All Posts


Thanks for your guidelines. 
Hi @richgalloway - In my case I don't see the option to delete the license.
Go to Settings->Licensing, delete the incorrect license and install the correct one.
Hi all, in Splunk Studio I want my dashboard to be colored consistently. For example, if the field is priority, my dashboard will show "High" in the same color everywhere in the dashboard (I don't mind the color right now but might mind it in the future), and if a new value is added to the priority field, it will get a new, different color in all charts. Is it possible? Thanks, Tamar
Splunk query "Orca High Alerts" is connected to the snow TEST environment. It is showing many more close records than open records. When filtering the Splunk query results with a wide time window and a unique event id on the Splunk side, both open and close lines appear, but both have the exact same timestamp. I suspect Splunk only sends the close if the open and the close have the exact same timestamp. Is there a way to validate this?
Turned out I'd misnamed the Event Hub Name by using the namespace instead... sorted now. 
Actually, the POST is only one problem, which I have already gone through. Thanks to your post, I found a syntax error - "/token/" instead of "/tokens/".
Hi Splunkers! I would like to filter on a field when I receive a specific value from a multiselect input dropdown. I have a field "Type" where I will get multiselect values, which will be passed to a search by a macro. In that search, I would like to filter "Assetname" to values having Z as the 3rd letter, only when I'm getting the ADZ value from the field "Type". When I'm not getting the value ADZ, I need to get all values in the field Assetname.
Type - Indus, ADZ, Stan
Assetname - abZahd-2839
So, the Assetname with 3rd letter Z needs to be filtered. Thanks in advance! Manoj Kumar S
Hi, we accidentally uploaded a Personalized Dev/Test License file instead of a Developer license in our Splunk Enterprise environment. After restarting Splunk, we found that it is not accepting any user creds and is logging on the Admin user only. Please let us know how we can fix it, given that no users are registered in Splunk Web now and no one is able to log in. Thanks
The issue somewhat solved itself from one day to another without doing any modifications. I have dug into the _internal index and log files on the UF without getting any indication why this suddenly started to work. I will re-post if the error re-occurs.
Hello, when I test actions in the app editor (view mode), the Console Output is shown with dark text over the dark theme, which makes it difficult to read the output. How can I turn the text or the theme to light? Thank you in advance
I'm trying to build a custom app to parse all these events and the above field extraction into props and transforms. Can you help me in adding all these extractions into props.conf?
Sample Events:
2024-01-03 05:06:09,590  [TID:450] ERROR Thycotic.DistributedEngineRunner - Error getting Capabilities from Distributed Engine server - (null)
System.NullReferenceException: Object reference not set to an instance of an object.
TQ
Yes. Whenever your Splunk gets "locked" due to either exceeding your license quota too many times (in case of enforcing license) or moving past the license validity period, you need to install a one-time "unlock license" which you need to contact your Splunk sales contact about.
Hello @ropo, I guess just the method that you've provided seems to be inappropriate. You'll need to use the POST method to disable the authentication token. Example:
curl -k -u <username>:<password> -X POST https://<server>:<management_port>/services/authorization/tokens/<token_user> -d id=<token_id> -d status=disabled
Reference Doc - https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/ManageAuthTokens#Disable_an_existing.2C_enabled_token
--- If the above solution helps, an upvote is appreciated.
Hi, if you cannot connect to the LM from a peer, you have 72h to fix the situation. After that you cannot do normal searches until you fix it. There is no automatic timeout for getting it to work again! You must check that you have a connection from your peer to the LM; usually it uses port 8089. You must also have the same pass4SymmKey in the generic stanza on the peer and the LM to get the connection to work. If the physical connection between the hosts is working, then just look in the LM's _internal log for the reason why it didn't accept the peer's connection. r. Ismo
Hi, here are some good starting points for your journey with Splunk:
https://lantern.splunk.com/Splunk_Platform/Getting_Started
https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/WhatSplunkcanmonitor
Happy Splunking r. Ismo
I suppose you have found a solution to this by now. But if not, here is how I solved it by using the itsi_group_id field from index=itsi_grouped_alerts:
https://<your_splunk_instance>/en-GB/app/itsi/itsi_event_management?earliest=-24h&episodeid=$result.itsi_group_id$
I used this to make a link from ServiceNow directly to the episode in ITSI Alerts and Episodes. In the Configure Action part of the Create/update ServiceNow Incident in the NEAP, I put the following in Custom Fields to make the link:
comments=[code]<a href="https://<your_splunk_instance>/en-GB/app/itsi/itsi_event_management?earliest=-24h&episodeid=$result.itsi_group_id$" target="_blank">Link to Splunk ITSI Alerts and Episodes<br></a>[/code]
Hi, it's probably like @richgalloway said: you have exceeded your license quota too many times and need a reset key. And probably you must also increase your current license? You can check the situation under Settings -> Licensing, where you can see that you have a valid license. For statistics you need to push the "Usage Report" button. It opens a new dashboard, where you can check "Pool Usage Warnings", which tells you whether you have exceeded your license quota too many times. You must do those on your license server. If you have a distributed environment, then you must do it on the MC node with MC -> Indexing -> License usage. r. Ismo