IME, \r and \n don't always work in Splunk regexes. To match any text that might include newlines, try [\s\S]+.
    EventCode=4103[\s\S]+\s+Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.ps1
Hi @Manasa_401, the response provided by @richgalloway will work. https://localhost:8000/en-US/account/login?loginType=splunk In addition to Rich's response: if your existing URL contains the 8000 number, keep that as well. Sometimes it might be an issue with the language, en-us or en-gb; kindly try with the language for the URL with SAML auth.
Are you trying to configure the SSL certificate for Splunk web, such that accessing Splunk through HTTPS will use your cert? If so, how do the SSL stanzas look on your server.conf and/or web.conf?
Which bit don't you understand? How to set up a submit button, or how to have a panel search execute if a token changes? Your panel search could be a hidden panel whereby the search uses outputlookup as I suggested.
I'm trying to remove some Windows events from being ingested ... example below:
The regex I've tried in both Ingest Actions and the old method works both at regex101 and in my SPL
    index=win* EventCode=4103 Message=*Files\\SplunkUniversalForwarder*
    | regex "EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"
Yet, when I configure an ingest action ruleset, nothing gets removed.
    [_rule:ruleset_WinEventLogSecurity:filter:regex:ft7j3fkn]
    INGEST_EVAL = queue=if(match(_raw, "EventCode=4103(.|\\r|\\n)+\\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1"), "nullQueue", queue)
    STOP_PROCESSING_IF = queue == "nullQueue"
Same goes for trying to do it "the old way"
    [drop_4103_splunkpowershell]
    DEST_KEY = queue
    REGEX = EventCode=4103(.|\r|\n)+\s+Files.SplunkUniversalForwarder.bin.splunk-powershell.ps1
    FORMAT = nullQueue
Sample event:
    04/04/2024 07:02:28 PM
    LogName=Microsoft-Windows-PowerShell/Operational
    EventCode=4103
    EventType=4
    ComputerName=redacted
    User=NOT_TRANSLATED
    Sid=S-1-5-18
    SidType=0
    SourceName=Microsoft-Windows-PowerShell
    Type=Information
    RecordNumber=1258288151
    Keywords=None
    TaskCategory=Executing Pipeline
    OpCode=To be used when operation is just executing a method
    Message=CommandInvocation(Start-Sleep): "Start-Sleep"
    ParameterBinding(Start-Sleep): name="Milliseconds"; value="200"
    Context:
    Severity = Informational
    Host Name = ConsoleHost
    Host Version = 5.1.17763.5576
    Host ID = 222d8490-3c1f-486d-94ed-47f91e59da32
    Host Application = powershell.exe -command $input |C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 C:\Program` Files\SplunkUniversalForwarder e20c0be00a8583fe
    Engine Version = 5.1.17763.5576
    Runspace ID = 87084a50-365f-409b-aed6-d666c6c6b2b
    Pipeline ID = 1
    Command Name = Start-Sleep
    Command Type = Cmdlet
    Script Name = .......
Thanks @ITWhisperer for the prompt reply. I don’t understand how a csv file would be generated on the click of a submit button in a dashboard. Can you please elaborate more? The user selections would be: 1. Time range and click submit. The panel will show the results for a query which runs for the selected time range. Now the question is how can I export it to a csv automatically, and later on use this csv for different visualisations in a dashboard panel?
The outputlookup command has a create_context option which can be set to user to create user-specific versions of the lookup (csv) file. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Outputlookup
I tried several different prior versions. Splunk only accepts the single msi that was used to install and that is not available: splunk-7.0.1-2b5b15c4ee89-x64-release.msi I will need to manually start surgical removal of the prior version. Definitely a negative when trying Splunk.
Hi, The requirement is that the user makes a dynamic selection (time range from time picker, environment from env dropdown and a few more) and clicks the submit button, and as soon as he clicks submit, a csv file should be generated as per the user input selection, and later on the user should be able to reference that csv in the dashboard panel to create different visualisations. Is that possible in Splunk?
| foreach f1 f2 f3 f4
[| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
| eventstats dc(H) as d1 by f1
| eventstats dc(H) as d2 by f2
| eventstats dc(H) as d3 by f3
| eventstats dc(H) as d4 by f4
| stats values(d*) as d*
Hi @Muhammad Husnain.Ashfaq,
It's been a few days and it seems the Community has not jumped in with a reply. Did you happen to make a discovery or find a solution you could share? If you have not, you can try contacting AppDynamics Support: How do I submit a Support ticket? An FAQ
OK so use eval with an if such that if the two fields are equal mvappend a value that the formatting picks up to change the colour to what you want. (See the example in the link I provided)
Hi @Dean.Marchetti,
If the reply from Terence helped answer your question, would you please take a quick moment to click the “Accept as Solution” button on the reply? This confirmation that the question was answered alerts the community and helps build that bank of expertise for everyone in the community.
If the reply did not answer your question, jump back into the conversation to keep it going.