All Posts

The problem is that there is a lag in the log shipping from our application to Splunk. After some investigation we realized that we can override the event time by providing a _time property in the logs (ref: https://docs.splunk.com/Documentation/SCS/current/Search/Timestampsandtimeranges), and it should be UNIX epoch time (seconds). We did that, but it didn't have any effect on the event time and the time difference persists. We have been testing a lot of possibilities for a while now, yet none of them did the trick.
Is there a way to print the entire report in the email instead of a PDF attachment?
Hello All, Currently we have set up the use case to send emails whenever a condition is satisfied and an alert is fired. My concern is that whenever the email is received, the address in the FROM field is "abc.xyz+untrusted@jkl.com", and we think that some mailboxes are not getting these emails from the specific untrusted email address; please correct me if I have misunderstood. Also, is there a way to add "abc.xyz@jkl.com" to the trusted email group or something like that? Or is there a different way to get the actual email address instead of the +untrusted email whenever an email is sent out from Splunk? Hope this makes sense. Thanks,
In these kinds of situations in Splunk I generally do something like this to replace empty strings with actual null values.

| foreach err_field* [
    | eval <<FIELD>>=if('<<FIELD>>'=="" OR match('<<FIELD>>', "^\s*$"), null(), '<<FIELD>>')
]
| eval err_final=coalesce(err_field1, err_field2, err_field3, err_field4)

You can see the coalesce works as expected after nullifying the empty strings. Note: this also replaces any values in the err_field* fields that are only whitespace, in addition to empty strings.
Dashboard Studio is still under development, so some features which are available in SimpleXML / Classic dashboards are either not available or not fully working; it will depend on which version of Splunk you are using.
When using BREAK_ONLY_BEFORE, set SHOULD_LINEMERGE = true.

[snow:all:devices]
KV_MODE = xml
BREAK_ONLY_BEFORE = \<item>
SHOULD_LINEMERGE = true
DATETIME_CONFIG = NONE
From the dashboard, select "Schedule PDF Delivery" from the Export dropdown. Check the "Schedule PDF" box and fill in the form. In the Schedule field, select "Run on Cron Schedule" then put "13 0-23/3 * * 0,6".
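A way to check what a five-field cron expression like the one above will actually do before committing it to a schedule. This is an added example, not code from the answer or from Splunk: a minimal evaluator for the cron field syntax (lists, ranges, steps, `*`) that enumerates the firing minutes over a week. It assumes the conventional day-of-week numbering (0 = Sunday, 6 = Saturday) and does not model the day-of-month/day-of-week OR rule, which does not apply here because day-of-month is `*`.

```python
"""Added example (not from the original answer): evaluate a five-field cron
expression to confirm when "13 0-23/3 * * 0,6" fires.  Assumes cron's
0 = Sunday .. 6 = Saturday day-of-week numbering."""
from datetime import datetime, timedelta


def _expand(field, lo, hi):
    """Expand one cron field ('*', 'a', 'a-b', with optional '/step', comma
    lists) into the set of integers it matches within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError("cron field value out of range: %r" % part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Return (minutes, hours, days_of_month, months, days_of_week) as sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields, got %d" % len(fields))
    minute, hour, dom, month, dow = fields
    return (_expand(minute, 0, 59), _expand(hour, 0, 23),
            _expand(dom, 1, 31), _expand(month, 1, 12), _expand(dow, 0, 6))


def cron_matches(spec, when):
    """True if the parsed spec fires at the given minute.  Python's weekday()
    is 0 = Monday, so it is shifted to cron's 0 = Sunday.  Both day fields
    must match (the OR rule for two restricted day fields is not modelled)."""
    minutes, hours, doms, months, dows = spec
    cron_dow = (when.weekday() + 1) % 7
    return (when.minute in minutes and when.hour in hours
            and when.day in doms and when.month in months
            and cron_dow in dows)


def firing_times(expr, start_iso, days):
    """Every minute in [start, start + days) at which expr fires; start_iso
    is an ISO date or datetime string such as '2024-01-01'."""
    spec = parse_cron(expr)
    t = datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    end = t + timedelta(days=days)
    fires = []
    while t < end:
        if cron_matches(spec, t):
            fires.append(t)
        t += timedelta(minutes=1)
    return fires


if __name__ == "__main__":
    # 2024-01-01 is a Monday, so this week holds exactly one Saturday and one Sunday.
    for t in firing_times("13 0-23/3 * * 0,6", "2024-01-01", 7):
        print(t.strftime("%a %Y-%m-%d %H:%M"))
```

Running it lists sixteen firings: 00:13, 03:13, ..., 21:13 on the Saturday and again on the Sunday, which is the weekend-only, every-three-hours delivery the question asked for.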
Splunk Cloud Version: 9.0.2209.4
It looks like err_field1 contains an empty string. If it were null then err_final would be set to err_field2 or err_field3.
I'd like to set up an email notification for the following dashboard, specifically on Saturdays and Sundays at intervals of 3 hours. Since I receive files only on these days, this schedule aligns with our data delivery. Could someone guide me on configuring this setup?    
Your LINE_BREAKER (and EVENT_BREAKER - they work very similarly but on different levels) makes no sense. This parameter is not used to find the whole event. It is supposed to find and match the text which is _between_ events (the part captured within the capture group is discarded as not belonging to either the preceding or the following event). That's why by default it matches ([\r\n]+) - it finds all sequences of continuous end-of-line characters, splits the stream where those sequences happen, and removes those sequences from the ingestion pipeline. In your case the situation is more complicated, since you're trying to do a Bad Thing (tm), which is to approach structured data with simple regex manipulation. You could try to define your LINE_BREAKER as ^}(,[\r\n]+){ which would mean that Splunk is to break the events in those places where you have only "}," alone on a line and immediately after that another "{" starts (possibly having several empty lines in between). But you're running into the risk of: 1) Incorrectly splitting your event in case you have a more complicated JSON structure 2) Leaving the beginning and dangling square brackets as parts of the events (well, this one could be mitigated by editing the regex further, but at the expense of increasing risk number 1).
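The splitting behaviour described in the answer, and both of the risks it lists, reproduced on constructed input. This is an added illustration and not Splunk's own code: `line_break()` mimics a LINE_BREAKER pass (split at each match, discard only the captured group, keep the rest of the match with the next event), `JSON_OBJECT_BREAKER` is the answer's regex with the trailing brace escaped for Python's `re`, and the two sample arrays are built with `json.dumps(..., indent=0)` so that every `},` sits at column 0, which is exactly the layout that breaker expects. The function names and samples are assumptions for the demonstration.

```python
"""Added illustration, not Splunk code: simulate how a LINE_BREAKER regex
splits a stream, and show where ^}(,[\r\n]+){ goes wrong on JSON arrays."""
import json
import re

DEFAULT_BREAKER = r"([\r\n]+)"
# The breaker from the answer; the last brace is escaped so Python's re
# does not try to read it as the start of a quantifier.
JSON_OBJECT_BREAKER = r"^}(,[\r\n]+)\{"


def line_break(stream, breaker):
    """Split `stream` at every match of `breaker` (a regex with one capture
    group).  Only the captured text is discarded: whatever precedes it stays
    with the previous event, whatever follows it (including any uncaptured
    tail of the match) starts the next one.  Whitespace-only chunks are
    dropped, as an empty event would be."""
    pattern = re.compile(breaker, re.MULTILINE)
    events, pos = [], 0
    for m in pattern.finditer(stream):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capture group")
        events.append(stream[pos:m.start(1)])   # event ends where the separator begins
        pos = m.end(1)                           # next event begins right after it
    events.append(stream[pos:])
    return [e for e in events if e.strip()]


def is_valid_json(text):
    """True if a chunk would parse as one complete JSON value."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def objects_from_json_array(stream):
    """The structured alternative: parse the array once and emit one compact
    JSON object per event instead of guessing boundaries with a regex."""
    return [json.dumps(obj, separators=(",", ":")) for obj in json.loads(stream)]


# Constructed samples.  indent=0 puts every bracket on its own line at
# column 0, the layout the "},"-alone-on-a-line breaker is written for.
FLAT = json.dumps([{"id": 1}, {"id": 2}], indent=0)
NESTED = json.dumps([{"id": 1, "items": [{"k": 1}, {"k": 2}]}, {"id": 2}], indent=0)

if __name__ == "__main__":
    print(line_break("a\nb\r\n\r\nc\n", DEFAULT_BREAKER))   # ['a', 'b', 'c']
    for name, sample in (("FLAT", FLAT), ("NESTED", NESTED)):
        chunks = line_break(sample, JSON_OBJECT_BREAKER)
        valid = sum(is_valid_json(c) for c in chunks)
        print(name, "regex:", len(chunks), "events,", valid, "valid JSON;",
              "json parse:", len(objects_from_json_array(sample)), "events")
```

On FLAT the regex produces two events, but the first still carries the opening `[` and the last the closing `]` (risk 2), so neither parses. On NESTED the inner `},` line also matches, so two top-level objects become three fragments (risk 1), none of them valid JSON; parsing the array instead yields exactly two well-formed events.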
index="********" message_type=ERROR correlation_id="*"
| eval err_field1 = spath(_raw,"response_details.body")
| eval err_field2 = spath(_raw,"response_details")
| eval err_field3 = spath(_raw,"error")
| eval err_field4 = spath(_raw,"message")
| eval err_final=coalesce(err_field1,err_field2,err_field3,err_field4)
| table err_field1 err_field2 err_field3 err_field4 err_final

I have the fields populating for err_field3 and err_field4, but err_final is not populating. Attached the screenshot for reference.
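The search above and the foreach/eval normalisation from the earlier reply, replayed on constructed events so the difference between a null field and an empty-string field is visible. This is an added example, not code from either post or from Splunk: `spath()` is approximated with a dotted-path lookup (missing path gives null, an object gives its JSON text), `coalesce()` and `blank_to_null()` model the two eval functions, and the three sample `_raw` events are made up for the demonstration.

```python
"""Added example, not from the original posts: why coalesce() returns "" for
err_field1 instead of falling through, and what the foreach/eval
normalisation changes.  spath() is an approximation, not Splunk's."""
import json
import re

# Paths in the order the search coalesces them (err_field1 .. err_field4).
PATHS = ("response_details.body", "response_details", "error", "message")

# Constructed sample events: the _raw JSON of three ERROR messages.
EVENTS = [
    '{"message_type": "ERROR", "response_details": {"body": ""}, '
    '"error": "timeout", "message": "upstream timed out"}',
    '{"message_type": "ERROR", "error": "   ", "message": "bad request"}',
    '{"message_type": "ERROR", "message": "disk full"}',
]


def spath(raw, path):
    """Dotted-path lookup standing in for spath(_raw, path): a missing path
    yields null (None), a nested object comes back as its JSON text."""
    node = json.loads(raw)
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else json.dumps(node)


def coalesce(*values):
    """coalesce(): first argument that is not null.  An empty string is a
    value, not null, so it is returned as-is."""
    for value in values:
        if value is not None:
            return value
    return None


def blank_to_null(value):
    """The foreach/eval step: "" or a whitespace-only string becomes null()."""
    if value is None or re.fullmatch(r"\s*", value):
        return None
    return value


def err_final(raw, normalise=False):
    """err_final for one event, with or without the normalisation pass."""
    fields = [spath(raw, p) for p in PATHS]
    if normalise:
        fields = [blank_to_null(f) for f in fields]
    return coalesce(*fields)


if __name__ == "__main__":
    for raw in EVENTS:
        print(repr(err_final(raw)), "->", repr(err_final(raw, normalise=True)))
```

For the first event err_field1 is `""`, so the plain search returns an empty err_final (the table shows nothing) even though error and message are populated; after normalisation it falls through to the next non-null field, response_details, as the reply describing err_field1 predicts. The second event shows the whitespace-only case the foreach note mentions.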
If you're on Cloud, you can't send your syslog directly to Cloud and need a local forwarder (or SC4S instance) anyway. So it doesn't matter much whether it's TCP or UDP (at least in terms of on-site vs. Cloud).
Hi @gcusello, yes, it looks the same, but the issue is that we cannot change the height of the graph for better visibility.
Hi @vinod743374, it seems to be the closest to your requirement. Ciao. Giuseppe
Hi @quangnm21, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
I don't think there is a connector for that purpose. If you want to follow the "develop your own solution" route, I would recommend building a connector for SOAR instead of a function in the visual editor. IMO it's more flexible in what you can do (e.g. include external libs), it's easily reusable, and you can add multiple assets to use in the PBs. Also, the new app wizard makes it easier to get started, and you have tons of "examples" if you look in the SOAR connector GitHub account.
Hi @gcusello, thanks for the reply. I tried the horizon chart already, but it does not meet my requirement (the tooltips, the visibility of the graph and the values on the axis do not look good). Looking for a better one. Thanks.
@gcusello , Thank you
Hi @vinod743374, see if the Horizon Chart - Custom Visualization (https://splunkbase.splunk.com/app/3117) is what you want. Ciao. Giuseppe