All Posts

Hi @AL3Z, if you don't want to manually manage Assets and Identities (I'm supposing that you are speaking of ES), the prerequisite is the availability of external archives containing the company assets and identities that you can query using a script, an LDAP query or a DB Connect query. So, having these archives, you have to query them, saving the results in an index, and from the index into the predefined ES lookups. Obviously this job requires that you have analyzed your data and the record set of ES Assets and Identities. Ciao. Giuseppe
@m_nouman - You need to use time_window for the streamstats command, as suggested by @PickleRick. For the timechart and bin commands use span=10m. I hope this helps!!!
@Monstah54 - Have you tried using a different browser? Most likely it could be a browser cache issue. I hope this helps!!!
Hi, can someone please assist me in setting up assets and identities from scratch, and what prerequisites are necessary for this? Thanks in advance.
@parthiban - You need to use a dependent dropdown filter. Here is a reference example - https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-dependent-dropdowns-on-a-dashboard/m-p/391089 I hope this helps!!! Kindly upvote if this helps!!
I am working in a Classic dashboard. I have a gateway address (URL: abc23.com). I want to check this value after every dashboard refresh, and either display the results of the URL and/or a single value visual with green and red colors. Green is for when the URL status is set to "OK", else it is red. Any ideas on how I can accomplish this task? I created a Python script that extracts the value into a log and then the dashboard checks the log, but this doesn't seem like the best approach and is not really what I want.
@emesabarrameda I can't seem to find anything in the docs: https://docs.splunk.com/Documentation/SOARonprem/6.2.0/DevelopApps/AppDevAPIRef Both options you call out have the tag option, which could maybe be used for the INFO/WARNING/TRACE strings? Any reason you want to split into those categories, as it all ends up in spawn.log anyway?
I'm trying to create an admission rule in workload management with the following syntax: any search with "=*" in the index will return a predefined message. My intention is to block any search that contains "=*" in any part of the index, such as: "index=splun*", "index=spl*", "index=_internal*", etc. I didn't find anything in the documentation that talked about it. Is there any way to create a general rule for this case?
@Carloszavala121 as @jenniandthebets said, the best way is to create your own app for this or modify the existing one to remove the need for base_url at the asset level and have it as a parameter for the GET action instead maybe.
Hello, thanks. So how would you connect from Python using a base URL? We have HA/FO servers in front of the Splunk servers.
@splunkreal - For the host you need just the IP address or hostname. The port should be the Splunk management port, generally 8089, and not the Splunk UI port. I hope this helps!!!
Hello All, recently we have migrated all our indexes to Splunk SmartStore, with our remote storage being Azure Blob. After that we noticed several problems with our environment:
- Buckets being stuck in fixup state more often.
- Indexing queues being full (no major spike in data indexation).
- A huge increase in the number of buckets.
And the list goes on. We are considering reverting to persistent disk for data storage; however, looking at the Splunk documentation, it is not possible to revert an index configured with Splunk SmartStore back to persistent disk. But I'm looking at a way, if it would still be possible to do it, because of the above issues the search performance is abysmal. We have around 6 indexers, each indexer has around 800k buckets, and the current data on remote storage (SmartStore) is 50 TB. Are there any ways to migrate back to persistent disk? Looking forward to any gray methods to try out as well. Thanks
Please advise on the optimal solution for this business task. I have a set of events with the following fields:
city: Almaty
country: KZ
latitude: 43.2433
longitude: 76.8646
region: Almaty
What would be the best approach to obtain a field indicating the local time of these events using the provided information?
Hi, I am using something like this:
index=_internal AND sourcetype=splunkd AND TERM(New) AND TERM(Old) AND TERM(properties) AND TERM(are)
| rex field=_raw "Old properties are: \{ip=(?<old_ip>[^\ ,]*)[\ ,]+dns=(?<old_dns>[^\ ,]*)[\ ,]+hostname=(?<old_hostname>[^\ ,]*)[\ ,]+deploymentClientName=(?<old_deploymentclientname>[^\ ,]*)[\ ,]+.*instanceId=(?<old_instanceid>[^\ ,]*)[\ ,]+instanceName=(?<old_instancename>[^\ ,\}]*)"
| rex field=_raw "New properties are: \{ip=(?<new_ip>[^\ ,]*)[\ ,]+dns=(?<new_dns>[^\ ,]*)[\ ,]+hostname=(?<new_hostname>[^\ ,]*)[\ ,]+deploymentClientName=(?<new_deploymentclientname>[^\ ,]*)[\ ,]+.*instanceId=(?<new_instanceid>[^\ ,]*)[\ ,]+instanceName=(?<new_instancename>[^\ ,\}]*)"
| stats latest(_time) AS ltm, count BY new_hostname, old_hostname, new_dns, old_dns, new_instancename, old_instancename, new_instanceid, old_instanceid, new_ip, old_ip
| convert timeformat="%y-%m-%d" ctime(ltm) AS LastDay
| fields - ltm
@richgalloway Thank you so much for the clear answer!
The candidate always votes for itself.  Therefore, there are three votes for the new captain.
Thanks for the sample. I opted to add a column "key" to my CSV file, with a wildcard before and after the colorkey (*blue* for example), then add a lookup to the search after the inputlookup section:
| lookup keywords.csv key as "String1" output Key
I'm not sure of the performance ramifications; I don't see any difference in run times.
Hello. I have a question about the captain selection process. Let me ask using the example below.
1. In a cluster of four search heads, the captain goes down.
2. Among the remaining three, the search head whose timer expired earliest asks the remaining two to vote.
3. The remaining two nodes vote for the search head whose timer ended earliest.
4. Although two votes were received, the captain election failed because three votes were required due to the majority rule.
This is the process of captain selection in my opinion. However, when I tried it myself, even if one of the four search heads was down, another captain was automatically selected from the three remaining search heads. How is this possible when there are not enough votes?
We are using an /api base URL. Is that correct for .splunkrc, as it asks for a host and in our environment we use a URL? Thanks for your help!
.splunkrc
# Splunk host (default: localhost)
host=splunkurl/api
# Splunk admin port (default: 8089)
port=443
# Splunk username
username=
# Splunk password
password=
# Access scheme (default: https)
scheme=https
# Your version of Splunk (default: 6.3)
version=9.0.4