Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I have one question. The solution shows the time range in restricted _time. Is it possible to expand it into / show it in the selected time range, which is defined in the time range picker? To the range addinfo.info_max_time, addinfo.info_min_time?
thanks @PickleRick 
Any solution for this?
Thanks for the response. When I'm using this line breaker regex, a lot of events are missing; attaching a screenshot as reference. Is there any way I can read that whole file into a single payload? If yes, this can resolve my issue.
Interview preparation is like getting ready for a conversation where someone asks you questions to know more about you and your abilities. Here are a few simple tips:
- Know Yourself: Think about your strengths (things you're good at) and your experiences (things you've done in the past).
- Understand the Job: Learn about the job you're applying for. What skills are they looking for? How does your experience match those skills?
- Practice Common Questions: People often ask similar questions in interviews. Practice answering questions like: "Can you tell me about yourself?" "What are your strengths?" "Why do you want this job?"
- Be Ready to Share Examples: If they ask about your skills, try to give examples from your past experiences. This helps show that you have practical knowledge.
- Ask Questions: Prepare a couple of questions to ask the interviewer. It shows that you're interested. For example: "Can you tell me more about the team I'll be working with?" "What is the company culture like?"
- Dress Appropriately: Wear something neat and tidy. It shows that you care about the opportunity.
- Be on Time: Try to arrive a little early. It gives a good impression.
- Stay Calm: If you feel nervous, take a deep breath. It's okay to take a moment before answering a question.
- Follow Up: After the interview, send a thank-you email. It's a nice way to show appreciation.
I am aware of this, which is why I linked the question where this was answered already. I need to change the token within the XML dashboard.
I am aware of this; however, I was not able to accomplish it. Could you specify HOW EXACTLY you would accomplish this, e.g. shift earliest to earliest-1h within the input part of the XML?
@quentin_young Use these links:
Splunk Web Framework Component Reference: https://docs.splunk.com/DocumentationStatic/WebFramework/1.0/
jQuery: https://www.w3schools.com/jquery/default.asp
Splunk UI Toolkit: https://splunkui.splunk.com/home
Integrating jQuery DataTables Into Splunk: https://hurricanelabs.com/splunk-tutorials/integrating-jquery-datatables-into-splunk-tutorial-part-1/
and so on. Happy learning; if you face any issues, just let us know.
Thanks, KV
If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Hello! Still very new to Splunk, so hoping to get some clarification. My dashboard is currently using a post-process search as its base and filtering data from there. On my dashboard objects, I have a <link></link> which works fine until adding an eval strftime to convert the time to human readable. Running this search as a new search manually with the eval works fine. However, the link directs to a blank search. Removing the eval statement makes the link work. Link:
<link target="_blank"> search?q=| inputlookup io_vuln_data_lookup where $severity$ | search last_found &gt;= "$info_min_time$" AND last_found &lt;= "$info_max_time$" | eval last_found = strftime(last_found, "%c") | table dns_name, last_found | where lower(state)!="fixed" </link>
I was hoping to only do this conversion for a single dashboard object, so didn't want to convert the entire lookup. Would be amazing if I could get this search to work. Thanks!
Hi Brains Trust, I'm trying to find the location of a CSV file that used to be a file input in 2019 but the file input (Files & directories) has been removed from the HF.  Is there a way to search for the file path? The only info I have is the index & source file name but need to know the details on the file input to see if the file in question still exists in that location. index=nessus source="2019_04_17_CRIT_HIGH.csv" Thanks in advance!
I wrote the description of the saved search using Korean. When the search runs and is recorded in scheduler.log, the Korean characters are broken. It worked fine in version 8.2, but the problem occurs in 9.0.7. What should I do? [screenshots: 8.2.3.2 version; 9.0.7 version]
Hello Giuseppe, I noticed it's been over 8 years since you posted your question, but I came across this post while searching on how to make a text box empty by default, same as you were looking to do. I was working on a dashboard today, and thought: what character is never in event data, and is not a character used by SPL for any reason? The answer was the ~. This worked for me, like a charm, in a dashboard text box:
<initialValue>~</initialValue> <default>~</default>
Best regards, Dennis
Using the following search strangely doesn't return the same result as it does when using Postman, a browser, etc. Essentially, we've got a list of IPs joined together that I'm attempting to pass to the Shodan API, which the "net:" search filter supports. The list of IPs will look like so: "1.2.3.4,1.1.1.1,8.8.8.8" etc. (yes, the API key is included in the curl but is removed for the sake of this question)
index=test_index | dedup src_ip | stats values(src_ip) as ip_list | eval ip_list = mvjoin(ip_list, ",") | curl method=get uri="https://api.shodan.io/shodan/host/search?query=net:".ip_list."&fields=ip_str,port,timestamp,vulns&minify=false&language=en
However, we get 0 matches when the response body is returned: { "matches": [], "total": 0 }
Example query that returns a response: api.shodan.io/shodan/host/search?query=net:1.1.1.1,8.8.8.8,9.9.9.9&fields=ip_str,port,timestamp,vulns&minify=false&language=en
Is the literal string expression (".ip_list.") not supported by TA-WebTools? Thanks!
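As an added example (not part of the post above, and not TA-WebTools code), the following Python reproduces what the SPL pipeline in that post is meant to produce, so the resulting request can be compared with the working URL typed into Postman. The IP list is built the way `dedup | stats values() | mvjoin` builds it, with one addition a practitioner would want before handing field values to an outbound API: anything that is not a syntactically valid IP address is dropped. The sample `src_ip` values are constructed, and the API key is left out exactly as it was in the post.

```python
import ipaddress
from urllib.parse import urlencode

SHODAN_HOST_SEARCH = "https://api.shodan.io/shodan/host/search"

# Constructed sample of src_ip values as a search might return them: duplicates,
# stray whitespace and one value that is not an address at all. Not real data.
SAMPLE_SRC_IPS = ["8.8.8.8", "1.1.1.1", "8.8.8.8", "9.9.9.9 ", "not-an-ip", "1.1.1.1"]


def build_ip_list(values):
    """Equivalent of `dedup src_ip | stats values(src_ip) as ip_list | eval ip_list=mvjoin(ip_list, ",")`.

    stats values() returns unique values in lexicographic order, so the result is
    sorted the same way. Unlike the SPL, anything that does not parse as an IPv4 or
    IPv6 address is rejected instead of being forwarded to the external API.
    """
    valid = set()
    for raw in values:
        candidate = raw.strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # never let non-address garbage reach the query string
        valid.add(candidate)
    return ",".join(sorted(valid))


def build_search_url(ip_list):
    """Assemble the host/search URL the curl call in the post is aiming for.

    The `net:` filter and the other parameters are copied from the post. urlencode()
    escapes ':' and ',' so the value survives the trip intact; the server decodes it.
    The API key is intentionally omitted, as it was in the post.
    """
    params = {
        "query": f"net:{ip_list}",
        "fields": "ip_str,port,timestamp,vulns",
        "minify": "false",
        "language": "en",
    }
    return f"{SHODAN_HOST_SEARCH}?{urlencode(params)}"


if __name__ == "__main__":
    ips = build_ip_list(SAMPLE_SRC_IPS)
    print(ips)
    print(build_search_url(ips))
```

Comparing the printed URL with the one that works in the browser is the quickest way to tell whether the value that actually left Splunk still contained the literal text `.ip_list.` or the joined addresses.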
details field is blank
Your reply has solved my problem. Thank you very much. Also, there is a small request. Could you provide me with some relevant documents on using JavaScript in Splunk. Thank you again.
This helped me so much. I've been racking my brain on why this wouldn't work for the last 9 hours. I found this earlier, but I put it in the PowerShell. I was defeated. I then came back and read this again and saw that you said to put it into the cmd. It worked immediately. I'm so grateful.
I am attempting to use Splunk to remove the Oracle WebLogic files that are filling up our hard drive. I have been able to remove other files with a different filename format using the batch command. But the following stanza is not working:
[batch://C:\Oracle\config\domains\csel\servers\...\DefaultAuditRecorder.*.log]
The filename format is: DefaultAuditRecorder.############.log where # is a number. Any suggestions?
Slight variation on @PickleRick's example: your foreach statement only needs to be
| foreach "*" [ eval <<FIELD>>=case('<<FIELD>>'=0, " ", '<<FIELD>>'>0, " ", 1==1, '<<FIELD>>') ]
The above allows for count > 1 with the green tick, but if it will either be 0 or 1 then you can make it so. There is no need to test for the queue name, as long as it's never numeric.
Your search= statement is simply looking for that index=oracle somewhere in the dashboard. If you have index="oracle" or index = oracle then it won't match, so it may be better to do a regex where clause, where you do
... | where match('eai:data', "(?i)index\s*(=[\s\"]*|in\s+\([\w,]*)oracle")
What is an example of a metrics index search that is not showing up?
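Added example, not part of the reply above: the same regex run in Python over a handful of constructed `<query>` fragments standing in for the `eai:data` of dashboards, so you can see exactly which spellings of the index name it catches and which it does not before relying on it in an audit of who searches an index. The pattern is copied from the reply; the `\"` in the SPL string reaches the regex engine as a plain quote, which is what the Python version uses. Dashboard names and queries are made up.

```python
import re

# Pattern from the reply. The SPL source writes the quote as \" inside its string
# literal; by the time the regex engine sees it, it is a plain " as written here.
INDEX_ORACLE_RE = re.compile(r'(?i)index\s*(=[\s"]*|in\s+\([\w,]*)oracle')

# Constructed <query> fragments standing in for eai:data. Each one names the index
# in a different way; none of these are real dashboards.
SAMPLE_DASHBOARDS = {
    "plain":          '<query>index=oracle sourcetype=alert_log | stats count</query>',
    "quoted":         '<query>index="oracle" | timechart count</query>',
    "spaced":         '<query>index = oracle ORA-00600</query>',
    "in_list":        '<query>index IN (main,oracle) | stats count by host</query>',
    "in_list_spaced": '<query>index IN (main, oracle) | stats count by host</query>',
    "in_quoted":      '<query>index IN ("main","oracle")</query>',
    "prefix":         '<query>index=oracle_archive | head 10</query>',
    "mstats":         '<query>| mstats avg(_value) WHERE index=oracle metric_name=cpu.load span=1m</query>',
    "token":          '<query>index=$idx_tok$ | stats count</query>',
    "unrelated":      '<query>index=windows EventCode=4624</query>',
}


def references_oracle(eai_data: str) -> bool:
    """Python equivalent of `| where match('eai:data', "...")` from the reply."""
    return INDEX_ORACLE_RE.search(eai_data) is not None


def classify(dashboards: dict) -> dict:
    """Map each dashboard name to whether the pattern flags it."""
    return {name: references_oracle(xml) for name, xml in dashboards.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLE_DASHBOARDS).items():
        print(f"{name:15} {'match' if hit else 'no match'}")
```

Running it makes three properties of the pattern visible. There is no word boundary after the index name, so `index=oracle_archive` is flagged along with `oracle`. The `IN (...)` branch only accepts bare, comma-separated names: `IN (main, oracle)` with a space and `IN ("main","oracle")` with quotes are both missed. And a dashboard that takes its index from a token such as `$idx_tok$`, or from a macro, is invisible to any literal-text check. A plain `| mstats ... WHERE index=oracle` does match, so if the metrics searches that are not showing up use one of the two forms above, that is the first place to look.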
Hi, I've been trying to follow the documentation to install the credentials for Windows for Universal Forwarder. It's been a nightmare to say the least. The documentation is rather confusing. I ran the wget command to install the universal forwarder. I used msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet to install and agree to the license. Now I'm stuck. I've tried following the example. Used C:\ProgramFiles\splunkuniversalforwarder\bin\splunk.exe install app C:\Users\Ryzen5\Downloads\splunkclouduf.spl to run the file for the credentials and I'm getting errors. I tried several variations and nothing is working. I don't know if I am missing something that is glaringly obvious. Any help would be appreciated. I followed this https://docs.splunk.com/Documentation/Forwarder/8.2.0/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline for the installation and I TRIED following the Windows instructions from here https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/ConfigSCUFCredentials.