How do I set up an email notification that is triggered by a user add/update/delete/activate?
If you're referring to the roles listed in the Monitoring Console then, yes.  Doing so does not change anything on the indexer itself, however.
Hello, I created a dashboard with one column of timestamp EndTimeUTC which stores AH_TIMESTAMP4 or EHActivityItem.EH_ENDTIME. That works. result= 2024-01-01 10:09:28   Now the customer wants to see the time in timezone CET. I can show him the offset time with  | eval "EndTime (CET)"=strftime(strptime(EndTimeUTC,"%Y-%m-%d %T"),"%Y-%m-%d %T %z") result: 2024-01-01 10:09:28 +0100   But how can I show the time in a calculated format? expected result: 2024-01-01 11:09:28    Thanks!
You can use a token modifier |s to escape double quotes.   $token$ $token|s$   The value of the tokens get parsed   asdf="asdf" "asdf=\"asdf\""   Unfortunately, this also adds double quotes around it, which makes this modifier useless in all my work.  I would have preferred only having 1 effect per modifier that can stack with others for those that want both, but this might work for others. The modifiers for tokens inside of alert action email bodies may not be available, but it will work in dashboards. Source: https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/tokens#Syntax_to_consume_tokens
Hi Rich, based on your answer, am I correct to assume that the KV Store role can be removed from the Indexer's roles? Many thanks.
Thanks for your guidelines. 
Hi @richgalloway - In my case I don't see an option to delete the license.
Go to Settings->Licensing, delete the incorrect license and install the correct one.
Hi all, on Splunk Studio I want my dashboard to be colored consistently. For example, if the field is priority, my dashboard will show "High" in the same color everywhere in the dashboard (I don't mind the color right now but might mind it in the future). And if a new value is added to the priority field, it will get a new, different color in all charts. Is it possible? Thanks, Tamar
Splunk query "Orca High Alerts" is connected to the snow TEST environment. It is showing many more close records than open records. When filtering the Splunk query results with a wide time window and a unique event id on the Splunk side, both open and close lines appear but both have the exact same timestamp - suspect Splunk only sends the close if the open and the close have the exact same timestamp - is there a way to validate this?
Turned out I'd misnamed the Event Hub Name by using the namespace instead... sorted now. 
Actually, the POST is only one problem, I have already gone through. Thanks to your post has found syntax error - "/token/" instead of "/tokens/" 
Hi Splunkers! I would like to filter a field when I receive a specific value from a multiselect input dropdown. I'm having a field "Type" where I will get multiselect values that will be passed to a search by macro. In that search, I would like to filter "Assetname" to those having Z as the 3rd letter, only when I'm getting the ADZ value from the field "Type". When I'm not getting the value ADZ, I need to get all values in the field Assetname. Type - Indus, ADZ, Stan Assetname - abZahd-2839 so, the Assetname with 3rd letter Z needs to be filtered. Thanks in advance! Manoj Kumar S
Hi, we accidentally uploaded a Personalized Dev/Test License file instead of a Developer license in our Splunk Enterprise environment. After restarting Splunk, we found that it is not accepting any user creds and logging on the Admin user only. Please let us know how we can fix it given that no users are registered in Splunk Web now and no one is able to login. Thanks
The issue somewhat solved itself from one day to another without doing any modifications. I have dug into the _internal index and logfiles on the UF without getting any indication why this suddenly started to work. I will re-post if the error re-occurs.
Hello, when I test actions in the app editor (view mode), the Console Output is shown with dark text over a dark theme, so it makes it difficult to read the output. How can I turn the text or the theme to light? Thank you in advance
I'm trying to build a custom app to parse all these events and the above field extraction into props and transforms. Can you help me in adding all these extractions into props.conf? Sample Events: 2024-01-03 05:06:09,590  [TID:450] ERROR Thycotic.DistributedEngineRunner - Error getting Capabilities from Distributed Engine server - (null) System.NullReferenceException: Object reference not set to an instance of an object. TQ
Yes. Whenever your Splunk gets "locked" due to either exceeding your license quota too many times (in case of enforcing license) or moving past the license validity period, you need to install a one-time "unlock license" which you need to contact your Splunk sales contact about.
Hello @ropo, I guess just the method that you've provided seems to be inappropriate. You'll need to use the POST method to disable the authentication token. Example: curl -k -u <username>:<password> -X POST https://<server>:<management_port>/services/authorization/tokens/<token_user> -d id=<token_id> -d status=disabled Reference Doc - https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/ManageAuthTokens#Disable_an_existing.2C_enabled_token --- If the above solution helps, an upvote is appreciated.