All Posts

Thanks for commenting on my scenario; that is the same conclusion that I came to, but I was hoping to find a way around it.
Hi,
Where are the checkpoint values for enabled DB Connect inputs stored? I checked the folder /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect, but there are only files named after our disabled DB inputs, not our enabled ones.
Splunk Enterprise version: 9.0.4.1
Splunk DB Connect version: 3.6.0
P.S. Our three enabled DB inputs do work correctly, and I can see the checkpoint values in the web UI; I just cannot find where they are stored on the OS.
Best regards, Altin
Hello, I have a panel with a search query, e.g.
<row><panel><table> <search> <query>_some_query_ | table A B C D </query> </search> </table></panel></row>
and it displays multiple rows on a dashboard. I am trying to create a button that will send all of the column C data to a different site, so I want to store the column C data as a token. Is there a way to do that?
Hello! As a newcomer to the world of IT and cyber security, I am having some trouble. I am trying to set up a Splunk homelab environment to get some hands-on experience with the application. My hopeful goal is to be able to import or stream some data to a Splunk dashboard so I can mess around and learn for starters, but eventually to set up my own home network monitoring system. I've been able to statically import some local logs and read them over, which is fine. I'd like to be able to set up a better environment for detecting intrusions and analyzing for IOCs. If anyone has some helpful links or advice, I would very much appreciate it!
Hi @richgalloway @isoutamo, thank you for the information and help.
Hi @hfaz, when you say that you enabled forwarding to the indexers, I suppose that you're speaking of logs. Check that you don't have a deploymentclient.conf file on the HF, possibly distributed using an add-on. Ciao. Giuseppe
Hi @Roopashree, Splunk isn't Excel, so you cannot merge two cells; you could have the NOT_OK value in both rows:
<your_search> | rex 1 | rex 2 | stats count BY Status Reasons
Please next time also add the sample in text mode. Ciao. Giuseppe
Perfect! Thanks for the tip.
I need help with a Splunk query to return events where an array of objects contains a certain value for a key in all the objects of the array.

Event 1:
{ list: [ {"name": "Hello", "type": "code"}, {"name": "Hello", "type": "document"} ] }
Event 2:
{ list: [ {"name": "Hello", "type": "code"}, {"name": "World", "type": "document"} ] }
Event 3:
{ list: [ {"name": "Hello", "type": "document"}, {"name": "Hello", "type": "document"} ] }

Filters:
1. The first object in the list array should have "type": "code".
2. All the items in the list array should have "name": "Hello".

Expected output: from the above list of events the query should return Event 1, where the first item has list[0].type = code and all the items in list have "name": "Hello".

I tried multiple ways, like
search list{}.name="Hello"
but this returned the events that had at least one element with name: Hello. However, I was able to achieve the first filter as below:
| eval conflict = mvindex(list, 0) | spath input=conflict | search type=code
If someone can help in achieving both filters in one query, that would be helpful. Thanks in advance.
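An SPL search, added here as an example and not part of the original question, that applies both filters in one pass. The first three commands build the three events from the question with makeresults (constructed sample data, so the search runs on any Splunk instance without indexed data); against real data, replace them with the base search. It extracts the arrays with an explicit spath rather than the automatic list{}.name field, because automatic JSON extraction can collapse repeated values in a multivalue field; the name test is written as "no element whose name is not Hello", so it gives the right answer either way.

```spl
| makeresults count=3
| streamstats count AS event_no
| eval _raw=case(
    event_no=1, "{\"list\":[{\"name\":\"Hello\",\"type\":\"code\"},{\"name\":\"Hello\",\"type\":\"document\"}]}",
    event_no=2, "{\"list\":[{\"name\":\"Hello\",\"type\":\"code\"},{\"name\":\"World\",\"type\":\"document\"}]}",
    event_no=3, "{\"list\":[{\"name\":\"Hello\",\"type\":\"document\"},{\"name\":\"Hello\",\"type\":\"document\"}]}")
| spath path=list{}.name output=names
| spath path=list{}.type output=types
| eval first_type=mvindex(types, 0)
| eval not_hello=coalesce(mvcount(mvfilter(names!="Hello")), 0)
| where first_type="code" AND not_hello=0
| table event_no names types
```

Only event 1 survives: event 2 has an element whose name is World, and the first element of event 3 is a document. mvindex(types, 0) is the type of the first array element in document order, and mvfilter keeps only the names that are not Hello; when nothing is left it returns null, which coalesce turns into 0. mvfilter can reference only one field, which is why the name check and the type check are separate evals. An event with no list array has null types and is dropped by the where clause.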
Hello Splunkers, I'm encountering an issue with data model acceleration in my ES instance. A few weeks ago, I enabled several data models in my ES instance to support correlation searches. However, I recently noticed that there hasn't been any increase in SVC usage, and upon checking today, I found that the acceleration status for these models was disabled. I'm puzzled by this and would appreciate any insights into why this occurred and how to identify the root cause. Thank you.
Hey DK,
Build the PKG, then open Terminal and run the command
sudo xattr -rd com.apple.quarantine /path/to/the.pkg
This will remove the com.apple.quarantine attribute and stop the computer from checking it for malicious software. The -d option deletes the noted attribute and the -r option acts recursively. If you would like to check which attributes the .PKG has on it, then run the command:
xattr -r /path/to/the.pkg
Hope this helps
I'm still working on this; I've made some progress on doing the .tar file install and tweaking it, but I'm getting these two alerts (see attached images) whenever I log in to the user account. Have you found a workaround (assuming you've seen this)?
With Splunk Enterprise 9.2.1 there's no issue anymore. This issue is definitely related to the builds of Splunk Enterprise.
Hi @louisss, I'm a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi, I wanted to create a table as below. I am extracting Status and Reason using rex. How can I create this? The Count column should count the events; I used stats count by ...
@karthi2809 - Dashboard filter values show in the URL, so once you get the right URL, that should work. I hope this helps!
Hi @Ben.Howl, thanks for asking your question on the Community. It's been a few days and the Community has not jumped in, so I wanted to let you know you can always contact AppD Support or even your AppD CSM. How do I submit a Support ticket? An FAQ. If you find a solution or any other bit of help for this question, it would be helpful if you could come back and share that as a reply.
Hello, so I have the following issue. Let's say I have a Splunk table with a rename at the end. The tokens can have different values, so the final column header is dynamic, as it depends on the token.

| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc, 3_aaa, 3_bbb, 3_ccc
| rename 1_aaa as "1. $aaa$", 1_bbb as "1. $bbb$", 1_ccc as "1. $ccc$", 2_aaa as "2. $aaa$", 2_bbb as "2. $bbb$", 2_ccc as "2. $ccc$", 3_aaa as "3. $aaa$", 3_bbb as "3. $bbb$", 3_ccc as "3. $ccc$"

The formatting is working properly:

<format type="color" field="1. $aaa$">
  <colorPalette type="list">[#5b708f]</colorPalette>
</format>

But the drilldown does not. I tried the conditions below, without success.

<drilldown>
  <condition match="$click.name2$ = 1. $aaa$">
  <condition match="$click.name2$ = &quot;1. $aaa$&quot;">
  <condition match="$click.name2$ = &quot;1. &quot;$aaa$">
  <condition match="match('click.name2', 1. $aaa$)">
  <condition match="match('click.name2', &quot;1. $aaa$&quot;)">
  <condition match="match('click.name2', &quot;1. &quot;$aaa$)">
  <condition match="match('click.name2', '1. $aaa$')">

Is there a way to do it somehow with such a combination?

P.S.: As a possible workaround, without a combination of string and token it works properly, but I would rather go without it, as then I unnecessarily need to create a separate token for each column:

<set token="1_aaa">1. $result.aaa$</set>
<set token="1_bbb">1. $result.bbb$</set>
<set token="1_ccc">1. $result.ccc$</set>
...
| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc
| rename 1_aaa as "$1_aaa$", 1_bbb as "$1_bbb$", 1_ccc as "$1_ccc$", 2_aaa as "$2_aaa$", 2_bbb as "$2_bbb$", 2_ccc as "$2_ccc$", 3_aaa as "$3_aaa$", 3_bbb as "$3_bbb$", 3_ccc as "$3_ccc$"
...
<format type="color" field="$1_aaa$">
  <colorPalette type="list">[#5b708f]</colorPalette>
</format>
...
<drilldown>
  <condition match="$click.name2$ = $1_aaa$">
The simple answer is no; however, you could include a version number in your lookup, or a modified date as a new field, or every time you update it you save the old copy to a different lookup. Essentially, Splunk can only find information that you choose to keep.
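An added SPL example, not from the answer above, of the "save the old copy" option. The first search appends a timestamped snapshot of the current rows to a history lookup; run it immediately before each search that rewrites the lookup. The second search reports the rows that exist only in the latest snapshot or only in earlier ones. The lookup names assets.csv and assets_history.csv and the columns host and owner are assumed placeholders.

```spl
| inputlookup assets.csv
| eval snapshot_time=now()
| outputlookup append=true assets_history.csv

| inputlookup assets_history.csv
| eventstats max(snapshot_time) AS latest
| eval seen_in=if(snapshot_time=latest, "latest", "earlier")
| stats values(seen_in) AS seen_in BY host owner
| where mvcount(seen_in)=1
```

A row that shows only as "latest" was added or changed in the most recent update; one that shows only as "earlier" was removed or changed. Because append=true never rewrites the history file, the earlier snapshots stay intact even if the working lookup is overwritten. Put the history lookup in an app whose write permission is limited to the role that performs the update, so the audit trail cannot be edited by the same users whose changes it records.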
Hi @Jared.Botha, Did the information from @Terence.Chen help?