All Posts

Hi, I apologize for the confusion -- I updated the code to be complete. Thank you!
This doesn't appear in the "full dashboard code" you posted in a previous response. Please clarify which code is in which dashboard.
Hello! Here it is:

<form version="1.1" theme="dark">
  <label>Hayabusa Overview</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Global Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="dropdown" token="case_token" searchWhenChanged="true">
      <label>Case Selector</label>
      <prefix>index=case_</prefix>
      <suffix>*</suffix>
      <fieldForLabel>case</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| tstats count where index=case_* by index | rex field=index "\_(?&lt;case&gt;.*?)\_" | dedup case | table case</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="multiselect" token="host_token" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All Hosts</choice>
      <!-- the populating search returns "host" (lower case); field names are case-sensitive -->
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| tstats count where $case_token$ sourcetype=hayabusa by host | table host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <initialValue>*</initialValue>
      <delimiter>, </delimiter>
      <prefix>host IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Top Informational Alerts</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa $host_token$ Level=info by RuleTitle | sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="list">[#65778A,#65778A,#65778A,#65778A,#65778A]</colorPalette>
          <scale type="threshold">0,30,70,100</scale>
        </format>
        <drilldown>
          <set token="form.rule_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Hosts By Hits</title>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa by host | sort -count</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <drilldown>
          <set token="form.host_token">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Hayabusa Hits Overview</title>
      <input type="multiselect" token="level_token" searchWhenChanged="true">
        <label>Level</label>
        <choice value="*">All Levels</choice>
        <choice value="info">Info</choice>
        <choice value="low">Low</choice>
        <choice value="med">Medium</choice>
        <choice value="high">High</choice>
        <choice value="crit">Critical</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <prefix>Level IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>, </delimiter>
      </input>
      <input type="multiselect" token="rule_token" searchWhenChanged="true">
        <label>Rule</label>
        <choice value="*">All Rules</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <fieldForLabel>RuleTitle</fieldForLabel>
        <fieldForValue>RuleTitle</fieldForValue>
        <search>
          <query>| tstats count where $case_token$ $host_token$ sourcetype=hayabusa $level_token$ by RuleTitle | table RuleTitle</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <prefix>RuleTitle IN (</prefix>
        <suffix>)</suffix>
        <delimiter>,</delimiter>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
      </input>
      <input type="text" token="search_token" searchWhenChanged="true">
        <label>Search</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="exclude_token" searchWhenChanged="true">
        <label>Search (to Exclude)</label>
        <default>Default Value to Exclude</default>
        <initialValue>Default Value to Exclude</initialValue>
      </input>
      <input type="multiselect" token="channel_token" searchWhenChanged="true">
        <label>Channel</label>
        <fieldForLabel>Channel</fieldForLabel>
        <fieldForValue>Channel</fieldForValue>
        <search>
          <query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <delimiter> </delimiter>
        <choice value="*">All Channels</choice>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <html>
        <p>For <strong>Search</strong> and <strong>Search to Exclude</strong>, delimit with a comma. For example: <strong>term,search phrase</strong></p>
      </html>
      <event>
        <title>$channel_token$</title>
        <search>
          <!-- "RuleTitle" must match the case used in <fields> below; "Ruletitle" would drop the field -->
          <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
        </search>
        <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
        <option name="count">50</option>
        <option name="refresh.display">progressbar</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirect">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">table</option>
        <drilldown>
          <set token="form.channel_token">$click.value$</set>
        </drilldown>
      </event>
    </panel>
  </row>
</form>
Is this still unfeasible with the Studio mode? There are many use cases where we need to reset multiple dropdowns based on a specific dropdown (e.g. if the country is changed, the city should not stay the same, as it no longer belongs to the selected country, etc.).
Yes! Here it is:

<input type="multiselect" token="channel_token" searchWhenChanged="true">
  <label>Channel</label>
  <fieldForLabel>Channel</fieldForLabel>
  <fieldForValue>Channel</fieldForValue>
  <search>
    <query>| tstats count where $case_token$ sourcetype=hayabusa by Channel</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <delimiter> </delimiter>
  <choice value="*">All Channels</choice>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
Can you share the source for the dropdown?
I am new to Splunk SOAR and I have a custom Python code block that I am creating, and I export a variable from it to a Splunk action block. The variable in the custom code block is set fine, and with debug statements I can see it is set correctly. I then export that variable. In the Splunk action block, I import that variable, but when I try to use it the value is set to "None". When I import SOAR system variables, it works fine. There are no error messages. SOAR has auto-fill for the variables, so it's not like I have a typo. Screenshot below: {0} is my custom code variable that gets set to None. {1} is from the extract IP utility and that is set fine.
We are receiving the following Meraki sourcetypes, and we wonder if there is any app that presents this set of sourcetypes nicely:
meraki:securityappliances
meraki:devicesavailabilitieschangehistory
meraki:assurancealerts
meraki:licensessubscriptionentitlements
meraki:apirequestshistory
meraki:appliancesdwanstatuses
meraki:licensesoverview
This is what I currently have:

<event>
  <title>$channel_token$</title>
  <search>
    <!-- "RuleTitle" must match the case used in <fields> below; "Ruletitle" would drop the field -->
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <set token="form.channel_token">$click.value$</set>
  </drilldown>
</event>

This does not change the title from $channel_token$ to an actual value. When you say update, is that different from the "set token" feature?
Here is last year's .conf presentation about using DS with UF and the OTel collector add-on: https://conf.splunk.com/files/2024/slides/PLA1117B.pdf
Thanks! This helps. For anyone interested in this in the future, how it works is that the class com.splunk.logging.HttpEventCollectorLogbackAppender has setters defined, and the tags need to follow the same scheme as the setters. So, for example, while this field name is _batchCount, the setter is setbatch_size_count, and so the tag needs to be <batch_size_count>.
Wait! You have already defined channel_token elsewhere in the dashboard? You should have mentioned this before! Try updating the form token in your drilldown:

<event>
  <title>$channel_token$</title>
  <search>
    <!-- "RuleTitle" must match the case used in <fields> below; "Ruletitle" would drop the field -->
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="form.channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>
Is it possible that you will share the whole dashboard code?
What did you or someone else do before this problem started? Or has there been some infrastructure-level issue?
I currently have a dropdown for the $channel_token$. However, I followed your advice and set the title to $channel_token$. The title does not update when I click on a row or Channel option in the event pane.
When you are modifying Simple XML dashboards with the GUI and you are mixing source and UI options, that editor converts those values between < and &gt;. To avoid this you should use only source mode and even add <![CDATA[…]]> inside query tags.
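To illustrate the point about escaping, here is an added example (not from any post in this thread) that parses three constructed Simple XML panel fragments with Python's standard XML parser: a query with a raw "<" typed in, the entity-escaped form the GUI editor stores, and the CDATA form suggested above. The panel skeleton and the query text are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed SPL query containing characters that are significant to XML.
RAW_QUERY = 'index=main | where count<10 AND host!="web-01"'


def panel_with(query_markup: str) -> str:
    """Wrap query markup in a minimal (constructed) Simple XML panel skeleton."""
    return f"<panel><table><search><query>{query_markup}</query></search></table></panel>"


def extract_query(xml_text: str):
    """Return the query text the dashboard parser would see, or None if the XML is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find("./table/search/query").text


def escape_for_xml(text: str) -> str:
    """What the GUI editor effectively does to a query typed into a text box."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


# 1. Raw "<" inside the element: "<10" is not a valid tag start, so parsing fails.
BROKEN = panel_with(RAW_QUERY)

# 2. Entity-escaped: parses, and the parser hands back the original characters.
#    This is why a saved dashboard shows &lt; / &gt; where you typed < / >.
ESCAPED = panel_with(escape_for_xml(RAW_QUERY))

# 3. CDATA section: the parser takes the content literally, so no escaping is
#    needed and the source stays readable (the only forbidden sequence is "]]>").
CDATA = panel_with(f"<![CDATA[{RAW_QUERY}]]>")

if __name__ == "__main__":
    for name, doc in (("raw", BROKEN), ("escaped", ESCAPED), ("cdata", CDATA)):
        print(f"{name:8s} -> {extract_query(doc)!r}")
```

Both the escaped and the CDATA forms yield the identical query string once parsed; only the raw form is rejected.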
Hi, here is a list of different articles on how this can be done in Splunk. There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings
Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/
Have you added ... script="simple_xml_examples:showtokens.js" to your <form … > line? With this addition you can see all defined tokens and their values. Of course you must first install this app.
How do you know it isn't working? How are you using the token? Try updating the title (temporarily) to see if it changes:

<event>
  <title>$channel_token$</title>
  <search>
    <!-- "RuleTitle" must match the case used in <fields> below; "Ruletitle" would drop the field -->
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>
I totally agree with @PickleRick that this case should continue with some local company/contractor. There are too many open items, and one must see your real architecture and also logs to give you an answer.