All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

How to compare 2 different Fields between 2 lookups and output must be missing items

by in Splunk Search
‎12-28-2023 06:43 AM
‎12-28-2023 06:43 AM
Lookup 1  : Contains fields such as  AssetName  FQDN and IP Address Lookup 2 :  Contains fields such as Host Index and source type  Expected Output : Need to compare host value from lookup 2 with... See more...
Lookup 1  : Contains fields such as  AssetName  FQDN and IP Address Lookup 2 :  Contains fields such as Host Index and source type  Expected Output : Need to compare host value from lookup 2 with FQDN and IP address in Lookup 1 and output must be missing devices details
Labels

Re: How could I check multiple condition(state) at <input> token?

by in Dashboards & Visualizations
‎12-28-2023 06:19 AM
1 Karma
‎12-28-2023 06:19 AM
1 Karma
I believe this should do it. <input> ..... <change> <condition match="'value'==&quot;BT&quot; OR 'value'==&quot;UART&quot;"> <unset token="show_wifi_connect_type"></unset> </co... See more...
I believe this should do it. <input> ..... <change> <condition match="'value'==&quot;BT&quot; OR 'value'==&quot;UART&quot;"> <unset token="show_wifi_connect_type"></unset> </condition> </change> ... </input>   You can see on the screenshots it worked as expected when testing locally.  

not able to see logs in index=abc

by in Splunk Enterprise
‎12-28-2023 05:34 AM
‎12-28-2023 05:34 AM
Able to see events in index=_internal but not in index=abc for a particular host  , what could be reason.

Re: Splunk Dashboard Studio - Markdown Text

by SplunkTrust in Dashboards & Visualizations
‎12-28-2023 05:16 AM
‎12-28-2023 05:16 AM
@madhav_dholakia - Got it. I don't think that level of token manipulation is possible on Dashboard Studio. You can try Simple XML for that.   I hope this helps!!~!

Apps on Indexers

by in Getting Data In
‎12-28-2023 04:30 AM
‎12-28-2023 04:30 AM
I was thinking about this just now...   How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's con... See more...
I was thinking about this just now...   How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming.    (I am aware system/local will override all config changes)     E.G. There is an indexer with 3 apps. Alpha, Bravo and Charlie. Each of their directories will be as follows:   - SPLUNK_HOME/etc/apps/Alpha/local (highest precedence) - SPLUNK_HOME/etc/apps/Bravo/local - SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence) If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running.    What is a fix for this?
Labels

How could I check multiple condition(state) at <input> token?

by in Dashboards & Visualizations
‎12-28-2023 01:46 AM
‎12-28-2023 01:46 AM
I want to combine these two <condition> into one. <input> ..... <change> <condition value = "BT"> <unset token="show_wifi_connect_type"></unset> </condition> <condition v... See more...
I want to combine these two <condition> into one. <input> ..... <change> <condition value = "BT"> <unset token="show_wifi_connect_type"></unset> </condition> <condition value="UART"> <unset token="show_wifi_connect_type"></unset> </condition> </change> ... </input> I tried combine these two status using "match", but it doesn't work. How could I solve this problem?
Labels

Re: Track Changes to a field

by in Splunk Search
‎12-28-2023 01:44 AM
‎12-28-2023 01:44 AM
Thank you @dtburrows3  This was exactly what i was looking for.

Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set

by in Knowledge Management
‎12-28-2023 01:43 AM
‎12-28-2023 01:43 AM
I encountered an error while configuring Splunk to connect to LDAP. Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG f... See more...
I encountered an error while configuring Splunk to connect to LDAP. Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

Re: Why is Javascript not running until I click on "Edit" , and it runs twice after that?

by in Dashboards & Visualizations
‎12-28-2023 01:11 AM
‎12-28-2023 01:11 AM
Hi Pinggg    I'm facing the same issue and do not understand where the issue is.. Did you by any chance find a solution? Thanks 1000!   Greetings

Re: Position of dropdown menu

by SplunkTrust in Dashboards & Visualizations
‎12-28-2023 12:47 AM
‎12-28-2023 12:47 AM
Hi @palomalgrv, you can put the inputs in the first panel after Panel B or in a dedicated empty panel. To move inputs you can use drag&drop or copy the code in that panel. Ciao. Giuseppe

