Lookup 1: contains fields such as AssetName, FQDN and IP Address.
Lookup 2: contains fields such as Host, Index and sourcetype.
Expected output: need to compare the host value from Lookup 2 with the FQDN and IP Address in Lookup 1, and the output must be the missing devices' details.
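One way to do this comparison outside Splunk, as an added example that is not from the post: both lookups are read as CSV, hosts are normalised (IP addresses as dotted quads, names lowercased without a trailing dot) and every asset whose FQDN and IP both never appear as a reporting host is listed. The asset and host rows below are constructed; only the column names follow the question.

```python
import csv
import io
import ipaddress

# Constructed sample lookups (not from the post); column names follow the question.
LOOKUP1_ASSETS = """AssetName,FQDN,IP Address
web01,web01.corp.example,10.0.0.11
db01,DB01.corp.example,10.0.0.12
vpn01,vpn01.corp.example,10.0.0.13
fw01,fw01.corp.example,10.0.0.14
"""

LOOKUP2_HOSTS = """host,index,sourcetype
web01.corp.example,web,access_combined
10.0.0.12,db,postgres
VPN01.corp.example.,vpn,syslog
"""


def normalize_host(value):
    """Canonical form for matching: IPs as dotted quads, names lowercased, no trailing dot."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def missing_devices(assets, reporting_hosts):
    """Assets whose FQDN and IP both never show up as a host in the reporting lookup."""
    seen = {normalize_host(row["host"]) for row in reporting_hosts}
    missing = []
    for asset in assets:
        keys = {normalize_host(asset["FQDN"]), normalize_host(asset["IP Address"])}
        if not keys & seen:
            missing.append(asset)
    return missing


def missing_asset_names():
    rows = missing_devices(load_csv(LOOKUP1_ASSETS), load_csv(LOOKUP2_HOSTS))
    return [row["AssetName"] for row in rows]


if __name__ == "__main__":
    for asset in missing_devices(load_csv(LOOKUP1_ASSETS), load_csv(LOOKUP2_HOSTS)):
        print(asset["AssetName"], asset["FQDN"], asset["IP Address"])
```

Assets that are missing from the reporting lookup are the ones to chase first, since a device in inventory that sends no logs is a detection blind spot.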
I believe this should do it.
<input>
.....
<change>
<condition match="'value'==&quot;BT&quot; OR 'value'==&quot;UART&quot;">
<unset token="show_wifi_connect_type"></unset>
</condition>
</change>
...
</input>
You can see on the screenshots it worked as expected when testing locally.
@madhav_dholakia - Got it. I don't think that level of token manipulation is possible on Dashboard Studio. You can try Simple XML for that. I hope this helps!!
I was thinking about this just now... How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming. (I am aware system/local will override all config changes)
E.g. there is an indexer with 3 apps: Alpha, Bravo and Charlie. Each of their directories will be as follows:
- SPLUNK_HOME/etc/apps/Alpha/local (highest precedence)
- SPLUNK_HOME/etc/apps/Bravo/local
- SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence)
If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running. What is a fix for this?
I want to combine these two <condition> into one. <input> ..... <change> <condition value = "BT"> <unset token="show_wifi_connect_type"></unset> </condition> <condition v...
See more...
I want to combine these two <condition> into one. <input> ..... <change> <condition value = "BT"> <unset token="show_wifi_connect_type"></unset> </condition> <condition value="UART"> <unset token="show_wifi_connect_type"></unset> </condition> </change> ... </input> I tried combine these two status using "match", but it doesn't work. How could I solve this problem?
I encountered an error while configuring Splunk to connect to LDAP. Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.
Hi @palomalgrv, you can put the inputs in the first panel after Panel B or in a dedicated empty panel. To move inputs you can use drag&drop or copy the code in that panel. Ciao. Giuseppe
Hi @syaseensplunk, in transforms.conf, you put a transformation called from the props.conf, so you can put whatever you want:
# props.conf
[your_sourcetype]
TRANSFORMS-routing = AnthosGSP

# transforms.conf
[AnthosGSP]
REGEX = drnt0-retail-sabbnetservices
DEST_KEY = _MetaData:Index
FORMAT = gsp
Ciao. Giuseppe
Hi @xxxxxxxxxxxxxx, try the chart command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Chart):
<initial search that returns the above events>
| chart count OVER appName BY resultCode
Ciao. Giuseppe
I have used the VT4Splunk app for the notable enriching process in Splunk Enterprise Security. Does somebody know if I can get comment values from VirusTotal <hash, ip, domain> results? Not only the count of them. Below is an example of the search and the results:
| makeresults
| eval file_hash="43dbf0a7df3b78cffbe5732b9da758fddfe13a8c9775da1214622837e8d30d28"
| vt4splunk hash=file_hash
Here is an example of a particular API request I found in the VT docs and want to use with Splunk: https://docs.virustotal.com/reference/files-comments-get Thanks in advance!
Hi @VatsalJagani - apologies for the delayed response. Yes, that static Month is already in place. I have got 35 dashboards having three different Time ranges available to select in the dropdown (Last Month, Last to Last Month, Month To Date) - so I am looking for the header to update based on the time range selected. For example:
if I run this report today for "Last Month" - Report Title would be Monthly Report - Nov 2023
if I run this report today for "Last to last Month" - Report Title would be Monthly Report - Oct 2023
if I run this report today for "Month to date" - Report Title would be Monthly Report - Dec 2023
Thank you.
In a Splunk dashboard I see there are ways to add default visualisations. I want to add my own visualisation from my own app to this menu. How do I do that?