All Posts

I see that you are new here.  But this is a Splunk forum.  Very few people will know what Cisco firewall events entail.  In fact, Cisco firewall can also have multiple forms.  @ITWhisperer is asking you to post sample (anonymized) or mock data.  You can use raw events, or field tables. You should also illustrate desired results.  Additionally, explain very clearly which part of the data will lead to your desired result and how.  In short, you need to explain how to get your desired results WITHOUT Splunk.
What do you mean by "total count"?  There is only one total in my vocabulary.  That's the opposite of the mockup chart in your original post that shows multiple bars at each depicted time point.  If you don't need to break down, all you need is | timechart count  
Hi all, I am experiencing an issue with the Splunk WinHostInfo input. It is not working after being deployed to the universal forwarder, whereas the other logs from the same device are successfully received. Does anyone have any idea or suggestions on how to resolve this?
Hello, I'm pretty new with splunk and downloaded a couple of apps to get some dashboards going, including Security Essentials. I installed the app through splunk web and then opened the app after a restart and for many of the pages in SSE, a bunch of javascript errors are thrown. They all say "A custom JavaScript error caused an issue loading your dashboard. See the developer console for more details." Here are the error logs from the console. Not sure how to proceed.  
I'm dealing with Cisco firewall events.  
It is supposed to be a bar chart: the y-axis denotes the login count and the x-axis represents the time period selection we do in our search. Those bars are a representation of the total count values of xxx, yyyy, aaa, bbb.
You mean something like this? | timechart count by "Login mode"
I am trying to align values on the X-axis in this order: ">3 days" ">5 days" ">15 days" ">30 days" ">100 days". I have tried the table command but it's not giving me the expected output. query:
|inputlookup acn_ticket_unresolved_dessertholdings_kv
| eval age=((now() - epoc_time_submitted)/86400), total_age=round(age,2)
| rangemap field=total_age ">3 days"=0-3.00 ">5 days"=3.01-15.00 ">15 days"=15.01-30.00 ">30 days"=30.01-100.00 ">100 days"=100.01-1000.00
| chart count as count1 over range by priority
| rename priority as Priority
I have a search query statistical result values in the below format:
Login mode | Total login
xxx | 48
Yyyy | 23
aaa | 52
bbbb | 73
Now I need to display a bar chart which shows the logins in respect of the login mode and the time selection in the query, for example:
Alternatively, if ServiceNow accepts literal newline, you can just insert newline | eval summary = replace(summary, " from ", " from ")
Hello, how do I align single value text to the left in Dashboard Classic? I tried to use text-align and float, but it didn't work. Please suggest. Thank you.
<panel id="DisplayPanel">
  <single id="datestyle">
    <search>
      <query>| makeresults
      | addinfo
      | eval text = "How to align this text to left?"
      | table text</query>
    </search>
  </single>
</panel>
<panel depends="$alwaysHideCSS$">
  <title>Single value</title>
  <html>
    <style>
      #DisplayPanel {
        width: 100% !important;
        font-size: 16px !important;
        text-align: left !important;
        float: left;
      }
    </style>
  </html>
</panel>
Yes, eventstats can be expensive and possibly slower than join.  You can try switching the eventstats for fields in index _network instead. I don't understand why all of a sudden you are handling host instead of snat.  I will assume that you still want to match snat but with host in lookupfile representing the host portion like 10.10.10.10.  Is this correct?  You also lost matching _time (bucketed to 5m).  If all you want to match is the host portion of snat, i.e., if the lookup contains no _time info, you can have this very efficient search:
index=_network
  [ inputlookup lookupfile ``` assuming this only contains 10.10.10.10, 20.20.20.20 ```
    | dedup host ``` you SHOULD produce a lookup file that contains no dup ```
    | rename host AS snat
    | eval snat = snat . ":*" ``` the lookup file SHOULD use field name snat and contain the asterisk without external work ``` ]
| bucket span=1m _time
| rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)"
| stats count by _time snat client_ip
However, if you still want to match _time and put a bucketed _time column in lookupfile, the search will necessarily be more complex.  You will have to explain the data (both in index and in lookupfile) and exactly what the desired output looks like, and describe the exact logic connecting the dataset and desired output.
First thing to check is of course btool: splunk btool inputs list --debug for the respective inputs.  If it shows renderXml set to false for those inputs, then some other setting is overriding the setting you are trying to apply.  Adding the --debug flag lets you know which file provides the winning setting, so you can figure out where it is coming from.
Hi friends, I have logs like
_time=time latitude=1 longitude=-1 other fields ...
_time=time latitude=1 longitude=-2 other fields ...
etc. The objective is to translate the latitude and longitude values to their associated countries and then apply filters on these values, but I only have these values. Hope you can help me. Regards
Ah sorry - I should have mentioned that the indexes for the panels based on "Servername" have no relation to the AppID, so I can't query the panels by the AppID token. The AppID index is searching a bunch of logs that have a field for AppID and two fields (host & node) which I'm using an eval to join together for the "Servername", which relates to a field in all the Servername index logs, giving me the one-way relation to what server(s) an AppID is running on. Which is silly, but that's the logs I'm dealing with... and hence the problem with a wildcard "*" selection on the second dropdown: it just returns any Servername, not ones filtered by AppID, i.e. its own dropdown query. That's kinda why I'm wondering: if the second dropdown already creates a list of the Servername(s) related to a specific AppID, how can I have all Servername(s) dropped/tokenized into the search query for each panel, not just a single Servername based on the token from selecting a second dropdown Servername, but the whole list of dropdown options for Servername(s) tokenized or passed as tokens into the panel search queries - i.e. a dropdown option for ALL...
Firstly I would suggest your search for the second dropdown change slightly to
index="syslogs" sourcetype="logs:servers:inventory" AppID=$AppID|s$
| eval Servername = host."\\".InstanceName
| fields Servername
| dedup Servername
| sort Servername
That will be slightly more efficient. You should add the wildcard option in the second dropdown, but in your panel searches you also need to include AppID=$AppID|s$ as part of that search, so the * for ServerName will also be restricted to those in your chosen AppID.
After a timechart split by a field, you cannot use the field name after the timechart as it no longer exists. The field names are the values of your 'series' field. You need to use the foreach method in your initial post.
The reason why index=aws returns nothing is that the data you are searching for does not exist in that index. What makes you think it did? It is in the _internal index, so you should definitely include that.
Change your earliest/latest settings to define the time period you want to search for, or use the time picker instead and remove the earliest and latest totally.
These settings can be applied to the universal forwarder.
Is it possible to attach two DUO consoles to the Splunk API? We have a standard console and are soft migrating to DUO Federal, and would like visibility/ingestion for both in Splunk. We see the option to edit the DUO Splunk connector, not add a second one. Thank you!
Bumping this thread. I'd like a solution to this post too. Below is the Simple XML code I have used.
<table>
  <search></search>
  <format type="color" field="Health">
    <colorPalette type="map">{"Critical":#6A5C9E, "Abnormal":#6A5C9E, "Normal":#65A637}</colorPalette>
  </format>
</table>
See output, image below. (Dashboard left, PDF right.)
Splunk Cloud Version 9.0.2303.201
Experience: Classic
Links to Splunk Cloud docs:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/TableFormatsXML
https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/DashboardPDFs