All Posts

Hi

You could use Splunk's antivirus configuration as a baseline for AIDE. See those from
https://docs.splunk.com/Documentation/Splunk/9.1.2/ReleaseNotes/RunningSplunkalongsideWindowsantivirusproducts

r. Ismo

Hi

You should just define that it's using cron schedule and there add schedule as

    */3 * * * *

That will run it every 3rd minute. Then don't add throttling for it. More info from
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts
https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions

r. Ismo

I want to repeat the same alert 3 times, 5 minutes apart, like a morning call. Please let me know how I can do it. Can I organize the logic into queries, or is there any alert option for it?

This is my query for the alert event:

    index="main" sourcetype="orcl_sourcetype" | sort by _time | tail 1 | where CNT < 10

No good still

We have added a custom snippet to track additional information like User and SAP FIORI application details. Whenever there is a Script error or AJAX error while loading an application, the data captured by the custom snippet is not reflected on the EUM dashboard. Sometimes the data is not collected even if there are no errors. We are not able to identify any particular reason for this inconsistency.

Below is the code we have added in the custom snippet.

    <script charset="UTF-8" type="text/javascript">
    window["adrum-start-time"] = new Date().getTime();

    function getCustInfo() {
        if (!!sap) {
            var userId = sap.ushell.Container.getService("UserInfo").getUser().getId();
            var userName = sap.ushell.Container.getService("UserInfo").getUser().getFullName();
            if (sap.ushell.services.AppConfiguration.getCurrentApplication() != undefined) {
                var AppTitle = sap.ushell.services.AppConfiguration.getCurrentApplication().text;
                var CompID = sap.ushell.services.AppConfiguration.getCurrentApplication().applicationDependencies.name;
                if (sap.ushell.services.AppConfiguration.getCurrentApplication().reservedParameters['sap-fiori-id'] == undefined) {
                    var AppDevType = 'Custom'
                } else {
                    var AppDevType = 'SAP'
                    var AppID = sap.ushell.services.AppConfiguration.getCurrentApplication().reservedParameters['sap-fiori-id'][0];
                }
            }
        }
        return {
            "userId": userId,
            "userName": userName,
            "AppTitle": AppTitle,
            "CompID": CompID,
            "AppDevType": AppDevType,
            "SIB_APPID": AppID
        }
    }

    window['adrum-config'] = {
        userEventInfo: {
            "PageView": function (context) {
                return { userData: getCustInfo() }
            },
            "Ajax": function (context) {
                return { userData: getCustInfo() }
            },
            "VPageView": function (context) {
                return { userData: getCustInfo() }
            }
        }
    };

    (function (config) {
        config.appKey = "AD-AAB-ACE-TNP";
        config.adrumExtUrlHttp = "http://cdn.appdynamics.com";
        config.adrumExtUrlHttps = "https://cdn.appdynamics.com";
        config.beaconUrlHttp = "http://pdx-col.eum-appdynamics.com";
        config.beaconUrlHttps = "https://pdx-col.eum-appdynamics.com";
        config.useHTTPSAlways = true;
        config.resTiming = {"bufSize": 200, "clearResTimingOnBeaconSend": true};
        config.maxUrlLength = 512;
        config.Isabapapp = true;
        config.page = {
            "title": function title() {
                return document.title;
            }
        }
    })(window["adrum-config"] || (window["adrum-config"] = {}));
    </script>
    <script src="//cdn.appdynamics.com/adrum/adrum-23.3.0.4265.js"></script>

Any help would be appreciated.

Thanks!

Hi @splunkreal,

you have two solutions to do this:

- copy your data in a summary index, copying only the data you want to share and creating special dashboards to see these data.
- Creating an app with dashboards with disabled access to the Search and Reporting dashboard.

I prefer the first solution.

Ciao.
Giuseppe

Hi @GIA,

I don't know at what step of the DC monitoring you are: at first, you should take logs from your DCs using a Splunk Universal Forwarder.

On this UF you have to deploy the Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742), enabling all the stanzas.

Then you have to configure your UFs to send logs to a Splunk instance.

On this instance, you have to install the same Splunk Add-On for Microsoft Windows and the Domain Controller Monitoring App for Splunk (https://splunkbase.splunk.com/app/6698).

This last app should give you some Use Cases for monitoring your DCs; if they aren't sufficient, you can develop your Use Cases using the SPL.

Ciao.
Giuseppe

Hi @syazwani

Please follow the steps below to reset the password.

Go to

    <Splunk installation directory>/splunk/etc/

Under this location there is a file called passwd; rename it to passwd.backup.

Go to the following location

    <Splunk installation directory>/splunk/etc/system/local

Create a new file user-seed.conf. Inside the user-seed file add the following contents

    [user_info]
    USERNAME = admin
    PASSWORD = <newpassword>

and restart Splunk from cmd

    <Splunk installation directory>/splunk/bin/
    splunk restart

----
Regards,
Sanjay Reddy
----
If this reply helps you, Karma would be appreciated

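The reset steps in the reply above as one shell function, added here as an example and not part of the original post. It assumes a Unix host and takes the Splunk directory (the one containing etc/ and bin/) as its argument; the function name `seed_admin_password` and the `/opt/splunk` path in the usage comment are hypothetical. The new password is read from stdin so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: stage an admin password reset as described in the post.
# Assumptions: Unix host; $1 is the Splunk directory containing etc/ and bin/.
# seed_admin_password is a hypothetical helper name, not a Splunk command.
seed_admin_password() {
    splunk_home=$1
    passwd_file="$splunk_home/etc/passwd"
    seed_file="$splunk_home/etc/system/local/user-seed.conf"

    [ -f "$passwd_file" ] || { echo "no passwd file at $passwd_file" >&2; return 1; }
    # Never clobber an earlier backup: it may be the only copy of the old hashes.
    [ ! -e "$passwd_file.backup" ] || { echo "backup already exists" >&2; return 1; }

    # Read the password from stdin so it never shows up in argv or shell history.
    IFS= read -r new_password || [ -n "$new_password" ] || return 1
    [ -n "$new_password" ] || { echo "empty password refused" >&2; return 1; }

    mv "$passwd_file" "$passwd_file.backup" || return 1

    # The seed file holds the password in clear text: create it owner-only.
    (
        umask 077
        printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$new_password" > "$seed_file"
    ) || return 1
    chmod 600 "$seed_file"
}

# Usage (then restart Splunk as in the post: "$SPLUNK_HOME/bin/splunk" restart):
#   seed_admin_password /opt/splunk < /path/to/file-with-new-password
```

Run it as the account Splunk runs under; otherwise the owner-only seed file will not be readable by the Splunk process.
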
@quentin_young

Sharing my sample code. Please check the console for results.

test_js_action.js

    require([
        'underscore',
        'jquery',
        'splunkjs/mvc',
        "splunkjs/mvc/searchmanager",
        'splunkjs/mvc/simplexml/ready!'
    ], function (_, $, mvc, SearchManager) {

        // Search is created stopped; it only runs when the button is clicked.
        var mySearch = new SearchManager({
            id: "mysearch",
            autostart: false,
            search: '| makeresults | eval test = "This is test" ',
            preview: false,
        }, {
            tokens: true,
            tokenNamespace: "submitted"
        });

        var mySearchResults = mySearch.data("results");
        mySearchResults.on("data", function () {
            var resultArray = mySearchResults.data().rows;
            console.log("My Data", resultArray);
        });

        $(document).ready(function () {
            $("#btn_submit").on("click", function () {
                // Start the search on button click
                console.log("button clicked");
                mySearch.startSearch();
            });
        });
    });

XML

    <dashboard version="1.1" script="test_js_action.js">
      <label>test_js_action</label>
      <row>
        <panel>
          <html>
            <div>
              <button id="btn_submit">submit</button>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>

I hope this will help you.

Thanks
KV

If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.

Hi @bowesmana,

This works when I use a table in the dashboard. However, for a custom search from a drilldown, the structure is as below:

    <drilldown>
       <link target="_blank">search?xxxxxxxxxxxxx(custom search)|table field_1 field_2 ;earliest=$time_selection_earliest$&amp;latest=$time_selection_latest$</link>
    </drilldown>

I cannot add the table id, as "id" is an invalid attribute for both drilldown and link tags.

I don't follow how the drilldown is related, but you can format the table column widths using this css in your dashboards

    <row depends="$AlwaysHideCSS$">
      <panel>
        <html>
          <style>
            #table_id th[data-sort-key=Name] {
              width: 20% !important;
            }
          </style>
        </html>
      </panel>
    </row>

and your table is defined with the id

    <table id="table_id">...

Use the bin command, e.g.

    | bin _time span=1h

Hello All,

I need to convert the Timeline with different times into one. For example:

12:05AM 12:10AM 12:15AM should be taken as 12AM
1:05AM 1:10AM 1:15AM should be taken as 1AM
and vice versa.

Can you please help me to write a query for this.

Timeline

    Top 10 Values    Count    %
    01:10:02 AM      2        0.368%
    01:20:02 PM      2        0.368%
    01:30:02 AM      2        0.368%
    01:35:02 PM      2        0.368%
    01:45:02 PM      2        0.368%
    01:50:02 AM      2        0.368%
    02:05:02 PM      2        0.368%
    02:10:02 PM      2        0.368%
    02:40:02 PM      2        0.368%
    03:05:02 PM

Thank you.

Exactly how it should work if you set = *

If you want the search to return NO results, you need to give the subsearch something that will make the outer search not find anything, e.g.

    host=_there_is_no_such_host

in which case, then the outer search (probably) won't find any results, then you get no results found.

If you are in a dashboard, you can then add some code after the search to force a count of 0, e.g.

    | appendpipe [ | stats count as NoHost | where NoHost=0 | eval _time=now() ]

but then that won't give you much of a timechart, so then you need to work out what should show instead of a timechart - if you want a simple single value viz, you will have to start playing with having multiple panels, one for a timechart and one for a single value viz, where your tokens decide which one gets shown.

See this for more info
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML

Hi All,

How do you customize the table width of results of custom search from a drilldown? I am not able to find any documentation on this.

Still the same results...still displays all of them.

Use this construct

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathroom"
          | rename X_Furniture as host
          | appendpipe
              [ | stats count
                | where count=0
                ``` Add in what you want the default to be ```
                | eval host="*" ] ]
    | timechart span=5m count by host

I assume the field in the lookup that corresponds to host is X_Furniture.

You just need to let the subsearch return and it will effectively return host=bla

The appendpipe will make host=* if there are no values from the inputlookup - so set that value to be the default you want.

The parameters you need to pass from dashboard A to dashboard B are

    form.t_time.*

as that's the name of your time picker in dashboard B.

As I said in my initial reply, input elements in a dashboard have the token names PREFIXED with form. so if you want to pass from a dashboard to another dashboard where the input field is populated from the passed URL parameters, you need to prefix the target token with form.

I'm not a programmer but I am trying to get the display of my graph to depict "No Results" or "N/A" when the Where command can't find the specific name within the csv. Rather what I get is all of the servers listed within the excel. Here is a quick example:

This works for me

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathroom"
          | return host=$X_Furniture ]
    | timechart span=5m count by host

But what happens is if a user types "where Room="Bathr00mZ"....see below......I get a list of all the servers listed in my csv, which is what I don't want. I'd rather have it say "No Results" or "N/A"

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathr00mZ"
          | return host=$X_Furniture ]
    | timechart span=5m count by host

I've tried this:

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathr00mZ"
          | eval res=if(Room=="Bathroom",X_Furniture,"Null") ]
    | timechart span=5m count by host

But this still comes back with the list of all the servers.

I customized a dashboard page and I put a submit button on it. How can I use JavaScript to monitor the button's click to send a request to Splunk and have Splunk execute an SPL?

This is my Js code:

    require([
        "jquery",
    ], function ($) {
        $(document).on('click', '#btn_submit', function () {
            setTimeout(function time() {
                var temp_a = document.getElementById('temp_a').value
                var temp_b = document.getElementById('temp_b').value
            }, 100);
        });
    });

and the dashboard source code is:

    <dashboard script="test.js">
      <label>test_js_action</label>
      <row>
        <panel>
          <html>
            <div>
              <button id="btn_submit">submit</button>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>

By the way, I saw a sample using splunkjs/mvc to send the request, but I can't get the whole code. I only know the Js head is:

    require([
        "jquery",
        "splunkjs/mvc",
        "splunkjs/mvc/simplexml/ready!"
    ], function ($, mvc) {

Thank you very much if you could provide a solution.