All Posts

I have two lookups, one with 460K rows and another with 10K rows. I used join to get the 10K results from the 460K rows; however, join is not working and not returning any results. I used table and stats in both lookups, though no results. Below is the query I used:

| inputlookup unix.csv | eval sys_name = lower(FQDN) | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]

and

| inputlookup unix.csv | eval sys_name = lower(FQDN) | stats values(*) as * by sys_name | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]

Any help would be greatly appreciated.
Ideally it should be managed locally in system/local; however, have you tried managing it through peer-apps? Peer-app precedence is as follows:
1. Peer-app local directories -- highest priority
2. System local directory
3. App local directories
4. Peer-app default directories
5. App default directories
6. System default directory -- lowest priority
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only
Please accept the solution and hit Karma, if this helps!
Hi @karthi2809, what do you mean by "pass parameters"? Do you have logs from this website, or something else? Ciao. Giuseppe
I will not be able to give screenshots, but the issue was larger than just selected fields: no data was being saved on a per-user basis. This includes selected fields, search mode, and many other things. I found in another thread that the newer versions of Splunk come with an "Optimizations" script that disables these by default, and the documentation states not to disable this. However, in the thread the Splunk guy said this optimization was meant for environments with over 1000 users. My environment has a handful of users, so disabling it has not caused any issues so far. This has fixed my issue of saved data not persisting for each user. However, if it is possible, I would like to keep the optimizations but disable certain features that it is optimizing. Is that possible? Example: only optimizing search mode, since verbose could theoretically take the most processing power. I hope I have explained this enough. Edit: Here is the thread I spoke about - https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652794
Let's say that I have a cluster for my indexers and now I want to change the configuration for peers regarding web.conf from the master node level (disable the indexers' GUI because there is now a cluster master that manages them) and add config to server.conf from the cluster master level for the entire cluster.
Just scanning the $SPLUNK_HOME/etc/system/default/*.conf files for boolean values shows a huge disparity. "0" and "1" exceed "true/false" or "True/False" in commonality. If linted against the .spec files, most of these would fail. Is there a person that needs to see this to get it changed and self-consistent on the default values? The vendor defaults should be the gold standard to measure against. Any and all comments on how I might pursue resolution are welcome.
Hello @sushraw, can you please try the below:
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
The above should extract CmdSet from the events. If it looks good, you can write a search-time field extraction to extract the field CmdSet automatically. Please accept the solution and hit Karma, if this helps!
TACACS event:
Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>
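As an added example (not from the thread or from Splunk), the rex pattern given in the answer applied in Python to a sample event constructed from the one posted above, then taken one step further: the CmdAV/CmdArgAV tokens are rebuilt into the typed command and the fields a detection rule would key on (user, device, MatchedCommandSet, outcome) are pulled out. The placeholders <device_IP>, <device_name> and <user> are kept as posted.

```python
import re
from typing import Optional

# Constructed sample event, modelled on the Cisco ISE TACACS line posted in the
# thread; the <device_IP>, <device_name> and <user> placeholders are kept as posted.
SAMPLE_EVENT = (
    "Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 "
    "2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, "
    "DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, "
    "CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface "
    "CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, "
    "MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>"
)

# The same pattern as the rex in the answer; Python writes named groups as (?P<name>...).
CMDSET_RE = re.compile(r"CmdSet=\[(?P<CmdSet>[^\]]+)\]")
# Inside the brackets ISE emits one CmdAV (the verb) followed by zero or more CmdArgAV tokens.
AV_RE = re.compile(r"(CmdAV|CmdArgAV)=(\S+)")
# Plain key=value fields elsewhere on the line; values run up to the next comma.
KV_RE = re.compile(r"(UserName|MatchedCommandSet|NetworkDeviceName)=([^,]+)")


def extract_cmdset(event: str) -> Optional[str]:
    """Return the raw CmdSet bracket contents, as the rex would, or None if absent."""
    m = CMDSET_RE.search(event)
    return m.group("CmdSet").strip() if m else None


def cmdset_to_command(cmdset: str) -> str:
    """Rebuild the command the operator typed; <cr> is only the line terminator."""
    return " ".join(v for _, v in AV_RE.findall(cmdset) if v != "<cr>")


def parse_authz_event(event: str) -> Optional[dict]:
    """Flatten one command-authorization event into the fields a detection rule needs."""
    cmdset = extract_cmdset(event)
    if cmdset is None:
        return None  # not a command-authorization record (e.g. a plain login event)
    fields = {k: v.strip() for k, v in KV_RE.findall(event)}
    return {
        "user": fields.get("UserName"),
        "device": fields.get("NetworkDeviceName"),
        "command": cmdset_to_command(cmdset),
        "matched_set": fields.get("MatchedCommandSet"),
        "succeeded": "Command Authorization succeeded" in event,
    }


if __name__ == "__main__":
    print(parse_authz_event(SAMPLE_EVENT))
```

Events that match a command set such as Unsafecommand can then be alerted on by command and user rather than by raw CmdSet string.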
Hello @dood9999, would you be able to elaborate on the question in detail, along with a few screenshots?
This is a pretty old post but were you ever able to figure out a solution to this? I am currently exploring these options with a custom adaptive response.   Thanks!
Hi guys, thanks in advance. I have a task where I need to pass a parameter to Splunk from an external website, and I already have a dashboard. So based on correlationId we need to populate the result in Splunk. How do I pass parameters from an external website to Splunk?
Hello @Patrycja_K_, typically the server.conf and web.conf files are for the following:
server.conf: This file contains configurations related to the Splunk server, such as network settings, authentication settings, etc. You typically only need to manage this file on the cluster master.
web.conf: This file contains configurations for the Splunk Web interface, such as UI settings, SSL settings, and HTTP server settings. Similarly, you typically manage this file on the cluster master.
Can you please share if you have any specific question about the server.conf and web.conf files?
Hello @sushraw, Can you please share sample events in order to create the regex? Sample event along with the field value that you want to extract.
Yes, this was it.  The filter wasn't able to deal with the multiple levels in my data. I ended up replacing the filter with a code block that ran the same conditional statement and saved the positive matches to a new list (or, in my case, 5 lists for the 5 fields I needed).  Then I fed those lists into the format block instead. Thanks for the help!
Just to clarify, the depends attribute works on the presence / absence of a token having a non-null value, not on a specific value of the token. Without the rest of the dashboard, it is not clear whether you are using tokens in this way.
Hello all, can someone help me extract the field 'CmdSet' from Cisco ISE accounting logs? String: '[ CmdAV=show CmdArgAV=license CmdArgAV=usage CmdArgAV=<cr> ]'
Hi @sajo.sam, Can you check out the replies to this post and see if this helps: https://community.appdynamics.com/t5/Infrastructure-Server-Network/Kubernetes-cluster-agent-can-not-connect-404/m-p/43062
I have a file with a CRT extension from a third party. I am trying to convert the file into PEM but am unable to get it done. We performed various steps but were unable to get it converted. Please suggest.
we are using 9.0.4
Hi everyone, I have had confirmation back from Splunk: the Dashboards team has confirmed that this is expected behavior and a known limitation. I've added it as a Feature Request.