Hi @gcusello, is it possible for you to provide sample code of what you want me to do in the 3rd scenario?
Hi @AL3Z, don't untar the app in Windows: copy it to Ubuntu and untar it in Ubuntu, so you can modify it as you want and give files and folders the correct grants. Then tar it (tar.gz) and copy the tarred file to the machine that you will use for the upload (also Windows). In other words, passing through Windows erases the grants, so when you try to upload it to Splunk Cloud it has the wrong grants. It's the same issue that you have if you try to use a Windows Deployment Server to deploy apps to Linux servers. Ciao. Giuseppe
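The procedure Giuseppe describes, written out as an added example that is not part of this thread or of any Splunk tool: a POSIX shell script that sets directories to 755 and regular files to 644 inside an app directory (the grants he names for Splunkbase apps), repacks it with the same COPYFILE_DISABLE / ustar tar invocation used elsewhere in the thread, and then inspects the finished archive for regular files that still carry an execute bit, which is the condition the check_for_bin_files vetting failure reports. The sample app directory, its file names and the 777 starting permissions are constructed here to stand in for the grants lost when the archive passed through Windows; none of them come from the original app.

```shell
#!/bin/sh
# Added example (not from the thread): normalize file grants in a Splunk app
# directory, pack it the way the thread does, and verify the archive before
# uploading it for Splunk Cloud vetting.

# Constructed stand-in for an app whose files came back from Windows as 777.
make_sample_app() {
    app_dir="$1"
    mkdir -p "$app_dir/default" "$app_dir/README"
    printf '[install]\nis_configured = 0\n' > "$app_dir/default/app.conf"
    printf 'placeholder spec\n' > "$app_dir/README/inputs.conf.spec"
    chmod 777 "$app_dir/default/app.conf" "$app_dir/README/inputs.conf.spec"
}

# Folders 755, regular files 644: the grants a Splunkbase app carries.
normalize_grants() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Pack the app from its parent directory so the archive's top level is the
# app folder itself. Pass an absolute path for the archive so the -C change
# of directory cannot affect where it is written.
pack_app() {
    app_dir="$1"
    archive="$2"
    COPYFILE_DISABLE=1 tar --format ustar -czf "$archive" \
        -C "$(dirname "$app_dir")" "$(basename "$app_dir")"
}

# Count regular-file members whose mode string shows any execute bit (the
# condition check_for_bin_files reports). Directories are skipped because
# their x bit is required for traversal and is not what vetting rejects.
count_exec_files() {
    tar -tzvf "$1" | awk '$1 ~ /^-/ && substr($1, 2, 9) ~ /x/ { n++ } END { print n + 0 }'
}

# Full procedure: fix grants, pack, and print the number of offending files
# left in the archive (0 means the archive is ready to upload).
build_vettable_app() {
    normalize_grants "$1"
    pack_app "$1" "$2"
    count_exec_files "$2"
}

# Usage: sh fix_app_grants.sh /path/to/appname /abs/path/appname.tar.gz
if [ "$#" -eq 2 ]; then
    offenders=$(build_vettable_app "$1" "$2")
    echo "regular files with execute bits in $2: $offenders"
fi
```

Run count_exec_files against the archive you already built to see how many members vetting will flag before repacking; after normalize_grants the count should drop to zero while directories keep their traversal bit.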
Hi Ryan, thanks for your support. I have already contacted the AppD Support Team and they only asked me to check here. Thanks, Sikha
Hello Splunkers!! I have pasted my dashboard code and in this text I am attaching a screenshot of the macro. When I am passing the below macros in the dashboard it is not working fine. Please suggest how to proceed further.
    <row>
      <panel>
        <title>General Filters</title>
        <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
          <label>Select the Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
          <change>
            <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
            <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
            <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
            <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
          </change>
        </input>
      </panel>
    </row>
    <row>
      <panel>
        <chart>
          <title>Total Pallet</title>
          <search>
            <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location</query>
            <earliest>$time.earliest$</earliest>
            <latest>$time.latest$</latest>
          </search>
          <option name="charting.chart">column</option>
          <option name="charting.chart.stackMode">stacked</option>
          <option name="charting.drilldown">none</option>
          <option name="refresh.display">progressbar</option>
        </chart>
      </panel>
    </row>
    </form>
@gcusello Hello, I actually untarred the file in Windows using 7zip. Afterward, I employed the Ubuntu app from the app store and executed the following command:

    COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>

Despite using "chmod 644 appname," the permissions persist at 777. Any suggestions on how to rectify this? Thanks
Hi @AL3Z, how did you create your app, in Linux or in Windows? Open your tar.gz file in Linux and use the correct grants that you can see in another app downloaded from Splunkbase: folders 755, files 644. In other words, you probably have grants 777 for your files, which isn't acceptable for Splunk Cloud. Ciao. Giuseppe
Hi, when I am trying to upload the custom app to Splunk Cloud it is not passing the vetting. How can we fix this issue? I have tried this in Linux:

    COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>

    [ Failure Summary ]
    Failures will block the Cloud Vetting. They must be fixed.
    check_for_bin_files
    This file has execute permissions for owners, groups, or others. File: README/ta_mandiant_advantage_account.conf.spec
    This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_multiselect.js
    This file has execute permissions for owners, groups, or others. File: README/ta_mandiant_advantage_settings.conf.spec
    This file has execute permissions for owners, groups, or others. File: README/inputs.conf.spec
    This file has execute permissions for owners, groups, or others. File: static/appIcon.png
    This file has execute permissions for owners, groups, or others. File: README/addon_builder.conf.spec
    This file has execute permissions for owners, groups, or others. File: default/collections.conf
    This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_button.css
    This file has execute permissions for owners, groups, or others. File: third_party/pytz_lic.txt
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_matched_events.xml
    This file has execute permissions for owners, groups, or others. File: default/searchbnf.conf
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/inputs.xml
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/jquery_mandiant.js
    This file has execute permissions for owners, groups, or others. File: app.manifest
    This file has execute permissions for owners, groups, or others. File: default/ta_mandiant_advantage_settings.conf
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/datamodel_hook.js
    This file has execute permissions for owners, groups, or others. File: metadata/default.meta
    This file has execute permissions for owners, groups, or others. File: default/web.conf
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/alerts_input_hook.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/0.licenses.txt
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/account_hook.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/1.licenses.txt
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_matched_events_summary.xml
    This file has execute permissions for owners, groups, or others. File: default/app.conf
    This file has execute permissions for owners, groups, or others. File: default/server.conf
    This file has execute permissions for owners, groups, or others. File: default/inputs.conf
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/security_validation_overview.xml
    This file has execute permissions for owners, groups, or others. File: appserver/templates/base.html
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/jquery-3.5.0.min.js
    This file has execute permissions for owners, groups, or others. File: default/commands.conf
    This file has execute permissions for owners, groups, or others. File: splunkbase.manifest
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/entry_page.js
    This file has execute permissions for owners, groups, or others. File: static/appIcon_2x.png
    This file has execute permissions for owners, groups, or others. File: appserver/static/indicator_info_send.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/vuln_fields_hook.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/3.js
    This file has execute permissions for owners, groups, or others. File: static/appLogo_2x.png
    This file has execute permissions for owners, groups, or others. File: TA-mandiant-advantage.aob_meta
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/0.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/mktoform.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/matched_events_hook.js
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/vulnerability_details.xml
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/globalConfig.json
    This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_button.js
    This file has execute permissions for owners, groups, or others. File: appserver/static/vulnerability_overview.css
    This file has execute permissions for owners, groups, or others. File: static/appIconAlt_2x.png
    This file has execute permissions for owners, groups, or others. File: default/transforms.conf
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/configuration.xml
    This file has execute permissions for owners, groups, or others. File: static/appIconAlt.png
    This file has execute permissions for owners, groups, or others. File: appserver/static/img/mandiant_img2.png
    This file has execute permissions for owners, groups, or others. File: default/savedsearches.conf
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/entry_page.licenses.txt
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/3.licenses.txt
    This file has execute permissions for owners, groups, or others. File: CP_mandiant_advantage.tar.gz
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/5.js
    This file has execute permissions for owners, groups, or others. File: static/appLogo.png
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/underscore-min.js
    This file has execute permissions for owners, groups, or others. File: default/addon_builder.conf
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/input_hook.js
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dtm_alerts.xml
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/1.js
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/asm_issues.xml
    This file has execute permissions for owners, groups, or others. File: third_party/tenacity_lic.txt
    This file has execute permissions for owners, groups, or others. File: appserver/static/pop_up.js
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_overview.xml
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/vulnerability_overview.xml
    This file has execute permissions for owners, groups, or others. File: default/props.conf
    This file has execute permissions for owners, groups, or others. File: README.txt
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/security_validation_details.xml
    This file has execute permissions for owners, groups, or others. File: default/data/ui/nav/default.xml
    This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/4.js
    This file has execute permissions for owners, groups, or others. File: default/restmap.conf
    This file has execute permissions for owners, groups, or others. File: default/macros.conf
    This file has execute permissions for owners, groups, or others. File: default/data/ui/views/asm_entities.xml

Thanks in advance
Hi @rsreese, install the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603) and see the "Custom Decorations" example: it describes how to use a different icon for different values in a Single Value Panel. Ciao. Giuseppe
Hi @Suagni, you have to use a subsearch, paying attention to the field names, which must be the same in the main search and the subsearch; in other words, the States field must be present in both searches and written in exactly the same way (it's case sensitive), something like this:

    index=your_index [ | inputlookup your_lookup.csv | fields States ]
    | table States IP Country user workstation

This is possible if all the fields to display are in the main search and you only have to check whether the States values are also in the lookup. If instead some fields come from the lookup, you have to add an additional command: so if e.g. the Country field comes only from the lookup, you have to write:

    index=your_index [ | inputlookup your_lookup.csv | fields States ]
    | lookup your_lookup.csv States OUTPUT Country
    | table States IP Country user workstation

Ciao. Giuseppe
Hi @PaulaCom, here's a way to convert your date to "Jan", "Feb" etc.: strftime(date_field, format) (see docs). We can use the field Order_Date like this:

    eval month = strftime(strptime(Order_Date, "%d/%m/%Y"), "%b")

That adds another step of converting the date to a Unix timestamp, then converting that timestamp to the month in English. Now that we have the month, we can make it a field by using special curly brackets:

    | eval {month} = Total

That will create a field called "Jan" or "Feb" with the value of the total for sales. Here's the search all together:

    | makeresults
    | eval data="Account_No=\"123\", Total=\"15.00\", Order_Date=\"1/01/2023\"@@Account_No=\"123\", Total=\"35.00\", Order_Date=\"15/02/2023\"@@Account_No=\"123\", Total=\"45.00\", Order_Date=\"19/02/2023\"@@Account_No=\"456\", Total=\"15.00\", Order_Date=\"1/01/2023\"@@Account_No=\"456\", Total=\"50.00\", Order_Date=\"25/01/2023\"@@Account_No=\"456\", Total=\"10.00\", Order_Date=\"19/02/2023\""
    | makemv data delim="@@"
    | mvexpand data
    | rename data as _raw
    | extract
    ``` The above just creates the test data```
    | eval month = strftime(strptime(Order_Date, "%d/%m/%Y"), "%b")
    | stats sum(Total) as Total by Account_No, month
    | eval {month}=Total
    | fields - Total, month
    | stats sum(*) as * by Account_No
    | table Account_No, Ja*, Fe*,Ma*,Ap*,Ma*,Jun*, Jul*,Au*,Se*,Oc*,No*,De*

The last table bit at the end is so that the months are listed in the right order. The result is: Hopefully that gets you closer to what you were looking for. Cheers, Daniel
That blog post is announcing a feature being released in Cloud version 9.0.2305. Cloud release numbers and Enterprise release numbers aren't really directly comparable (features tend to come to Cloud first and then get released in later Enterprise releases). That said, if you go to the doc for What's New in Dashboard Studio on Enterprise 9.1.2: https://docs.splunk.com/Documentation/Splunk/9.1.2/DashStudio/WhatNew you'll notice that the table looks very similar to the table underneath the header "What's new in Splunk Cloud 9.0.2303" (the previous Cloud release) from the link in the blog post: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/DashStudio/WhatNewSC So from that I'd suspect the feature you're looking for, which came out in a later version of Cloud, would likely come out in a later version of Enterprise... hopefully 9.2.x, but of course it could always be later.
Are you certain you had the :8089 as part of your curl URL? AND you used the correct URL? The redirection response you have provided is identical to the one that Splunk Web (i.e. port 443 OR no port specified with HTTPS) would give in response to a request for /servicesNS/nobody/search/data/indexes (which would be the Enterprise API URL instead of the cluster blaster one you state in your post). Deliberately omitting the :8089 from the cluster_blaster_indexes request against my classic stack I get the following:

    $ curl https://redacted.splunkcloud.com/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json
    <!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=https://redacted.splunkcloud.com/en-US/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="https://redacted.splunkcloud.com/en-US/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json">here</a>.</p></body></html>
So the first screenshot you have is actually within the Universal Forwarder app... Assuming that the app wasn't recreated by Splunk's automation, that it's not a case of you or one of your fellow admins having set the app invisible, and also that someone didn't actually just remove permissions from the app, I think logging a support case would be your best course of action.
Yes @franklinnavarro, I have verified that the "Link to Search" is not available. As I remember, this was available in the classic dashboard. I think they mistakenly added the same content from the classic dashboard to that blog for Dashboard Studio. Thanks.
Thank you @Carloszavala121, but I am not talking about labels, I am talking about tags. For me, the labels with "operate on" are great, as I use a label called offense. But within the offense label, I categorize my offenses with tags, and there is a playbook that I want to automate for specific offenses with that tag.
This answer does not seem to work on a Splunk 9.x Classic Dashboard. Receiving the error below when attempting to save the answer code in an example dashboard: Error parsing XML on line 37: Extra content at the end of the document
This is some of the splunkd.log from indexer 2, which is having issues. I have been trying to delete the copy from the replication factor that is pending to be fixed, but this error keeps coming back.
Hi, the second search peer (indexer) has been up and running as shown in the License Master -> Monitoring Console -> "Instances". But this issue still persists.    
Hi Everyone, due to an issue we had with our Universal Forwarder not being visible on Splunk Cloud, we uninstalled the app from the Manage Apps section. The reason to remove the Universal Forwarder app was that we couldn't find the forward option under data inputs, which is strange. So we tried to reinstall the app to the cloud, but the app is no longer visible in All Apps. Is there any way to reinstall the Universal Forwarder App to Splunk Cloud? Thank you