This is what I currently have:

    <event>
      <title>$channel_token$</title>
      <search>
        <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
      </search>
      <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
      <option name="count">50</option>
      <option name="refresh.display">progressbar</option>
      <option name="table.drilldown">all</option>
      <option name="table.sortDirect">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">table</option>
      <drilldown>
        <set token="form.channel_token">$click.value$</set>
      </drilldown>
    </event>

This does not change the title from $channel_token$ to an actual value. When you say "update", is that different from the "set token" feature?
Here is last year's .conf presentation about using DS with UF and the OTel collector add-on: https://conf.splunk.com/files/2024/slides/PLA1117B.pdf
Thanks! This helps. For anyone interested in this in the future, how it works is that the class com.splunk.logging.HttpEventCollectorLogbackAppender has setters defined, and the tags need to follow the same scheme as the setters. So, for example, while the field name is _batchCount, the setter is setbatch_size_count, and so the tag needs to be <batch_size_count>.
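As an added example (not code from the post above or from the Splunk logging library), here is a logback.xml appender block written with that tag-to-setter naming. The element names (url, token, index, source, sourcetype, disableCertificateValidation, batch_size_count, batch_size_bytes, batch_interval) mirror the appender's setters; the HEC URL, index and source names are placeholders, and reading the token from the SPLUNK_HEC_TOKEN environment variable via logback's ${...} substitution is an assumption about how you manage secrets, not something the post prescribes. The batch_interval unit is assumed to be milliseconds; check the library README for your version.

```xml
<configuration>
  <!-- Added example: HEC appender configured through the setter-named tags.
       Hostname, index and source are placeholders, not values from the thread. -->
  <appender name="splunk" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>https://hec.example.internal:8088</url>
    <!-- Keep the HEC token out of the file: logback substitutes env vars / system properties. -->
    <token>${SPLUNK_HEC_TOKEN}</token>
    <index>app_logs</index>
    <source>orders-service</source>
    <sourcetype>_json</sourcetype>
    <!-- false is the safe setting; true turns off TLS certificate checks on the HEC endpoint. -->
    <disableCertificateValidation>false</disableCertificateValidation>
    <!-- Batching knobs: each tag name matches a set... method on the appender class.
         batch_size_count  -> setbatch_size_count  (flush after N events)
         batch_size_bytes  -> setbatch_size_bytes  (flush after N bytes)
         batch_interval    -> setbatch_interval    (flush after this interval, assumed ms) -->
    <batch_size_count>10</batch_size_count>
    <batch_size_bytes>65536</batch_size_bytes>
    <batch_interval>5000</batch_interval>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%msg</pattern>
    </layout>
  </appender>

  <root level="INFO">
    <appender-ref ref="splunk"/>
  </root>
</configuration>
```

If a tag does not take effect, compare its name against the public setters of the appender class (for example with javap on the library jar): a tag with no matching setter is silently ignored by logback's configurator, which is the failure mode described in the post.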
Wait! You have already defined channel_token elsewhere in the dashboard? You should have mentioned this before! Try updating the form token in your drilldown:

    <event>
      <title>$channel_token$</title>
      <search>
        <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
      </search>
      <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
      <option name="count">50</option>
      <option name="list.drilldown">none</option>
      <option name="list.wrap">1</option>
      <option name="raw.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <option name="table.drilldown">all</option>
      <option name="table.sortDirect">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">table</option>
      <drilldown>
        <condition field="Channel">
          <set token="form.channel_token">$click.value$</set>
        </condition>
      </drilldown>
    </event>
Is it possible that you will share the whole dashboard code?
What did you or someone else do before this problem started? Or has there been some infrastructure-level issue?
I currently have a dropdown for the $channel_token$. However, I followed your advice and set the title to $channel_token$. The title does not update when I click on a row or Channel option in the event pane.
When you are modifying Simple XML dashboards with the GUI and you are mixing source and UI options, the editor converts those values between < and &gt;. To avoid this you should use only source mode and even add <![CDATA[….]]> inside query tags.
Hi, here is a list of different articles on how this can be done in Splunk. There are a lot of options for finding hosts or sources that stop submitting events:

  - Meta Woot! https://splunkbase.splunk.com/app/2949/
  - TrackMe https://splunkbase.splunk.com/app/4621/
  - Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
  - Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
  - Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
  - Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings

Some helpful posts:

  - https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
  - https://www.duanewaddle.com/proving-a-negative/
Have you added ... script="simple_xml_examples:showtokens.js" to your <form … > line? With this addition you can see all defined tokens and their values. Of course you must first install this app.
How do you know it isn't working? How are you using the token? Try updating the title (temporarily) to see if it changes:

    <event>
      <title>$channel_token$</title>
      <search>
        <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
      </search>
      <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
      <option name="count">50</option>
      <option name="list.drilldown">none</option>
      <option name="list.wrap">1</option>
      <option name="raw.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <option name="table.drilldown">all</option>
      <option name="table.sortDirect">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">table</option>
      <drilldown>
        <condition field="Channel">
          <set token="channel_token">$click.value$</set>
        </condition>
      </drilldown>
    </event>
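Pulling the drilldown advice in this thread together (the suggestion to set the form.channel_token token when the token is backed by a dropdown input, and the advice to edit in source mode with CDATA around queries), here is a complete Simple XML form as an added example. It is not the original poster's dashboard and not code from any reply. The sourcetype and field names come from the posts; the dropdown's populating search, the time range, the "All" choice and the use of Channel in the event search are assumptions made so the form runs on its own.

```xml
<form version="1.1">
  <!-- Added example, not the OP's dashboard. The dropdown owns the channel_token
       token; the event table's drilldown writes form.channel_token so that the
       dropdown selection, the token and anything rendering $channel_token$
       (the title below) all change together on a click. -->
  <label>Hayabusa events by channel</label>

  <fieldset submitButton="false">
    <input type="dropdown" token="channel_token" searchWhenChanged="true">
      <label>Channel</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Channel</fieldForLabel>
      <fieldForValue>Channel</fieldForValue>
      <search>
        <!-- Assumed populating search; CDATA keeps the editor from rewriting < and > -->
        <query><![CDATA[sourcetype=hayabusa | stats count by Channel | sort Channel]]></query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <event>
        <!-- Renders the current token value; updates when the dropdown value changes -->
        <title>$channel_token$</title>
        <search>
          <query><![CDATA[sourcetype=hayabusa Channel="$channel_token$"
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details</fields>
        <option name="type">table</option>
        <option name="count">50</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <drilldown>
          <!-- Only react to clicks on the Channel cell and push the clicked value
               into the dropdown's form token (form.<token>), not the bare token -->
          <condition field="Channel">
            <set token="form.channel_token">$click.value$</set>
          </condition>
        </drilldown>
      </event>
    </panel>
  </row>
</form>
```

Paste this into a new dashboard's source editor rather than the visual editor. Clicking a value in the Channel column should change the dropdown selection, the panel title and the event search in one step; if the title still does not change, the showtokens.js helper mentioned in this thread shows whether form.channel_token was actually set by the click.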
I totally agree with @PickleRick that this case should continue with some local company/contractor. There are too many open items, and one must see your real architecture and also logs to give you an answer.
I'm assuming they thought the "very stupid question" part was directed at the OP. 
I'm not the OP, but this helped me.
I am using Splunk version 9.4.0. I got rid of the list and raw drilldown options and made sure only table.drilldown was present and set to all. It's still not working.
This should be higher up. Correct solution. 
I have a version working with just table.drilldown = all, i.e. list.drilldown and raw.drilldown seem to be redundant. Also, table.drilldown = 1 seems to work. Which version of Splunk are you using?
It is not solved, thank you for asking! 1. Can you please alert me to what is harmlessly redundant? 2. The token does not work. I used a drilldown to set Channel to click.value (I also tried to set Channel to row.Channel), but it doesn't work.
Has this now been solved (as I can't see anything wrong with what you posted - apart from some obvious harmlessly-redundant options)?
Hi Team. Could you please look into my post and respond on Automatic event correlation in Splunk ITSI (without creating manual correlation searches) for third party tools/ log4j? Thank you.