Missing site from this line |stats sum(count) as Success site  
Hi @Nawab, I have only the 7.2 version, but this issue is really strange because I don't think that Splunk removed filters from this dashboard. I suppose that Splunk Support should help you. Ciao. Giuseppe
Hi @ilhwan, in addition to the perfect answer of @richgalloway, I hint to compare (in structure and data) the Data Models on the two SHs, because Data Models are usually located on the SH, except if you forward them to an Indexer Cluster. Ciao. Giuseppe
Yes, I am talking about the Incident Review dashboard of version 7.3.0, and I tried clicking it multiple times, still the same. Also opened a case with Splunk Support.
Hi @jmrubio, if you have this message on the Indexer, it seems that you forgot to create the index on the Indexers, or that maybe there's a difference between the index name and the index that you configured in the inputs.conf of the HF. If the message is in the HF, it seems that there's an issue in the forwarding configuration. Ciao. Giuseppe
Hi @snobyink, at first, these seem to be Linux logs, so using the Splunk_TA_nix (https://splunkbase.splunk.com/app/833), you should have all the fields extracted. Anyway, you can use a regex to extract the user field (the host should be already extracted):
index=your_index | rex "for user (?<user>\w+)" | table _time host user
Ciao. Giuseppe
Hi @Mariam001, how are you ingesting database logs? Are you using DB Connect, or are you reading log files? In both cases, check the relative input. Ciao. Giuseppe
Hi @Nawab, in Enterprise Security there are many dashboards: the filters you shared seem to be the ones in the Incident Review dashboard. Did you try to click the Hide Filters button two times? Ciao. Giuseppe
Yes, the dashboard of Enterprise Security and its filters.
Hi @Muthu_Vinith, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe
P.S.: Karma Points are appreciated by all the contributors.
Hi @Nawab, which dashboard are you speaking of? In the Incident Review dashboard, the filters are the ones you shared. Ciao. Giuseppe
Hi, I try to use a table icon viz like below. In the static folder I have put the "table_icons_rangemap.js" and "table_decorations.css" files. I call these files in my XML like this:
<dashboard version="1.1" script="table_icons_rangemap.js" stylesheet="table_decorations.css">
When I run the dashboard nothing happens: I just have "severe", "high" instead of an icon. I use Splunk Enterprise version 9.1.0.1. Can anybody help, please?? Thanks
@richgalloway but in your steps I didn't see anything to convert bucket renames? It's not required?
These are the options I want.
I have installed the latest Splunk with Splunk Enterprise Security on it. I have worked with Enterprise Security before, and there were some filters available to filter incidents; now in this version 7.3.0 there are no filters. Is there anything wrong I am doing?
Hi @Niro, if your issue isn't resolved, it might happen because of a sourcetype overwrite on pan logs. pan:traffic is the overridden sourcetype; please try putting the transforms setting on your original sourcetype. It should be pan:log or pan_log according to your input setting.
[pan:log]
TRANSFORMS-pan_user = pan_src_user
Hi did you get this working?
Thanks @kamlesh_vaghela 
@Muthu_Vinith

Are you looking for something like this?

XML
<form version="1.1" theme="dark">
  <label>Chechbox</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="checkbox_a">
      <label></label>
      <choice value="panel_a">Panel A</choice>
      <delimiter> </delimiter>
      <change>
        <condition match="$checkbox_a$==&quot;panel_a&quot;">
          <set token="tkn_panel_a">1</set>
        </condition>
        <condition>
          <unset token="tkn_panel_a"></unset>
        </condition>
      </change>
    </input>
    <input type="checkbox" token="checkbox_b">
      <label></label>
      <choice value="panel_b">Panel B</choice>
      <delimiter> </delimiter>
      <change>
        <condition match="$checkbox_b$==&quot;panel_b&quot;">
          <set token="tkn_panel_b">1</set>
        </condition>
        <condition>
          <unset token="tkn_panel_b"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$tkn_panel_a$">
      <title>Panel One $checkbox_a$</title>
      <chart>
        <search>
          <query>| makeresults | eval a=100</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel depends="$tkn_panel_b$">
      <title>Panel Two $checkbox_b$</title>
      <chart>
        <search>
          <query>| makeresults | eval a=100</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Hello Splunk experts, I would like to know: is there an API which can access all events being generated in Splunk, irrespective of search? Please suggest! Thank you in advance. Regards, Eshwar