All Posts
We're trying to customize the Mean Time to Triage and Mean Time to Resolution queries in the ES Executive Summary dashboard to filter for specific urgency or rule names. We previously were using the stand-alone Mission Control app before it was integrated into Enterprise Security. Reviewing the incident_updates_lookup table, it seems to have stopped updating both "urgency" and "rule_name" around the time we migrated into Enterprise Security's Mission Control. We can see old entries prior to that, but more recent ones are very infrequent. Does anyone know how to resolve this, or know of another way to filter?
Hey @spamarea1, So, where do you see 0 events? On the sourcetype-extraction page of the Add-on Builder? Can you please share a screenshot of it? I assume it is because of the nature of the data flow set up. Your Add-on Builder would be present on one of the Enterprise servers and the data would be ingested into a different server on which the indexer is residing. So, whenever the input runs, it collects the data and sends it to the indexer server. If the indexing happens locally, you would be able to see the events on the Add-on Builder page. Let me know if what I'm understanding is incorrect; a screenshot would be better to troubleshoot further. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated!
I did the save and finish buttons. I get output when I hit the test and I see it when I search using the index and sourcetype. The data is even put into a dashboard. I just have to run this manually.
Hello @spamarea1, Did you run the test button before saving? If the output shows a blank white screen, it'll not ingest any data. Also, try to add more loggers to isolate the problem. Also, for once, add an info log of response.text itself, so that you can understand what the output should look like. Thanks, Tejas.
@tej57 Here is the code, I reused the template that the addon builder app started. The data input is also set up, it was built by the app, I have to give it a name and put the interval to 30 seconds. Formatting here is not good....

# encoding = utf-8
import os
import sys
import time
import datetime

'''
    IMPORTANT
    Edit only the validate_input and collect_events functions.
    Do not edit any other part in this file.
    This file is generated only once when creating the modular input.
'''
'''
# For advanced users, if you want to create single instance mod input, uncomment this method.
def use_single_instance_mode():
    return True
'''


def validate_input(helper, definition):
    """Implement your own validation logic to validate the input stanza configurations"""
    # This example accesses the modular input variable
    # password = definition.parameters.get('password', None)
    # username = definition.parameters.get('username', None)
    # finesse_ip = definition.parameters.get('finesse_ip', None)
    pass


def collect_events(helper, ew):
    import requests
    from requests.auth import HTTPBasicAuth

    # Input parameters as defined in the Add-on Builder data input
    finesse_ip = helper.get_arg('finesse_ip')
    username = helper.get_arg('username')
    password = helper.get_arg('password')
    url = f"https://{finesse_ip}/finesse/api/SystemInfo"

    try:
        # verify=False disables TLS certificate validation for this request
        response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)
        if response.status_code == 200:
            helper.log_info(f"Successfully retrieved data from {url}")
        else:
            helper.log_error(f"Request failed. Status: {response.status_code}, Body: {response.text}")

        # Build the event from the raw response body and hand it to the event writer
        event = helper.new_event(
            data=response.text,
            source=helper.get_input_type(),
            index=helper.get_output_index(),
            host="finesse1a",
            sourcetype=helper.get_sourcetype()
        )
        ew.write_event(event)
    except Exception as e:
        helper.log_error(f"Error during request to {url}: {str(e)}")
Hello @spamarea1, Would you be able to share the Python code to check further why it is not ingesting events? And can you also confirm if ew.write_event(event) has been set properly? Did you also check on the Add-on Builder UI if it is ingesting events when you run the Test button? Thanks, Tejas.
Hello @sl, You can alternatively use this wonderful tool developed by Ryan Adler - https://github.com/ryanadler/downloadSplunk I found this in one of the previous answers on Community. Running the bash script will help you download whatever version you wish if Splunk Support doesn't help you better. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated!
Hi @Narendra_Rao, for upgrading to KV store 7.x, the KV store first needs to be on 4.2.x. Looking at your KV store version, it is on 4.1.7; this is the reason the upgrade is failing. You need to upgrade to 4.2.x, then go for 7.x. Upgrade document for 4.2.x: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine then the upgrade document for 7.x: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/MigrateKVstore#Prepare_for_the_upgrade
This worked perfectly! Thank you so much!!! Diana
Hi, I need to create an investigation with SOAR. When I create the investigation, it doesn't link the Finding to the Investigation. Do you have a playbook that can help me with this feature?
Ok, I give up.. do you have anywhere I can read about how to use the ingest API? I am able to send the payload to the endpoint in my realm, using a token I created for it. I get an HTTP 200 response but the metrics don't get created anywhere.. I have been searching the documentation but Splunk docs are in general abysmal I think, I haven't found anything useful at all..... Any hints? Thanks. Disregard, ChatGPT figured out my problem for me......
Hi @MKhan1, Using LAUNCHSPLUNK=0 just ignores any problem during Splunk starting up, so unfortunately it still could be pretty much anything. If you run splunk start from a command line, what does it say? Have you tried checking the Event Logs and splunkd.log? Cheers, - Jo.
The official way to obtain software versions not listed on the download page is to contact support with a request to share a specific version.
https://community.splunk.com/t5/Dashboards-Visualizations/Why-does-dark-theme-switch-fail-when-using-emojis-in-the/m-p/518190 This is expected it seems. Any workaround we have to overcome this?
@D2SI @andrewtrobec @robtun1 @blablabla @niketn can you guys help me on this as well... Re: How to add the description for dashboard in be... - Splunk Community I am trying to add  in my Splunk dashboard description and as soon as I give this HTML, the dark theme changes to light and it is not returning. Can you guys help me?
Can you please share download links for hf and enterprise prior to 9.1? i.e. 9.0.x, both linux and windows, thanks
I see, that's good to know. Thanks for the explanation!
One more thing: if I enter this HTML, the dashboard theme automatically goes to the light theme, even if I select the dark theme... is there any limitation for HTML or the alert symbol that it cannot use dark mode? Any workaround for this? Because I want one of the 3 dashboards to be in dark mode.
try this,

<div style="
    background: linear-gradient(120deg, #2e2e2e 0%, #1a1a1a 100%);
    border-left: 6px solid #ffb74d;
    box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1);
    border-radius: 6px;
    padding: 18px 24px;
    font-family: -apple-system, BlinkMacSystemFont, Segoe UI, Helvetica, Arial, sans-serif;
    font-size: 15px;
    line-height: 1.45;
    margin-bottom: 24px;">
  <h3 style="color: #ffa726; margin: 0 0 8px 0; display: flex; align-items: center;">
    <span style="font-size: 32px; margin-right: 12px;">⚠️</span>
    Important Notice
  </h3>
  <p style="margin: 0 0 10px 0; color: #e0e0e0;">
    Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
  </p>
  <p style="margin: 0; color: #e0e0e0;">
    Please ensure an <strong>Index Name</strong> is selected – this is required to load dashboard data.
  </p>
</div>
Looks good, but it looks a bit bad in dark mode. Can you help me with good colors? Sorry I am asking for more.