All Posts
Wait! You have already defined channel_token elsewhere in the dashboard? You should have mentioned this before! Try updating the form token in your drilldown:

<event>
  <title>$channel_token$</title>
  <search>
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="form.channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>
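A minimal Simple XML form illustrating the point of the reply above (an added example, not the poster's dashboard): the dropdown owns channel_token, so the event panel's drilldown must set form.channel_token, which the input then propagates to channel_token. The lookup search, prefix/suffix and panel title are assumptions for the example.

```xml
<form>
  <label>Hayabusa events (added example)</label>
  <fieldset submitButton="false">
    <!-- This input defines channel_token; its value is wrapped as Channel="..." -->
    <input type="dropdown" token="channel_token" searchWhenChanged="true">
      <label>Channel</label>
      <choice value="*">All</choice>
      <fieldForLabel>Channel</fieldForLabel>
      <fieldForValue>Channel</fieldForValue>
      <search>
        <query>sourcetype=hayabusa | stats count by Channel</query>
      </search>
      <prefix>Channel="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Temporary title to verify that the token really changes on click -->
      <title>Channel filter: $channel_token$</title>
      <event>
        <search>
          <query>sourcetype=hayabusa $channel_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</query>
        </search>
        <option name="type">table</option>
        <option name="table.drilldown">all</option>
        <drilldown>
          <condition field="Channel">
            <!-- Write the form.* token, not channel_token directly: the dropdown
                 owns channel_token and would otherwise keep its own value. -->
            <set token="form.channel_token">$click.value$</set>
          </condition>
        </drilldown>
      </event>
    </panel>
  </row>
</form>
```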
Is it possible that you will share the whole dashboard code?
What did you or someone else do before this problem started? Or has there been some infrastructure-level issue?
I currently have a dropdown for the $channel_token$. However, I followed your advice and set the title to $channel_token$. The title does not update when I click on a row or Channel option in the event pane.
When you are modifying Simple XML dashboards with the GUI and you are mixing source and UI options, that editor converts those values between < and &gt;. To avoid this you should use only source mode and even add <![CDATA[….]]> inside query tags.
Hi, here is a list of different articles on how this can be done in Splunk. There are a lot of options for finding hosts or sources that stop submitting events:
- Meta Woot! https://splunkbase.splunk.com/app/2949/
- TrackMe https://splunkbase.splunk.com/app/4621/
- Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
- Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
- Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
- Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings
Some helpful posts:
- https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
- https://www.duanewaddle.com/proving-a-negative/
Have you added script="simple_xml_examples:showtokens.js" to your <form … > line? With this addition you can see all defined tokens and their values. Of course you must first install this app.
How do you know it isn't working? How are you using the token? Try updating the title (temporarily) to see if it changes:

<event>
  <title>$channel_token$</title>
  <search>
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>
I totally agree with @PickleRick that this case should continue with some local company/contractor. There are too many open items, and one must see your real architecture and also logs to give you an answer.
I'm assuming they thought the "very stupid question" part was directed at the OP. 
I'm not the OP, but this helped me.
I am using Splunk version 9.4.0. I got rid of the list and raw drilldown options and made sure only table.drilldown was present and set to all. It's still not working.
This should be higher up. Correct solution. 
I have a version working with just table.drilldown = all, i.e. list.drilldown and raw.drilldown seem to be redundant. Also, table.drilldown = 1 seems to work. Which version of Splunk are you using?
It is not solved, thank you for asking!
1. Can you please alert me to what is harmlessly redundant?
2. The token does not work. I used a drilldown to set Channel to click.value (I also tried to set Channel to row.Channel), but it doesn't work.
Has this now been solved (as I can't see anything wrong with what you posted - apart from some obvious harmlessly-redundant options)?
Hi Team. Could you please look into my post and respond on Automatic event correlation in Splunk ITSI (without creating manual correlation searches) for third party tools/ log4j? Thank you.
How do I get/add pre-populated fields as checkboxes for the severity field?
Hi @te25

This might work; it assumes the lookup has a list of firewalls with a "host" field (the subsearch keeps host rather than a nonexistent firewall field, so the outer stats can join on it):

| inputlookup firewall_lookup.csv
| eval reported=0
| append [
    search index=yourIndex sourcetype=pan:traffic earliest=-15m
    | stats count by host
    | eval reported=1
    | fields host reported ]
| stats max(reported) as reported by host
| rex field=host "(?<pair>[^0-9]+)"
| stats sum(reported) as reporting_count, values(host) as firewalls by pair
| where reporting_count=0
| table pair firewalls

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Hello, and thank you for your help! Here is what my dashboard looks like now:

<event>
  <search>
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>

Here is what the corresponding search looks like:

index=test-index sourcetype=hayabusa host=* Level=* RuleType=* | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details