Hi @SN1  Try the following:

require([
  'splunkjs/mvc',
  'splunkjs/mvc/searchmanager',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!',
  'jquery'
], function(mvc, SearchManager, TableView, ignored, $) {
  // Define a simple cell renderer with a button
  var ActionButtonRenderer = TableView.BaseCellRenderer.extend({
    canRender: function(cell) {
      return cell.field === 'rowKey';
    },
    render: function($td, cell) {
      $td.addClass('button-cell');
      var rowKey = cell.value;
      var $btn = $('<button>').text('Unsolved');
      $btn.on('click', function(e) {
        e.preventDefault();
        e.stopPropagation();
        // Escape backslashes and double quotes so the cell value cannot break out of the SPL string literal
        var safeKey = String(rowKey).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
        var searchQuery = `| inputlookup sbc_warning.csv | eval rowKey=tostring(rowKey) | eval solved=if(rowKey="${safeKey}", "1", solved) | outputlookup sbc_warning.csv`;
        var writeSearch = new SearchManager({
          id: "writeSearch_" + Math.floor(Math.random() * 100000),
          search: searchQuery,
          autostart: true
        });
        writeSearch.on('search:done', function() {
          $btn.text('Solved');
          // Re-run the panel search so the table reflects the updated lookup
          var panelSearch = mvc.Components.get('panel_search_id');
          if (panelSearch) {
            panelSearch.startSearch();
          }
        });
      });
      $td.append($btn);
    }
  });

  // Apply the renderer to the specified table
  var tableComponent = mvc.Components.get('sbc_warning_table');
  if (tableComponent) {
    tableComponent.getVisualization(function(tableView) {
      tableView.table.addCellRenderer(new ActionButtonRenderer());
      tableView.table.render();
    });
  }
});

The button is created with $('<button>').text('Unsolved'). When clicked, after the lookup update (search:done), the button label is changed using $btn.text('Solved'). This only changes the text for that row's button; repeated clicks won't revert it. Note: If you want the initial state ("Unsolved"/"Solved") to reflect actual data, you must pass the current "solved" value for each row and set the initial button text accordingly. Do you have a field for whether it's already Solved or not that you could use to set the initial button text?    Did this answer help you? 
If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
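The handler above interpolates a table cell value straight into an SPL string that is then written back with outputlookup. The block below is an added example (not code from the answer above or from Splunk) showing how to validate and escape that value before it reaches the query, and how an initial label can be derived from the row's solved field; the lookup name, field names and the allow-list pattern for rowKey are assumptions.

```javascript
// Added example, not code from the original answer. A rowKey containing a double
// quote or backslash would end the SPL string literal early, so the key is checked
// against an allow-list and escaped before it is placed inside the eval literal.

// Allow-list; assumption: rowKey values are short alphanumeric identifiers.
var ROW_KEY_PATTERN = /^[A-Za-z0-9_.:-]{1,64}$/;

function isSafeRowKey(value) {
  return ROW_KEY_PATTERN.test(String(value));
}

// Escape for an SPL eval double-quoted string literal: backslash first, then quote.
function escapeSplString(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Build the write-back search; refuse keys that fail the allow-list.
function buildSolvedQuery(rowKey) {
  if (!isSafeRowKey(rowKey)) {
    throw new Error('rowKey rejected by allow-list: ' + JSON.stringify(String(rowKey)));
  }
  return '| inputlookup sbc_warning.csv '
    + '| eval rowKey=tostring(rowKey) '
    + '| eval solved=if(rowKey="' + escapeSplString(rowKey) + '", "1", solved) '
    + '| outputlookup sbc_warning.csv';
}

// Initial label from the row's own solved field, the case the answer raises.
function initialLabel(solvedValue) {
  return String(solvedValue) === '1' ? 'Solved' : 'Unsolved';
}

// Constructed sample rows (not from the page): two normal keys and one malformed one.
var sampleRows = [
  { rowKey: '151', solved: '1' },
  { rowKey: 'login-test_02', solved: '0' },
  { rowKey: 'bad"key', solved: '0' }
];

// Decide per row what the button shows and which search (if any) a click may run.
function planQueries(rows) {
  return rows.map(function (row) {
    return {
      rowKey: row.rowKey,
      label: initialLabel(row.solved),
      query: isSafeRowKey(row.rowKey) ? buildSolvedQuery(row.rowKey) : null
    };
  });
}
```

In the dashboard this would replace the inline template literal in the click handler; rows whose key fails the allow-list get no button rather than a search.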
@yuanliu  Hi, so I only want to suppress the alert on the dates in the lookup table. The condition for the alert is to fire if the result does not equal 1. If you're pointing out my screenshot, please let me know which part to adjust to the correct format so I can try to implement it correctly.  
You almost had it.  Use the bin and stats commands to group events by day and get the latest status.  Then timechart will give the counts.

basesearch
| bin span=1d _time
| stats latest(status) as status by _time, test
| timechart span=1d distinct_count(test) by status
@Ashish0405    <dashboard version="1.1"> <label>Status &amp; Severity Coloring</label> <row> <panel> <title>Test Status and Severity</title> <table> <search> <query> <![CDATA[ | make... See more...
@Ashish0405    <dashboard version="1.1"> <label>Status &amp; Severity Coloring</label> <row> <panel> <title>Test Status and Severity</title> <table> <search> <query> <![CDATA[ | makeresults count=4 | streamstats count as id | eval Status=case(id==1, "failed", id==2, "finished", id==3, "finished", 1==1, "failed") | eval Severity=case(id==1, "Critical", id==2, "Informational", id==3, "Critical", 1==1, "Informational") ]]> </query> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="Status"> <colorPalette type="map">{&quot;failed&quot;:&quot;#D93F3C&quot;,&quot;finished&quot;:&quot;#31A35F&quot;}</colorPalette> </format> <format type="color" field="Severity"> <colorPalette type="map">{&quot;Critical&quot;:&quot;#D93F3C&quot;,&quot;Informational&quot;:&quot;#31A35F&quot;}</colorPalette> </format> </table> </panel> </row> </dashboard>
For the search Eventtype=wineventlog_security there are no results. The errors are:

[Indexer] Eventtype 'wineventlog_security' does not exist or is disabled
[Indexer] Ignoring eventtype 'wineventlog_security' for search expansion due to error="search string cannot be empty"
remote search process failed on peer

As additional information, the error only shows up for index searches where NO Windows event logs are involved, just for our firewalls, switches and other devices. As long as I search Windows indexes, e.g. Index=wineventlog_security or index=wineventlog_system, there's no error.
Hi @Benny87 , what happens if you run eventtype=wineventlog_security from a search dashboard in your app? Do you have the same message or a different one? Did you recently change the version of Splunk_TA_Windows? Recently there was a change to the data structure of the TA: the sourcetype is WinEventLog or xmlWinEventLog, and the difference between Security, Application and System is in the source field. Otherwise, you can open a case with Splunk Support, because this Add-On is Splunk supported. Ciao. Giuseppe
Hi @Nrsch , if you have different log formats, you should identify each data source exactly, assigning the correct sourcetype to each one. Then, having the correct sourcetype, you can define a host recognition regex for each one. About the IP address instead of the hostname, it depends on the presence of this field in the log: if it's present, you can assign it to the host field using a regex; if it's not present, it isn't so easy. Ciao. Giuseppe
The Windows TA eventtypes are all globally shared and access is read for everyone. The problem is why now and not a few days ago. The error just started to show up a few days ago without any change to any configuration. 
Hi @Benny87 , check if this eventtype is shared at App or Global level: it must be Global. You can do this at [Settings > Event types]. Ciao. Giuseppe
Hi, I've had a problem in my searches for a few days. I really don't know what happened, and no one changed the configuration.   In search or dashboards for Cisco Network I get, for every search, the error "Eventtype 'wineventlog_security' does not exist or is disabled"   Search example:  Index=firewall  The question is why, when I search a completely unrelated index to Windows, it shows the error from the eventtype of the Windows TA, and also why it doesn't show any results.
Thank you for your answer. Since the HAProxy collects logs from different clients, their log formats are different. So, do we need to parse the logs twice — once to extract the hostname, and again to extract other fields depending on the log type? Also, is it possible to extract the host IP address instead of the hostname? Thank you very much for your help.
Hello,  I would like to create a timechart that counts the number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc.) for the last 30 days (per day). The problem is that it should take only the latest log with a status per test (e.g. I have the Login test (id 151); it has a couple of events/logs with different statuses, and I would like to take, for that test, the last log/event with the latest status).  I have a problem combining 'latest' and 'distinct_count' with timechart.  When I do the following search, I get duplicate logs for a test (e.g. I should have a count of 62 (tests) every day across all statuses):

basesearch | timechart span=1d distinct_count(test) as tests by status

e.g. on day 2025-05-26 test 'Login test (id 151)' has one event with status 'OK' and another one with status 'Blad', and the duplicate is shown here. When I want to combine 'latest' with timechart I get distinct_count results only for the last day:

basesearch | stats latest(status) as statuses latest(test) as tests latest(_time) as myTime by test | eval _time=myTime | timechart span=1d distinct_count(tests) by statuses

I would appreciate help on how to combine timechart, distinct_count and latest all together.  
Hi @Ashish0405 , you have to follow the same process. Or copy the option

<format type="color" field="Severity">
  <colorPalette type="map">{"failed":"#D93F3C","finished":"#31A35F","Critical":"#D93F3C","Informational":"#31A35F"}</colorPalette>
</format>

obviously changing the values of the Severity field. Ciao. Giuseppe
Hi Team, I have added Red &amp; Green color to the Status column, and I want to add the same to the Severity column as well. Can someone suggest some commands?   I have used the commands below to add color to the Status field.

<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Status">
  <colorPalette type="map">{"failed":"#D93F3C","finished":"#31A35F","Critical":"#D93F3C","Informational":"#31A35F"}</colorPalette>
</format>
Hi @Nrsch , if the hostnames that you would like to use in the host field are in the logs, you can override this value using a regex on the Heavy Forwarder, following the instructions at: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Overridedefaulthostassignments

in props.conf:

[<your_sourcetype>]
TRANSFORMS-override_host = override_host

in transforms.conf:

[override_host]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Be aware when defining your regex that the capture group you use in the FORMAT option must be the one containing the hostname. Ciao. Giuseppe
Hello, I'm on Splunk Enterprise. I'm facing this error on my dashboard: Failed to load source for JointJS Diagram visualization   Do you have any idea about this? Regards.
I have a serious problem, please help me.   We have an HAProxy server that receives logs from various clients and forwards them to a Splunk Heavy Forwarder. The problem is that HAProxy replaces the client's IP address with its own (in TCP). The question is: how can we have the client's IP address for each log in the Splunk Heavy Forwarder?
Hi @livehybrid , thanks for the reply. I will try this.   Regards
        "viz_is5FtVR7": {
            "dataSources": {
                "primary": "ds_gVYGLUPs"
            },
            "title": "Hits Received by HTTP Error Response Code",
            "type": "splunk.area"
        },
        "viz_sE6SurJU": {
            "dataSources": {
                "primary": "ds_FXWuV3ZX_ds_search_1"
            },
            "title": "Light Gateway Start History",
            "type": "splunk.pie"
        },
        "viz_tXWYyMRx": {
            "dataSources": {
                "primary": "ds_3LhTiLOu"
            },
            "description": "",
            "options": {
                "y2": "> primary | frameBySeriesNames('')"
            },
            "title": "UAT Inbound URL Path",
            "type": "splunk.bar"
        }
    },
Hi Hamed, I'm facing the exact same issue. Were you able to resolve it? Thanks in advance! @hamed_khosrawi1