Re: how to route the data based on event filed

by SplunkTrust in Splunk Search
‎12-28-2023 12:43 AM
‎12-28-2023 12:43 AM
Hi @syaseensplunk, in transforms.conf, you put a transformation called from the props.conf, so you can put whatever you want: # props.conf [your_sourcetype] TRANSFORMS-routing = AnthosGSP #transfo... See more...
Hi @syaseensplunk, in transforms.conf, you put a transformation called from the props.conf, so you can put whatever you want: # props.conf [your_sourcetype] TRANSFORMS-routing = AnthosGSP #transforma.conf [AnthosGSP] REGEX = drnt0-retail-sabbnetservices DEST_KEY = _MetaData:Index FORMAT = gsp Ciao. Giuseppe

Re: Update output count as percent

by SplunkTrust in Splunk Search
‎12-28-2023 12:41 AM
‎12-28-2023 12:41 AM
Hi @xxxxxxxxxxxxxx , try the chart command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Chart <initial search that returns the above events> | chart count OVER appName B... See more...
Hi @xxxxxxxxxxxxxx , try the chart command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Chart <initial search that returns the above events> | chart count OVER appName BY resultCode   Ciao. Giuseppe

Re: how to route the data based on event filed

by in Splunk Search
‎12-27-2023 11:43 PM
‎12-27-2023 11:43 PM
Is there a way I can use "namespace" in transforms.conf to seperate the data after using sourcetype in props.conf

Re: Update output count as percent

by SplunkTrust in Splunk Search
‎12-27-2023 11:33 PM
‎12-27-2023 11:33 PM
Hi have you look at eventstats with chart? r. Ismo

Splunk Enterprise security Audit logs API

by in Splunk Enterprise Security
‎12-27-2023 11:03 PM
‎12-27-2023 11:03 PM
How can we fetch the events performed by users in Splunk Enterprise security product from API's?
Labels

Controller SSL Certification

by in Splunk AppDynamics
‎12-27-2023 10:39 PM
‎12-27-2023 10:39 PM
Hi Team, I have installed the on-prem controller in http format now, I need to change it to https format. Kindly provide the steps for changes.

VT4Splunk Comments

by in All Apps and Add-ons
‎12-27-2023 10:37 PM
‎12-27-2023 10:37 PM
I have used VT4Splunk app for notable enriching process in Splunk Enterprise Security. Does somebody know if  I can get comment values from VirusTotal <hash,ip, domain> results? Not only count of th... See more...
I have used VT4Splunk app for notable enriching process in Splunk Enterprise Security. Does somebody know if  I can get comment values from VirusTotal <hash,ip, domain> results? Not only count of them. Below is an example of      | makeresutls | eval file_hash="43dbf0a7df3b78cffbe5732b9da758fddfe13a8c9775da1214622837e8d30d28" | vt4splunk hash=file_hash     the results   Here is an example of a particular API request I found in the VT docs and want to use with splunk: https://docs.virustotal.com/reference/files-comments-get Thanks in advance!
Labels

Re: Splunk Dashboard Studio - Markdown Text

by in Dashboards & Visualizations
‎12-27-2023 10:14 PM
‎12-27-2023 10:14 PM
Hi @VatsalJagani - apologies for the delayes response. Yes, that static Month is already in place. I have got 35 dashboards having three different Time ranges available to select in the dropdown (Las... See more...
Hi @VatsalJagani - apologies for the delayes response. Yes, that static Month is already in place. I have got 35 dashboards having three different Time ranges available to select in the dropdown (Last Month, Last to Last Month, Month To Date) - so I am looking for the header to update based on the time range selected. For example, if I run this report today for "Last Month" - Report Title would be Monthly Report - Nov 2023  if I run this report today for "Last to last Month" - Report Title would be Monthly Report - Oct 2023  if I run this report today for "Month to date" - Report Title would be Monthly Report - Dec 2023  Thank you.

Add custom visualisation to splunk studio dashboard

by in Dashboards & Visualizations
‎12-27-2023 09:16 PM
1 Karma
‎12-27-2023 09:16 PM
1 Karma
in splunk dashboard i see there are ways to add default visualisation. I want to add my own visualisation from my own app to this menu how do I do that?
Labels