Any working solution for 9.4.x? None of the suggestions seem to be working thus far.
Hi, I would like to resize the panels that I have in a Splunk row. So I have 3 panels and I referred to some previous posts on doing the panel width resize using CSS. I remember this used to work? But I can't seem to get this working on my current Splunk dashboard. Due to some script dependencies, I am not able to use Dashboard Studio, hence still stuck with the classic XML dashboard. I referred to a previous question on this and did exactly what was mentioned, but the panels still appear equally spaced at 33.33% each.

<form version="1">
  <label>Adjust Width of Panels in Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <!-- Hidden panel (token is never set) that only carries the CSS overriding panel widths -->
    <panel depends="$alwaysHideCSS$" id="CSSPanel">
      <html>
        <p/>
        <style>
          #CSSPanel{ width:0% !important; }
          #errorSinglePanel{ width:25% !important; }
          #errorStatsPanel{ width:30% !important; }
          #errorLineChartPanel{ width:45% !important; }
        </style>
      </html>
    </panel>
    <panel id="errorSinglePanel">
      <title>Splunkd Errors (Single Value)</title>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO | timechart count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">inverse</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="errorStatsPanel">
      <title>Top 5 Error (Stats)</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO | top 5 component showperc=false</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel id="errorLineChartPanel">
      <title>Splunkd Errors (Timechart)</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO | timechart count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
Hello @dshpritz, it looks like this is "officially" documented at https://splunk.my.site.com/customer/s/article/How-To-Use-Wildcards-with-Sourcetype
Could you help me by guiding me through setting up this whole thing?
I believe (although I rarely use the event visualisation) that you must specify a | fields a b c... in your SPL to get fields from the event to show up in the event panel as fields. The XML <fields> element is used as a way to limit the display of the available fields from the search, so in order to get those fields there in the first place, you must use the SPL fields command to specify the fields you want. Using the table command is not the right way.
The Splunk fix is known as SPL-270280. A fix has been included in the latest version 9.4.2 and backported to supported versions of older releases 9.3.4, 9.2.6 and 9.1.9: https://splunk.my.site.com/customer/s/article/Splunk-vulnerability-libcurl-7-32-0-8-9-1-DoS-CVE-2024-7264-TEN-205024
_raw is like ... \"products\": [\"foo\", \"bar\"], ...
It's not that httpout is not supported for logstash, it's that logstash cannot do s2s. Yes, it is confusing, but despite sharing some of the low-level mechanics, s2s over http (which is httpout) has nothing to do with "normal HEC".
You can make events generated by local inputs be sent to just one output group. But that will not be pretty. You need to set the _TCP_ROUTING key for each input stanza that you want to selectively manage. That means adding this to every single one of Splunk's own inputs. I'd just create a separate app and create an inputs.conf in that app containing just this one setting for each input stanza. EDIT: And one more thing - you cannot use both tcpout and httpout at the same time.
So I tried this but ended up with the same problem: UF --> HF (routing) --> LS (writing to a file). httpout is definitely not working/supported for logstash.
Exactly, stopping internal logs at the UF level does not work, however at the logstash level it worked. But yeah, via HEC it is not possible it seems so far. Still waiting for others to respond; maybe we crack something amazing here collectively. Thank you for the response though.
Thank you for your response. I have tried the below, but with that I also get the same problem: codec => plain { charset => "UTF-8" } and codec => plain { charset => "UTF-16LE" }
Are you sure that your character sets are correctly defined? Based on your example it seems that you have at least UTF escaped characters and probably real UTF or some other encoding in your file?
I have used Event Hub with Splunk without issues, e.g. with AKS and other logs. Just use this app to ingest those: https://splunkbase.splunk.com/app/3110
Any progress here?
Hi! Thank you for your response. When I take out the table command, only the _time, host, Level, and RuleTitle fields show up. The fields I have included in <fields></fields> don't all show up.
You used httpout which doesn't use this option at all so I completely missed that.
Well, I was using this already, as mentioned in my original post.
For anyone that would like to see this work better, please consider voting for my idea here to support long query URLs: https://ideas.splunk.com/ideas/EID-I-2569 To me, this is not uncommon at all. It's a daily problem that I have to work around. (I'm aware of the current solutions and already use them.)