My input module relies on API data and I have decided to move connection timeout configuration options over to global configuration, e.g. helper.get_global_setting("read_timeout"), rather than requiring it to be set individually per input module. However, it appears there is no `validate_input` functionality for global configuration options similar to the one for the input module. There is no documentation for this, but you would think that being able to validate global config options inherited by every input module would be an important thing to do. I now have to figure out how to do this in each input module, but it delays telling the user they have made a bad config where they enter it. I cannot rely on something like log info due to Splunk Cloud giving not much access to logs, so I'm more or less reliant on resetting the value or keeping them in input modules. Is there any way this can be achieved?
When using stats, rather than using values, use list for each field instead: | stats list(FirstName), list(LastName) by Loc
Hello, We have been running Website Monitoring for a while and just recently it started to continuously report Connection Timeout errors on and off on the URLs we track. We had checked the network, and no issues can be found. Is it possible Splunk or the Website Monitoring add-on is corrupt? Any suggestions?
I think I may not be explaining a key part of this well enough (or if I am misunderstanding your explanation, I'm sorry!). I need ALL ResourceIds from index=main. The only values I need to filter out are instance IDs (i.e. i-1234567abcdef) that are NOT found in index=other.

So let's say index=main ResourceId=* returns:
i-1234567abcdef
i-abcdef1234567
sg-12345abcde
etc. (any other value that is not an instance ID)

and the index=other search returns InstanceId:
i-abcdef1234567

I need the results to be (filtered out i-1234567abcdef because it was not returned by index=other):
i-abcdef1234567
sg-12345abcde

So I guess a way to think about this is that I am trying to remove any value from ResourceId that matches the string "i-*" IF it was NOT found in index=other, and THEN coalesce ResourceId and InstanceId into a single field.
Hi @Nour.Alghamdi, Did you ever get a solution from Support? I did hear back from Docs and this is what they told me. "Events service will take care of bringing up the elastic search"
Splunk does not limit access by email address - it uses role-based access controls (RBAC).  You would need to create a role and make that role the only one that can access the dashboard in question.  Then create a Splunk account with the subject email address and assign that account to the new role. Another option is to make the dashboard private to the user with the subject email address. All of that is easiest to do using the GUI.  How to do it "through the backend" depends on your environment (Splunk Cloud, standalone, SHC, etc.).  It also depends on what you mean by "backend" - REST API, config files, or CLI commands.
Putting inputs.conf on a HF without a matching props.conf means the events may not be indexed properly.  That's why I advise installing a TA.  Use the same TAs you use on the UFs.  If you don't have one, try Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742) and Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833).
As per your suggestions we have changed the SQL query. After the changes, the results are still showing the "Winows_Support - Operations" group. Can you please help me here?
Which TAs are you referencing (for a Windows HF)? I have a Windows inputs.conf file that I'm sure came from an app, but I'm not sure which, that is being modified for certain needs now. If you had a specific TA in mind, that may help determine which inputs are not suitable for a HF.
I am trying to provide limited access to a dashboard and am trying to do that through the backend.
So it is possible to control with a deployment server? I thought I saw somewhere that it was not. Which TAs are you referencing for the HFs? I am currently modifying a single Windows inputs.conf file and just pushing it to different machines via the deployment server. Which is the root of the question: which inputs should definitely be turned off to avoid problems?
I can see the business transactions 0 of 10 happening but I can't see the transactions and the application flow map. What could be the reason for it?
What problem are you trying to solve?
If the illustrated fields are all you have, the only link between 250 -> 100 (with user) and the rest of the events (without) is host. I highly doubt this can be sufficient to determine what a user has done between 250 and 100, unless this tool is strictly single-user and no other things can generate any of these events. If the tool is single-user only, you can use transaction to group these events together, like

| transaction host startswith="EventCode=250" endswith="EventCode=100"

Once transactions are established, you can then glean completed transactions for event codes that are not 250 and 100. For example,

| transaction host startswith="EventCode=250" endswith="EventCode=100"
| stats values(EventCode) as EventCode values(user) as user by host
| eval EventCode = mvfilter(NOT EventCode IN ("250", "100"))

Hope this helps.
Trying to blacklist an event that is generating a lot of logs. Previously asked this question here: Solved: Re: Splunk Blacklist DesktopExtension.exe addition... - Splunk Community, but the solution is not working. Any other thoughts on how to blacklist Desktopextension.exe for Windows security events?

blacklist = EventCode=4673 message="DesktopExtension\.exe
Hello, How do I provide access to a limited email address on a dashboard through the backend?
I can see the business transactions 0 of 10 happening but I can't see the transactions and the application flow map. What could be the reason for it?
I am trying to configure the distributed monitoring console without the UI (for automation purposes). It seems that I have gotten most things right - all instances show up the way I want them to, however they are all marked as "unreachable". It seems that I must do the step where I provide credentials for the MC host to log in to the monitored host. However, I cannot figure out what this step actually does. Also, I cannot find anything that hints at the credentials being stored anywhere. So what does this login process actually do, and how can I mimic that behaviour for the MC from the command line / via config files? Any insight on how the setup process works behind the scenes would be appreciated.
I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventCode=100). These two codes display a user name, but the events between them do not. How can I write a search to look for these two events and then display the changes between them with the username who completed the change?

| from datamodel:P3
| search EventCode=250 OR 100 OR 70 OR 80
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host, user, Device_Added, Device_SN, Device_ID, EventCode, EventDescription

Event_Time            host      user   Device_Added  Device_SN  Device_ID  EventCode
02/22/24 08:49:44 am  Test-Com  xxxxx                                      100
02/21/24 03:59:12 pm  Test-Com  xxxxx                                      250
02/21/24 03:56:08 pm  Test-Com  xxxxx                                      100
02/21/24 03:56:00 pm  Test-Com         USB 1         12345      PID_1      70
02/21/24 03:56:00 pm  Test-Com         USB 2         6789       PID_2      70
02/21/24 03:51:10 pm  Test-Com         USB 1         12345      PID_1      80
02/21/24 03:50:44 pm  Test-Com  xxxxx                                      250
Hi, I want to change the font of the labels (to bold) in a pie chart. Please help me with the code.