUNT>/my_new_app/admin/macros/<MACRO NAME> | search author=<ACCOUNT>

And when I run that I get the following `id`:

    https://127.0.0.1:8089/servicesNS/nobody/my_new_app/admin/macros/<MACRO NAME>

I have also read through the REST API documentation here:
- https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTTUT/RESTbasicexamples
- https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTUM/RESTusing#Namespace
- https://docs.splunk.com/Documentation/Splunk/9.1.3/RESTUM/RESTusing

However, none of these explicitly describe how to update macros, and all I can seem to find when googling are old posts from 2015-2019 that weren't applicable to what I am trying to achieve. Any help here would be greatly appreciated; I feel like I'm missing something simple but can't find further documentation that applies to macros.
@selvam_sekar Are you trying to achieve something similar? Here is a run-anywhere example. The number input is only there to change the value in the A box for demonstration.

    {
      "visualizations": {
        "viz_mP9NTc6l": {
          "type": "splunk.singlevalue",
          "options": { "trendColor": "#171d21", "backgroundColor": "#dc4e41" },
          "dataSources": { "primary": "ds_uCpsCnrn" }
        },
        "viz_5qfKAE2H": {
          "type": "splunk.singlevalue",
          "options": { "backgroundColor": "#b6c75a" },
          "dataSources": { "primary": "ds_s5yiPOpw_ds_uCpsCnrn" }
        },
        "viz_lwpeyQcS": {
          "type": "splunk.singlevalue",
          "options": { "backgroundColor": "#62b3b2" },
          "dataSources": { "primary": "ds_6iVMrVEi_ds_s5yiPOpw_ds_uCpsCnrn" }
        },
        "viz_P6dRCwGc": { "type": "abslayout.line" },
        "viz_jTW6Jy5J": { "type": "abslayout.line" }
      },
      "dataSources": {
        "ds_uCpsCnrn": {
          "type": "ds.search",
          "options": { "enableSmartSources": true, "query": "| makeresults count=$number$\n| stats count" },
          "name": "A"
        },
        "ds_s5yiPOpw_ds_uCpsCnrn": {
          "type": "ds.search",
          "options": { "enableSmartSources": true, "query": "| makeresults count=5\n| stats count" },
          "name": "B"
        },
        "ds_6iVMrVEi_ds_s5yiPOpw_ds_uCpsCnrn": {
          "type": "ds.search",
          "options": {
            "enableSmartSources": true,
            "query": "| makeresults\r\n| eval variance=$A:result.count$ - $B:result.count$\r\n| table variance"
          },
          "name": "Variant"
        }
      },
      "defaults": {
        "dataSources": {
          "ds.search": {
            "options": {
              "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" }
            }
          }
        }
      },
      "inputs": {
        "input_global_trp": {
          "type": "input.timerange",
          "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
          "title": "Global Time Range"
        },
        "input_vWVKiJlJ": {
          "options": { "defaultValue": 10, "token": "number" },
          "title": "Number Input Title",
          "type": "input.number"
        }
      },
      "layout": {
        "type": "absolute",
        "options": { "width": 1440, "height": 960, "display": "auto" },
        "structure": [
          { "item": "viz_mP9NTc6l", "type": "block", "position": { "x": 410, "y": 170, "w": 150, "h": 100 } },
          { "item": "viz_5qfKAE2H", "type": "block", "position": { "x": 680, "y": 170, "w": 150, "h": 100 } },
          { "item": "viz_lwpeyQcS", "type": "block", "position": { "x": 520, "y": 370, "w": 150, "h": 100 } },
          { "item": "viz_P6dRCwGc", "type": "line", "position": { "from": { "x": 483, "y": 274 }, "to": { "item": "viz_lwpeyQcS", "port": "n" } } },
          { "item": "viz_jTW6Jy5J", "type": "line", "position": { "from": { "x": 756, "y": 272 }, "to": { "item": "viz_lwpeyQcS", "port": "n" } } }
        ],
        "globalInputs": [ "input_global_trp", "input_vWVKiJlJ" ]
      },
      "description": "",
      "title": "Variance_Test"
    }
I have just got my licence today.
Thanks for providing some example events in a code block - very informative. The main issue with your request is that you haven't explained how the events are to be correlated between the two sources and how you would like to count them to give the desired result. Also, it appears that your search for the second source is not quite right (unless there are other events which match the search criteria that you have shared), e.g. should "<---" be "<===" in the search?
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, after which no new versions will be released and the app will be archived from Splunkbase. Check out this Splunk Lantern article to learn more.
I was following the documentation of Splunk Connect for Syslog so that I could ingest syslog in a Splunk Cloud setup. I cannot turn off the SSL option in my HEC global settings, so I did not uncomment the line below. I created the file /opt/sc4s/env_file with the contents:

    SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
    SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    #Uncomment the following line if using untrusted SSL certificates
    #SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

I started my sc4s.service (systemd service created by following the doc). I started to get an exception. Followed this for Splunk Cloud. When the sc4s service is started I get the error below:

    curl: (60) SSL certificate problem: self-signed certificate in certificate chain
    More details here: https://curl.se/docs/sslcerts.html
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback
    Startup will continue to prevent data loss if this is a transient failure.

If I uncomment the line, I don't see the exception anymore, but I fail to get any message when I search

    index=* sourcetype=sc4s:events "starting up"

as suggested in the documentation. No sample data when I run

    echo "Hello SC4S" > /dev/udp/<SC4S_ip>/514

Please let me know what I am missing in the setup so that I can proceed forward.
Hi @aasserhifni, did you try to stop Splunk on the SH, delete the folder and then restart Splunk? Did you check if you have deployment tools such as Ansible, GPO or a Splunk Deployment Server? Ciao. Giuseppe
It could be in the default location as well. Try the command; it should give you some pointers:

    splunk btool web list --debug|findstr cert

Or, in detail:

    splunk btool web list settings
Hi @ben_ramsey, I’m a Community Moderator in the Splunk Community. This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
@gcusello I also did that, but every time I do that the app still exists in the GUI with its configurations, and the files also keep appearing.
If a Splunk forwarder is installed on the Control-M host then you can run the Splunk queries. In our case we have implemented it and it is working. Search query:

    index="YOUR_INDEX_NAME" sourcetype="Control-M" "JOB * ENDED NOTOK" | rex "JOB\ \s*(?<JOB_NAME>.+)\s*\ \(ORDERID"