All Posts

Hi @roberto_baggio, as I said, outside ES you have to use the normal menu configuration form, from the app whose menu you want to modify: [Settings > User Interface > Navigation menu > default]. Then you can add your dashboard. For more info see https://dev.splunk.com/enterprise/docs/developapps/createapps/addnavsplunkapp/ or https://dev.splunk.com/enterprise/tutorials/module_getstarted/modifynavbar/ Ciao. Giuseppe
Hello, Giuseppe. Thank you for your firm response. You are right, in ES I can do so. But, for example, in the AWS dashboard app there is no such option. So does that mean that I can't do so?
I set up the Microsoft Teams Add-On For Splunk yesterday and am successfully ingesting data from our tenant. My query is regarding the relationship between the volume of incoming webhooks from Azure and the callRecord events.

As I understand it (and this is likely the root cause), Azure pushes a change notification to the Splunk webhook each time a call ends, containing the unique call ID. The Teams Call Record app/input runs on a schedule (in my case every five minutes) and retrieves all the call records it's received change notifications for since it last ran. I would, therefore, expect there to be an equal number of m365:webhook and m365:teams:callRecord events, but there aren't. I'm typically seeing a 3:2 ratio of webhook to callRecord events.

I believe the 'id' field in the webhook event and the callRecords matches (this is the identifier Splunk uses to retrieve the callRecord using the Graph API) and I would have expected the id in each event type to be unique, but there appear to be many duplicates in both event types. If I look at my data for yesterday I can see:

4163 webhook events
3867 callRecord events

But if I dedup on 'id', I see:

2614 webhook events
2586 callRecord events

...which still doesn't match (although it's much closer) and is a lot of duplicates. Any bright ideas, folks?
It's (almost) impossible to say what your real issue is based on the information you have given. Normally you shouldn't create indexes automatically from your Add-Ons etc. Just create a separate SA (etc.) which is separate from your main Add-On or App and install that part only on your indexers / MN. Probably it's best to remove that index definition on your SHC side and check if this helps. Also, if your Add-On automatically creates that index on the SH side, remove that part too. To be honest, I don't trust ChatGPT's instructions on how and what to do with Splunk. Most of those instructions which I have looked at are "scrap" and send you in the wrong direction / habits!
Hi @parthiban, if you run:

index="XXXX" "Genesys system is available"
| rename "response_details.response_payload.entities{}.onlineStatus" as status
| where name="YYYY"

which values do you have for the status field? Ciao. Giuseppe
Hi @gcusello I am using the correct field only, which is the one mentioned below.

| rename "response_details.response_payload.entities{}.onlineStatus" as status
I have 2 multivalue fields (old and new) containing group lists for 1 or more users. The new values are the list of groups that replace the old groups. For example:

user 1 has an old value of group1, group2, group3
user 1 has a new value of group1, group2, group3, group4, and group5
user 2 has an old value of group3, group4, group5
user 1 has a new value of group4, group5, group6, group7, and group8

I'm trying to return group4 and group5 for user1 and group7 and group8 for user2
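As an added example, not part of the original post: the SPL below builds the two users' old and new lists with makeresults, then returns every group that appears in new but not in old. The field names n, user, old, new and added are chosen here; the approach works on any Splunk version that has mvexpand and mvfind, so it does not depend on mvmap.

```spl
| makeresults count=2
| streamstats count AS n
| eval user="user".n
| eval old=if(n=1, "group1,group2,group3", "group3,group4,group5")
| eval new=if(n=1, "group1,group2,group3,group4,group5", "group4,group5,group6,group7,group8")
| eval old=split(old, ","), new=split(new, ",")
| mvexpand new
| where isnull(mvfind(old, "^".new."$"))
| stats values(old) AS old values(new) AS added BY user
```

mvfind returns the index of the first old value matching the anchored regex, so a null result means the new group was not in the old list; the stats at the end folds the surviving rows back into one multivalue added field per user.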
Hi @EricMonkeyKing, did you configure INDEXED_EXTRACTIONS = json for that sourcetype or use the spath command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Spath)? Ciao. Giuseppe
Hi, I have a requirement to show a line chart comparison between today's count vs the previous day's. I have the SPL below, but we see the data from yesterday and today, and each graph line is separate. I want to see the lines together, one superimposed on the other. Please could you suggest how to compare them?

Current SPL:

basesearch earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| timechart span=15m count by Day

Current visualization:

Expected visualization is:
Hi @roberto_baggio, you can create your own dashboards in the apps you like. If you want to see them in a normal Splunk Enterprise App, you have to configure it in [Settings > User Interface > Menu]. If instead you want to see these dashboards in ES, you have to go to [Configure > General > Navigation]. Ciao. Giuseppe
Hi all, for this sort of JSON string, how can I extract KeyA, KeyB, KeyC?

{
  "KeyA": [
    { "path": "/attibuteA", "op": "replace", "value": "hello" },
    { "path": "/attibuteB", "op": "replace", "value": "hi" }
  ],
  "KeyB": [
    { "path": "/attibuteA", "op": "replace", "value": "" },
    { "path": "/attibuteC", "op": "replace", "value": "hey" },
    { "path": "/attibuteD", "op": "replace", "value": "hello" }
  ],
  "KeyC": [
    { "path": "/attibuteE", "op": "replace", "value": "" }
  ]
}

My ideal output would look like:

Key   path       op       value
KeyA  attibuteA  replace  hello
KeyA  attibuteB  replace  hi
KeyB  attibuteA  replace
KeyB  attibuteC  replace  hey
KeyB  attibuteD  replace  hello
KeyC  attibuteE  replace

Many thanks
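As an added example that is not part of the original thread, the SPL below flattens the posted JSON into the requested Key/path/op/value rows. It embeds the sample document with makeresults so it runs stand-alone; the field names Key, entries, pair and entry are chosen here, and the rex assumes, as in the sample, that every top-level key holds an array whose elements contain no ] character.

```spl
| makeresults
| eval _raw="{\"KeyA\":[{\"path\":\"/attibuteA\",\"op\":\"replace\",\"value\":\"hello\"},{\"path\":\"/attibuteB\",\"op\":\"replace\",\"value\":\"hi\"}],\"KeyB\":[{\"path\":\"/attibuteA\",\"op\":\"replace\",\"value\":\"\"},{\"path\":\"/attibuteC\",\"op\":\"replace\",\"value\":\"hey\"},{\"path\":\"/attibuteD\",\"op\":\"replace\",\"value\":\"hello\"}],\"KeyC\":[{\"path\":\"/attibuteE\",\"op\":\"replace\",\"value\":\"\"}]}"
| rex max_match=0 "\"(?<Key>[^\"]+)\"\s*:\s*(?<entries>\[[^\]]*\])"
| eval pair=mvzip(Key, entries, "|||")
| mvexpand pair
| eval Key=mvindex(split(pair, "|||"), 0), entries=mvindex(split(pair, "|||"), 1)
| spath input=entries path={} output=entry
| mvexpand entry
| spath input=entry
| eval path=ltrim(path, "/")
| table Key path op value
```

The rex captures each top-level key and its array as parallel multivalue fields, mvzip/mvexpand turns them into one row per key, spath path={} splits that key's array into one element per row, and the final spath auto-extracts path, op and value from each element (ltrim drops the leading slash to match the expected output).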
Hi @aguilard, this path isn't correct; check whether you configured the targetRepositoryLocation parameter in serverclasses.conf, which is used to configure where to push apps. The default is $SPLUNK_HOME/etc/apps. Ciao. Giuseppe
| table Status, timeval, CompanyCode, CN
| appendpipe [stats count | eval error="thats not cool" | where count==0 | table error | fields - Status, timeval, CompanyCode, CN]

These are the last two lines of a search. In this search, if the fields (Status, timeval, CompanyCode, CN) have no values or all the fields are empty, then I have to display a message, which in this case is "thats not cool". It is working, but in the result, as you can see, all the empty fields are also displayed. I want only the error field if the other fields are empty. Can anyone help?
Hello, I am trying to create some dashboards in ES and some other apps. For convenience I would like to be able to access them from the app drop-down menu, but I can't find a way to do so. Can someone tell me if this is even possible? If yes, how? P.S. We are using a Splunk Cloud deployment.
Hello @gcusello, I do not have error messages on the Deployer. I have plenty of space on the disk of the Deployer; I already checked. The owner of the files is splunk and it has been installed and run with user Splunk. The thing that I noticed 20 minutes ago, and I do not know why, is that when the deployer pushes the ITSI apps to /opt/splunk/var/run/splunk/apps it adds the word "-local" at the end of the folder name, and I just checked that in other installations that I manage it doesn't occur. Thanks for the response
Hi @parthiban , use the correct field for "status" and check if the conditions in the stats command are the correct ones. Ciao. Giuseppe
Hi @gcusello If I remove the below search condition I get this result.

| search condition="Offline" OR condition="Offline but newly online"
| table condition
Hi @aguilard, do you have error messages on the Deployer? Do you have enough disk space on the Deployer? Some additional disk space is required on it. What's the owner of the folders and files? It must be splunk. Which user are you using to install and run Splunk? Ciao. Giuseppe
Hi @parthiban, I found an error in the eval definition, but it shouldn't be the issue:

index="XXXX" "Genesys system is available"
| rename "response_details.response_payload.entities{}.onlineStatus" as status
| where name="YYYY"
| stats count(eval(status="offline")) AS offline_count
        count(eval(status="online")) AS online_count
        earliest(eval(if(status="offline",_time,null()))) AS offline
        earliest(eval(if(status="online",_time,null()))) AS online
| fillnull value=0 offline_count
| fillnull value=0 online_count
| eval condition=case(
    offline_count=0 AND online_count>0, "Online",
    offline_count>0 AND online_count=0, "Offline",
    offline_count>0 AND online_count>0 AND online>offline, "Offline but newly online",
    offline_count>0 AND online_count>0 AND offline>online, "Offline",
    offline_count=0 AND online_count=0, "No data")
| search condition="Offline" OR condition="Offline but newly online"
| table condition

Debug the search to understand whether the search conditions are met or not: remove the search statement and see which values you have. Ciao. Giuseppe
Could anyone help me on this please?