Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-12-2024
12:16 AM
Removed the eval statement and got it working.
03-11-2024
11:56 PM
Thanks. And, It is taking only one event and returning me average response time as 4 or any number I put in the eval field. I couldn't grab all the numbers in such logs/events and take average val...
See more...
Thanks. And, It is taking only one event and returning me average response time as 4 or any number I put in the eval field. I couldn't grab all the numbers in such logs/events and take average value.
03-11-2024
11:52 PM
<panel> <html> <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;"> <div class="modal-header" style="background:#e1e6eb; padding:2...
See more...
<panel> <html> <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;"> <div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;"> <h3>Message:</h3> </div> <div class="modal-body" style="padding:30%"> <p style="color:blue;font-size:16px;"> This dashboard has been moved to azure. Kindly visit the following link - <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a> </p> </div> </div> </html> </panel> I have created this code which displays the pop up but the splunk dashboard is still working on the background ...Can anyone please help me with an idea about any script that I can add in this code to make the dashboard stop working in the background as well as the pop up should also display...
Labels
- Labels:
-
search
03-11-2024
11:51 PM
Hello i m unable to see data / tenant data in prod dashboards by searching by tenant id , cannot see tenant id but it is visible in lower domains , i have verified all beats metrics are installed...
See more...
Hello i m unable to see data / tenant data in prod dashboards by searching by tenant id , cannot see tenant id but it is visible in lower domains , i have verified all beats metrics are installed on servers
Labels
- Labels:
-
Classic dashboard
03-11-2024
11:50 PM
Hello Kiran,
<panel>
<html>
<div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
<div class="modal-header" style="background:#e1e6eb; p...
See more...
Hello Kiran,
<panel>
<html>
<div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
<div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;">
<h3>Message:</h3>
</div>
<div class="modal-body" style="padding:30%">
<p style="color:blue;font-size:16px;"> This dashboard has been moved to azure. Kindly visit the following link - <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a> </p>
</div>
</div>
</html>
</panel>
I have created this code which displays the pop up but the dashboard is still working on the background ...do you have any idea about any script that I can add in this code to make the dashboard stop working in the background.
03-11-2024
11:44 PM
You are probably entering private IPs - or see this for Splunk's private IPs https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages
03-11-2024
11:34 PM
Hi, please try this: | tstats
dc(index) AS index_count
WHERE index IN (aws,windows)
BY host
| where index_count=2
| table host Ciao. Giuseppe
03-11-2024
11:03 PM
See this for base search documentation https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/Savedsearches
03-11-2024
11:02 PM
1 Karma
To make a common search, use a base search that is then used by both other searches. The details will need to be common enough. Your main table has a search window of 90m - do you expect a large num...
See more...
To make a common search, use a base search that is then used by both other searches. The details will need to be common enough. Your main table has a search window of 90m - do you expect a large number of events in this data set. This table does not really do any aggregations, so using this as a base search is not really good idea. You would need 3 searches, the base and one for the dropdown and the other for the data table. See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches and they all use the same time picker values. <form version="1.1" theme="light">
<label>GP Errors</label>
<search id="base">
<query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error
| stats count by _time host EventCode Message
| rename host AS Host, EventCode AS EventID
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-90m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="Computername">
<label>Computer Name</label>
<default>*</default>
</input>
<input type="dropdown" token="EventID">
<label>Event ID</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>EventID</fieldForLabel>
<fieldForValue>EventID</fieldForValue>
<search base="base">
<query>
| stats count by EventID</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base">
<query>
search Host=$Computername$ EventID=$EventID$
| table Host, EventID, Message, _time count
| sort - _time</query>
</search>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form> Note that you also need to consider dependencies - should the list of eventids in the dropdown be ones that are found only for the entered computer? If not, then when you select an ID it may not exist.
03-11-2024
10:46 PM
You are only providing keyholes into your problem domain - we need to understand the bigger picture as @richgalloway says to understand what your problem is. Can you provide your existing XML and/or...
See more...
You are only providing keyholes into your problem domain - we need to understand the bigger picture as @richgalloway says to understand what your problem is. Can you provide your existing XML and/or searches showing the fields you are querying - please ensure the data is sanitised, so it can be posted here.
03-11-2024
10:10 PM
1 Karma
Hi. So you tried | makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time) And there are two pro...
See more...
Hi. So you tried | makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time) And there are two problems. 1) the first makeresults .. I don't know what the ns=project* is. Here's the reference https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults 2) your rex is extracting the value into the field Response_Time but then use do stats avg on response_time in lowercase. Case matters in Splunk field names. Here's what seems to work | makeresults=1
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(Response_Time)
03-11-2024
09:18 PM
I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID. It's also listed under the Event INFO in the container under Details Source ID: Got...
See more...
I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID. It's also listed under the Event INFO in the container under Details Source ID: Got there in the end. Thank you for the query though, wouldn't have found this without it.
03-11-2024
09:17 PM
Hello, I'm trying to find average response time of all events after the field totalTimeTaken. Thing is, when I tested this regular expression on Regular Expression Site It shows I'm extracting the ...
See more...
Hello, I'm trying to find average response time of all events after the field totalTimeTaken. Thing is, when I tested this regular expression on Regular Expression Site It shows I'm extracting the field and value correctly but, when I put the same into the Splunk statement it is not yielding the expected result. Log: {"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}} Query: | makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time) Could I know where I'm going wrong?
Labels
- Labels:
-
regex
03-11-2024
08:42 PM
Windows hardening which cause the issue . Solved after adjust the permissions.
03-11-2024
08:00 PM
I've used tokens in the base search itself. Except class and group filter. I need to enable these two tokens for SQL row and need to disable it for others. @richgalloway
03-11-2024
07:29 PM
@poojabolla Hello Pooja, If you reference an index that does not exist in your Splunk environment, you will receive an error message similar to: “Error in ‘Search’: The specified index does not exist...
See more...
@poojabolla Hello Pooja, If you reference an index that does not exist in your Splunk environment, you will receive an error message similar to: “Error in ‘Search’: The specified index does not exist.” Even a small typo in the index name can lead to errors. Make sure you’ve spelled the index name correctly. https://docs.splunk.com/Documentation/Splunk/9.2.0/Troubleshooting/Cantfinddata
03-11-2024
04:57 PM
Thanks ^^ have a nice day!
03-11-2024
04:09 PM
1 Karma
The events returned by the search can have multiple fields,; the fieldsFor... elements defile which fields from the search are used for the label and which is used for the value.
03-11-2024
03:57 PM
I tried to whitelist an ip address for HEC log ingestion and got the error message "Subnet overlaps Private IP block" Does anyone know what this means? Thanks
Labels
- Labels:
-
HTTP Event Collector
03-11-2024
03:25 PM
I'm getting this error message in the log file, solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solut...
See more...
I'm getting this error message in the log file, solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid. I'm trying to work out how to get what is passed to credentials.py since the information in the username doesn't make sense to me. Is there anyway of debugging credentials.py, I tried to put print statements in, but the TA UI didn't like it. I had to remove the print statements to get the UI working again. I've tried debugging via command line but always get stuck at this point, session_key = sys.stdin.readline().strip(). I can't work out what I need to do to see where the user information is coming from. Any help on how I can debug this? TIA, Joe
- Tags:
- debug
Labels
- Labels:
-
configuration
-
dashboard
-
troubleshooting
