All Posts

@tej57 Here is the code; I reused the template that the Add-on Builder app started. The data input is also set up; it was built by the app, I had to give it a name and set the interval to 30 seconds. Formatting here is not good....

```python
# encoding = utf-8
import os
import sys
import time
import datetime

'''
    IMPORTANT
    Edit only the validate_input and collect_events functions.
    Do not edit any other part in this file.
    This file is generated only once when creating the modular input.
'''

'''
# For advanced users, if you want to create single instance mod input, uncomment this method.
def use_single_instance_mode():
    return True
'''


def validate_input(helper, definition):
    """Implement your own validation logic to validate the input stanza configurations"""
    # This example accesses the modular input variable
    # password = definition.parameters.get('password', None)
    # username = definition.parameters.get('username', None)
    # finesse_ip = definition.parameters.get('finesse_ip', None)
    pass


def collect_events(helper, ew):
    import requests
    from requests.auth import HTTPBasicAuth

    # Input stanza parameters defined in the Add-on Builder data input
    finesse_ip = helper.get_arg('finesse_ip')
    username = helper.get_arg('username')
    password = helper.get_arg('password')
    url = f"https://{finesse_ip}/finesse/api/SystemInfo"

    try:
        # verify=False disables TLS certificate checking for this request;
        # any host answering on that IP is accepted and the Basic auth
        # credentials are sent to it. Pointing verify at the CA bundle that
        # signed the Finesse certificate keeps the call working and checked.
        response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)
        if response.status_code == 200:
            helper.log_info(f"Successfully retrieved data from {url}")
        else:
            helper.log_error(f"Request failed. Status: {response.status_code}, Body: {response.text}")

        # The raw response body is written as one event on every run,
        # whether or not the request succeeded.
        event = helper.new_event(
            data=response.text,
            source=helper.get_input_type(),
            index=helper.get_output_index(),
            host="finesse1a",
            sourcetype=helper.get_sourcetype()
        )
        ew.write_event(event)
    except Exception as e:
        helper.log_error(f"Error during request to {url}: {str(e)}")
```
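As an added example (my code, not the poster's and not part of the Add-on Builder template), a hardened version of the collector above: the same endpoint, Basic auth and helper/ew calls, but with TLS verification pinned to a CA bundle instead of verify=False, a request timeout, an event written only on HTTP 200, and the SystemInfo XML flattened into JSON fields so Splunk extracts them at search time. CA_BUNDLE, REQUEST_TIMEOUT and the sample XML body (its element names in particular) are assumptions.

```python
"""Hardened SystemInfo collector for the Add-on Builder modular input.

Added example; CA_BUNDLE, REQUEST_TIMEOUT and SAMPLE_BODY are assumptions.
"""
import json
import xml.etree.ElementTree as ET
from typing import Optional

# Assumed deployment values: the bundle is the CA that signed the Finesse cert.
CA_BUNDLE = "/opt/splunk/etc/apps/TA-finesse/bin/finesse-ca.pem"
REQUEST_TIMEOUT = 10  # seconds; a stalled server must not hang the input

# Constructed sample body shaped like a SystemInfo document (element names
# are an assumption, not a captured Finesse response).
SAMPLE_BODY = """<SystemInfo>
  <status>IN_SERVICE</status>
  <primaryNode><host>finesse1a.example.internal</host></primaryNode>
  <secondaryNode><host>finesse1b.example.internal</host></secondaryNode>
</SystemInfo>"""


def make_session(username: str, password: str, ca_bundle: str = CA_BUNDLE):
    """requests.Session with Basic auth and certificate checking pinned to ca_bundle."""
    import requests  # shipped with Add-on Builder; imported lazily as in the template
    from requests.auth import HTTPBasicAuth

    session = requests.Session()
    session.auth = HTTPBasicAuth(username, password)
    session.verify = ca_bundle  # a PEM path, never False: False accepts any certificate
    return session


def _flatten(element: ET.Element, prefix: str, out: dict) -> dict:
    """Record leaf text under dotted keys, e.g. primaryNode.host."""
    for child in element:
        key = f"{prefix}{child.tag}"
        if len(child):            # container element: recurse into it
            _flatten(child, key + ".", out)
        else:                     # leaf element: keep its text
            out[key] = (child.text or "").strip()
    return out


def parse_system_info(body: str) -> dict:
    """SystemInfo XML -> flat dict of field -> value.

    ET.fromstring does not fetch external entities, but for XML from a host
    you do not control, defusedxml.ElementTree is the safer drop-in.
    """
    return _flatten(ET.fromstring(body), "", {})


def render_event(status_code: int, body: str) -> Optional[str]:
    """JSON event text for a usable 200 response, None for anything else."""
    if status_code != 200:
        return None
    try:
        fields = parse_system_info(body)
    except ET.ParseError:
        return None  # a 200 with a non-XML body (login page, proxy error) is not data
    if not fields:
        return None  # parsed, but carried no leaf values worth indexing
    return json.dumps(fields, sort_keys=True)


def collect_events(helper, ew):
    """Drop-in replacement for collect_events in the template above."""
    import requests

    finesse_ip = helper.get_arg("finesse_ip")
    url = f"https://{finesse_ip}/finesse/api/SystemInfo"
    session = make_session(helper.get_arg("username"), helper.get_arg("password"))
    try:
        response = session.get(url, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        helper.log_error(f"Request to {url} failed: {exc}")
        return

    data = render_event(response.status_code, response.text)
    if data is None:
        # Truncate the body so a large error page does not flood splunkd.log.
        helper.log_error(f"Unusable response from {url}: status {response.status_code}, "
                         f"body {response.text[:200]!r}")
        return
    ew.write_event(helper.new_event(
        data=data,
        source=helper.get_input_type(),
        index=helper.get_output_index(),
        host=finesse_ip,
        sourcetype=helper.get_sourcetype(),
    ))
```

Because render_event is separated from the HTTP call, the Add-on Builder Test button (or a plain Python shell) can be fed a saved response body to confirm the event shape before the input is scheduled; if nothing shows up in the index, the splunkd.log line from the non-200 branch says why.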
Hello @spamarea1, Would you be able to share the Python code so we can check further why it is not ingesting events? And can you also confirm that ew.write_event(event) has been set properly? Did you also check in the Add-on Builder UI whether it ingests events when you run the Test button? Thanks, Tejas.
Hello @sl, You can alternatively use this wonderful tool developed by Ryan Adler - https://github.com/ryanadler/downloadSplunk I found this one in one of the previous answers on the Community. Running the bash script will help you download whatever version you wish if Splunk Support doesn't help you. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
Hi @Narendra_Rao, for upgrading to KV store 7.x, the KV store first needs to be on 4.2.x. Looking at your KV store version, it is on 4.1.7; this is the reason the upgrade is failing. You need to upgrade to 4.2.x, then go for 7.x. Upgrade document to 4.2.x: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine Then the upgrade document to 7.x: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/MigrateKVstore#Prepare_for_the_upgrade
This worked perfectly! Thank you so much!!! Diana
Hi, I need to create an investigation with SOAR. When I create the investigation, it doesn't link the Finding to the Investigation. Do you have a playbook that can help me with this feature?
OK, I give up... Do you have anywhere I can read about how to use the ingest API? I am able to send the payload to the endpoint in my realm, using a token I created for it. I get an HTTP 200 response, but the metrics don't get created anywhere... I have been searching the documentation, but Splunk docs are in general abysmal I think; I haven't found anything useful at all..... Any hints? Thanks Disregard, ChatGPT figured out my problem for me......
Hi @MKhan1, Using LAUNCHSPLUNK=0 just ignores any problem during Splunk startup, so unfortunately it still could be pretty much anything. If you run splunk start from a command line, what does it say? Have you tried checking the Event Logs and splunkd.log? Cheers, - Jo.
The official way to obtain software versions not listed on the download page is to contact support with a request to share a specific version.
https://community.splunk.com/t5/Dashboards-Visualizations/Why-does-dark-theme-switch-fail-when-using-emojis-in-the/m-p/518190 This is expected, it seems. Is there any workaround to overcome this?
@D2SI @andrewtrobec @robtun1 @blablabla @niketn can you guys help me on this as well... Re: How to add the description for dashboard in be... - Splunk Community I am trying to add  in my Splunk dashboard description, and as soon as I give this HTML, the dark theme changes to light and does not come back. Can you guys help me?
Can you please share download links for HF and Enterprise prior to 9.1? i.e. 9.0.x, both Linux and Windows, thanks
I see, that's good to know. Thanks for the explanation!
One more thing: if I enter this HTML, the dashboard theme automatically goes to the light theme, even if I select the dark theme... Is there any limitation of HTML or the alert symbol that it cannot use in dark mode? Any workaround for this? Because I want one of the 3 dashboards to be in dark mode.
Try this,

```html
<div style="
  background: linear-gradient(120deg, #2e2e2e 0%, #1a1a1a 100%);
  border-left: 6px solid #ffb74d;
  box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1);
  border-radius: 6px;
  padding: 18px 24px;
  font-family: -apple-system,BlinkMacSystemFont, Segoe UI, Helvetica, Arial, sans-serif;
  font-size: 15px;
  line-height: 1.45;
  margin-bottom: 24px;">
  <h3 style="color: #ffa726; margin: 0 0 8px 0; display: flex; align-items: center;">
    <span style="font-size: 32px; margin-right: 12px;">⚠️</span>
    Important Notice
  </h3>
  <p style="margin: 0 0 10px 0; color: #e0e0e0;">
    Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
  </p>
  <p style="margin: 0; color: #e0e0e0;">
    Please ensure an <strong>Index Name</strong> is selected – this is required to load dashboard data.
  </p>
</div>
```
Looks good, but it looks a bit bad in dark mode. Can you help me with good colors? Sorry, I am asking for more.
Hi @elend, You configure a volume in your indexes.conf, which is essentially your S3 location, and then you can update all or individual indexes to use that volume by setting remotePath, e.g.

remotePath = volume:<VOLUME_NAME>/$_index_name

The $_index_name is actually an internal variable, so you don't need to overwrite this. In addition to the other docs I posted in the previous post, it's worth checking https://docs.splunk.com/Documentation/Splunk/9.4.2/Indexer/SmartStoresecuritystrategies too.

Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
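As an added example (mine, not from the reply above), an indexes.conf fragment that puts the pattern into practice: one S3-backed volume and one index pointed at it with remotePath. The volume name, bucket, endpoint and index name are assumptions; the encryption and certificate-verification settings are the ones the SmartStore security strategies page linked above is about, and they are shown here because a volume defined with only storageType and path leaves both at their defaults.

```ini
# indexes.conf (added example; bucket, endpoint and stanza names are assumed)

# The volume is the S3 location. Prefer an IAM role attached to the indexer
# over static keys: remote.s3.access_key / remote.s3.secret_key are only
# needed when no instance role or credential file is available, and a
# long-lived key in a .conf file is one more secret to rotate and leak.
[volume:s3_smartstore]
storageType = remote
path = s3://example-splunk-smartstore/indexes
remote.s3.endpoint = https://s3.us-east-1.amazonaws.com
# Reject a bucket endpoint whose certificate does not validate.
remote.s3.sslVerifyServerCert = true
# Server-side encryption of every uploaded bucket (sse-kms with a key id
# is the stricter option when the KMS key policy should gate reads).
remote.s3.encryption = sse-s3

# Each index only needs remotePath; $_index_name expands to the stanza
# name, so the same line can be copied into every index that should use
# the volume. homePath/coldPath/thumbPath stay local as the cache.
[web_proxy]
homePath   = $SPLUNK_DB/web_proxy/db
coldPath   = $SPLUNK_DB/web_proxy/colddb
thumbPath  = $SPLUNK_DB/web_proxy/thumb
remotePath = volume:s3_smartstore/$_index_name
```

After a restart, `splunk btool indexes list web_proxy --debug` shows which file each setting resolved from, which is the quickest way to catch a remotePath that landed in the wrong stanza.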
Ahhh... I double-checked, and it seems Splunk also populates the timestamp field by default (to be honest, I didn't know that; I thought it was only the _time field and those "partial" fields like date_hour, date_day and so on). So when you had your TIME_PREFIX wrong, Splunk - since, as I said, timestamp recognition happens very early in the ingestion pipeline - would attempt to parse out the timestamp from the message. Since the prefix was wrong, Splunk wouldn't properly extract the time, so it would set _time using the default logic (either to the timestamp of the previous event or the current time of the receiving host; the details of the time assignment are pretty well documented, for example here - https://help.splunk.com/en/data-management/get-data-in/get-data-into-splunk-cloud-platform/10.0.2503/configure-timestamps/how-timestamp-assignment-works ) and it would set the timestamp field to "none". And then at search time your already transformed JSON would get parsed into fields, so the value from the event would be added to the already present value of "none", making the field a multivalued field.
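As an added example (mine, not the reply's), a props.conf fragment for the situation described: a JSON event that carries its own timestamp field, with TIME_PREFIX anchored on that key so the parser reads it instead of falling back to the previous event's time or the receiver's clock. The sourcetype name, the sample event and the time format are assumptions, and the commented-out "wrong" prefix is an illustration of the failure, not the poster's actual setting.

```ini
# props.conf (added example; sourcetype name, sample event and format are assumed)
#
# Sample event the settings are written for (constructed):
# {"timestamp":"2025-06-01T12:34:56.789+0000","level":"INFO","msg":"ok"}

[app_json]
# Search-time JSON extraction; the raw event is left untouched at index time.
KV_MODE = json

# Illustrative wrong prefix: it never matches, so no time is found in the
# event, _time falls back to the previous event or the receiver's clock,
# and the indexed timestamp field is "none". At search time KV_MODE adds the
# event's own timestamp value next to it, giving the multivalued field.
# TIME_PREFIX = "time"\s*:\s*"

# Corrected: anchor on the key that actually carries the time, state the
# exact format, and bound how far past the prefix the parser may look.
TIME_PREFIX = "timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30

# One JSON document per line; do not merge lines while guessing timestamps.
SHOULD_LINEMERGE = false
```

The fastest check after a change is to re-ingest a handful of lines into a scratch index and search `index=scratch sourcetype=app_json | eval diff=_time-strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%z") | stats max(abs(diff))`; anything other than 0 means the prefix or format still does not line up with the event text.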
@splunklearner You can add a <div> block for that,

```xml
<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div style="
        background: linear-gradient(120deg,#fff5f5 0%,#fff 100%);
        border-left: 6px solid #ff9800;
        box-shadow: 0 2px 6px rgba(0,0,0,.12);
        border-radius: 6px;
        padding: 18px 24px;
        font-family: -apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif;
        font-size: 15px;
        line-height: 1.45;
        margin-bottom: 24px;">  <!-- 👈 spacing between notice and dropdown -->
        <h3 style="color:#d84315; margin:0 0 8px 0; display:flex; align-items:center;">
          <span style="font-size:32px; margin-right:12px;">⚠️</span>
          Important Notice
        </h3>
        <p style="margin:0 0 10px 0; color:#424242;">
          Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
        </p>
        <p style="margin:0; color:#424242;">
          Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data.
        </p>
      </div>
    </html>
```

Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
But when we use the notice here, the notice is slightly overlapping with the dropdowns, which looks bad. Can you do something to maintain some space between them?

```xml
<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div style="
        background: linear-gradient(120deg,#fff5f5 0%,#fff 100%);
        border-left: 6px solid #ff9800;
        box-shadow: 0 2px 6px rgba(0,0,0,.12);
        border-radius: 6px;
        padding: 18px 24px;
        font-family: -apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif;
        font-size: 15px;
        line-height: 1.45;">
        <h3 style="color:#d84315; margin:0 0 8px 0; display:flex; align-items:center;">
          <!-- unicode icon (search engine–friendly, scales with text size) -->
          <span style="font-size:32px; margin-right:12px;">⚠️</span>
          Important Notice
        </h3>
        <p style="margin:0 0 10px 0; color:#424242;">
          Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
        </p>
        <p style="margin:0; color:#424242;">
          Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data.
        </p>
      </div>
    </html>
    <input type="dropdown" token="index">
      <label>Enter your Index Name</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
```

This is the XML I am currently using for this....