All Posts

Hi @RS, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
I appreciate your help very much 
Now you can try ChatGPT. It will give this answer only.
@willtseng0217 Can you please try the XML and JS below?

XML

    <dashboard version="1.1" theme="dark" script="test.js">
      <label>js for button on table cell</label>
      <row>
        <panel>
          <table id="table1">
            <search>
              <query>|makeresults count=5 | eval A=random(), B=random(), status=A, action=A</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </dashboard>

test.js

    require([
        'underscore',
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/simplexml/ready!'
    ], function (_, $, mvc, TableView) {
        console.log("Hie 2");

        var CustomCellRenderer = TableView.BaseCellRenderer.extend({
            canRender: function (cell) {
                // Only take over rendering of the "action" and "status" columns
                return _(["action", "status"]).contains(cell.field);
            },
            render: function ($td, cell) {
                if (cell.field == "action") {
                    // The cell value (random() from the search) ties the button
                    // to the status <div> of the same row
                    let unique_id = cell.value;
                    let button_id = "action_btn_" + unique_id;
                    let div_id = "status_div_" + unique_id;
                    let button = $('<button />', {
                        value: 'Ack',
                        id: button_id,
                        on: {
                            click: function () {
                                console.log(unique_id, button_id);
                                console.log(div_id);
                                // Toggle the status text and the button label
                                let div_value = $('#' + div_id).html();
                                if (div_value == "Ack") {
                                    $('#' + div_id).html("Unack");
                                    $('#' + button_id).html("Ack");
                                } else {
                                    $('#' + div_id).html("Ack");
                                    $('#' + button_id).html("Unack");
                                }
                            }
                        }
                    }).addClass("extend_expiry btn-sm btn btn-primary").html("Ack");
                    $td.html(button);
                }
                if (cell.field == "status") {
                    // Empty placeholder the button above writes into
                    let div_id = "status_div_" + cell.value;
                    let html = '<div id="' + div_id + '"></div>';
                    $td.html(html);
                }
            }
        });

        var sh = mvc.Components.get("table1");
        if (typeof (sh) != "undefined") {
            sh.getVisualization(function (tableView) {
                // Add custom cell renderer and force re-render
                tableView.table.addCellRenderer(new CustomCellRenderer());
                tableView.table.render();
            });
        }
    });

Note: just change the code as per your logic and feel free to ask. I hope this will help you.

Thanks, KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Any idea how to hide it in a Studio dashboard?
Is there a way to make the dashboard react to the scenario below? I have 3 panels for a dropdown menu.

If A is selected: panel 1 shows Search A; panel 2 shows Title and the link to URL; panel 3 shows another search of its own (if "drop down" A is selected).
If B is selected: Panel 1 shows Search B; Panel 2 disappears; Panel 3 disappears.
If C is selected: Panel 1 shows Search C; Panel 2 disappears; Panel 3 disappears.
If D is selected: Panel 1 shows Search D; Panel 2 disappears; Panel 3 disappears.

This is what I have so far that doesn't seem to work as expected:

    <input type="dropdown" token="tokenSearchOption1" searchWhenChanged="true">
      <label>Sources</label>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <choice value="D">D</choice>
      <change>
        <condition value="A">
          <set token="tokenSearchQuery"> index= search query A</set>
        </condition>
        <condition value="B">
          <set token="tokenSearchQuery">index= search query B</set>
        </condition>
        <condition value="C">
          <set token="tokenSearchQuery">index=search query C</set>
        </condition>
        <condition value="D">
          <set token="tokenSearchQuery">index= search query D</set>
        </condition>
      </change>
      <initialValue>"A"</initialValue>
    </input>
    </panel>
    </row>
    <row>
      <panel id="URL test">
        <title>Title URL</title>
        <html>
          <!-- <style> .dashboard-row Title .dashboard-panel h2.panel-title { font-size: 40px !important; text-align:left; font-weight:bold; } </style>-->
          <center>
            <style>.btn-primary { margin: 5px 10px 5px 0;font-size: 40px !important; }</style>
            <a href="URL for a website" target="blank" class="btn btn-primary"> Click here </a>
          </center>
        </html>
      </panel>
    </row>
    <row>
      <panel depends=dropdown A>
        <title>Magic</title>
        <table>
          <search>
            <query>Index=Run this search when drop down A </query>
            <earliest>$tokTime.earliest$</earliest>
            <latest>$tokTime.latest$</latest>
          </search>
          <option name="drilldown">none</option>
          <option name="refresh.display">progressbar</option>
          <option name="wrap">false</option>
        </table>
      </panel>
Take a look at Ingest Actions  
I was having the same issue. Looking in the code editor for the table showed that a field summary had been set somehow. Removing this seemed to fix my issue.
Is there any way to block logs coming from other servers, on a distributed server, with the debug level activated? I say this because our Splunk is suffering performance degradation due to the amount of DEBUG logs. I'm still studying the props.conf documentation; would this be the right way to do this?
Thanks @ITWhisperer, that worked. Very helpful.
Thanks @gcusello. The given query helped me produce the required timechart.
Thanks for that! I need to find some time to invest in this. 
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet", which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer, so I am going to DESCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline, as in <"></n><">. If you do that, it works. The stupid site is also forcing me to add an app, even though this Q/A has nothing to do with any app.
As @ITWhisperer suggested, you should check and post accuracy of relevant data. I highly doubt if you have a field called httpsCode. It is more likely httpCode, if the field is provided by Splunk at all. If it is not already extracted, you need to first extract it. If you need help with extraction, you will need to post raw data (anonymize as needed).

More than that, a good, answerable question should illustrate desired results and explain the logic between the illustrated dataset and desired results. This relieves volunteers of the burden to read your mind. Statistically, mind reading is more wrong than correct.

This said, I interpret your intention as to discern the count and average timetaken - again, if this field is named such and already extracted in Splunk - by "success" or "failure" status. Maybe this will help.

    | eval status = if(match(httpCode, "200|30[0-478]"), "success", "failure")
    | stats avg(timetaken) count by status

Note that 3xx return codes are generally success statuses. Unless you have specific reasons to classify them as "failure", they should be grouped into success. Hope this helps.
Since I cannot find much on querying ASUS router syslogs, and I am completely new to Splunk, I thought I'd start a thread for other Google Travelers in the far future. I installed Splunk ENT yesterday and I am successfully sending syslogs. In my first self-challenge, I'm trying to build a query with just dropped packets for external IP sources, but it's not working.

    source="udp:514" index="syslog" sourcetype="syslog"
    | where !(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src))

The raw data is below - I wanna filter out all 192 privates and just external addresses, like that darn external HP src IP (15.73.182.64).

    Feb 4 08:46:36 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43798 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D135F84C3294ECB) MARK=0x8000000
    Feb 4 08:46:37 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43799 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136188C3294ECB) MARK=0x8000000
    Feb 4 08:46:38 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43800 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136590C3294ECB) MARK=0x8000000
    Feb 4 08:46:40 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43801 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136DA0C3294ECB) MARK=0x8000000
    Feb 4 08:46:44 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43802 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D137DC0C3294ECB) MARK=0x8000000
    Feb 4 08:46:52 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43803 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D139E00C3294ECB) MARK=0x8000000
    Feb 4 08:47:09 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43804 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D13DE80C3294ECB) MARK=0x8000000
    Feb 4 08:47:17 kernel: DROP IN=eth4 OUT= MAC=ff:ff:ff:ff:ff:ff:28:11:a8:58:a6:ab:08:00 src=192.168.1.109 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=41571 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x8000000

Next question - would anyone be able to write an app that takes the external IPs and does a lookup against the AbusePDB API or other blacklist APIs?
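The filter the question above is trying to express, done outside Splunk as an added example (not code from the post): parse the router's kernel DROP lines into key=value fields, drop every event whose source sits in one of the three RFC 1918 ranges the cidrmatch() query names, and count what is left by source, protocol and destination port. The sample lines are constructed from the ones quoted in the question; the function and variable names are this example's own.

```python
"""Keep only firewall DROP events from non-RFC1918 sources. Added example."""
import ipaddress
import re
from collections import Counter

# The three private ranges the original SPL excludes with cidrmatch().
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value tokens of a netfilter log line; keys are lower-cased later because
# the ASUS output mixes 'src=' with 'DST=', 'PROTO=' and so on.
KV_RE = re.compile(r"\b(?P<key>[A-Za-z]+)=(?P<val>\S+)")

# Constructed sample: two external TCP drops and one internal NetBIOS broadcast.
SAMPLE_LOG = """\
Feb 4 08:46:36 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43798 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D135F84C3294ECB) MARK=0x8000000
Feb 4 08:46:37 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43799 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136188C3294ECB) MARK=0x8000000
Feb 4 08:47:17 kernel: DROP IN=eth4 OUT= MAC=ff:ff:ff:ff:ff:ff:28:11:a8:58:a6:ab:08:00 src=192.168.1.109 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=41571 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x8000000
"""


def parse_drop(line):
    """Return the key=value fields of a 'kernel: DROP' line (keys lower-cased),
    or None for any other line. Note 'OUT=' has no value and is skipped."""
    if "kernel: DROP" not in line:
        return None
    fields = {m.group("key").lower(): m.group("val") for m in KV_RE.finditer(line)}
    return fields if "src" in fields else None


def is_rfc1918(addr):
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable src is kept for review rather than hidden
    return any(ip in net for net in PRIVATE_NETS)


def external_drops(log_text):
    """Yield parsed DROP events whose source is outside RFC 1918 space."""
    for line in log_text.splitlines():
        ev = parse_drop(line)
        if ev and not is_rfc1918(ev["src"]):
            yield ev


def summarize(log_text):
    """Count external drops by (src, proto, dpt), the tuple worth pivoting on
    before any reputation lookup of the source address."""
    return Counter((ev["src"], ev.get("proto", "?"), ev.get("dpt", "?"))
                   for ev in external_drops(log_text))


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:>15} {proto:<4} dpt={dpt:<6} drops={n}")
```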
OK. Then what does "splunk btool server list license" say? Also "splunk list licenses".
Hi @meshorer, yes, the rest/health endpoint shows db_data and the status of all services. https://docs.splunk.com/Documentation/SOARonprem/6.2.0/PlatformAPI/RESTInfo#.2Frest.2Fhealth But maybe it is better to monitor the system using an external script or something else. This will alert you even if the system stops.
I would like to use test.js to do this. I tried asking ChatGPT, but it couldn't get my job done...
Dear Splunkers, may I ask for help please~ I have a dashboard like below. I need someone to give me some suggestions on how to add a button on the action field; when the button is clicked, the status field content should change to "Ack". Thank you all.

    <dashboard version="1.1" theme="dark" script="test.js">
      <label>111</label>
      <row>
        <panel>
          <table>
            <search>
              <query>|makeresults count=5 | eval A=random(), B=random(), status="", action="Ack/UnAck"</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </dashboard>