All Posts

I customized a dashboard page and put a submit button on it. How can I use JavaScript to monitor the button's click, send a request to Splunk, and have Splunk execute an SPL search? This is my JS code:

require([
    "jquery",
], function ($) {
    $(document).on('click', '#btn_submit', function () {
        setTimeout(function time() {
            var temp_a = document.getElementById('temp_a').value;
            var temp_b = document.getElementById('temp_b').value;
        }, 100);
    });
});

and the dashboard source code is:

<dashboard script="test.js">
  <label>test_js_action</label>
  <row>
    <panel>
      <html>
        <div>
          <button id="btn_submit">submit</button>
        </div>
      </html>
    </panel>
  </row>
</dashboard>

By the way, I saw a sample using splunkjs/mvc to send the request, but I can't get the whole code. I only know the JS header is:

require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function ($, mvc) {

Thank you very much if you could provide a solution.
Hi, how can we reset the password for the admin user from the CLI? Currently I have an indexer running Splunk 9.1.1 in a testing environment and I forgot the username and password. There were some bin commands that prompt for a Splunk username and password, so I need to reset the username and password. Please help. Thank you.
I am very new to using Splunk but I am enjoying it a lot so far. I am being tasked with writing a document on how to verify that all Domain Controllers' logs are going into Splunk for the SecOps team to action on a daily basis. Can someone please point me to a good document on this process? Thank you in advance!
Hello @Lubomir.Kostal, I wanted to share some existing content I found in the Community. https://community.appdynamics.com/t5/Knowledge-Base/Database-Monitoring-An-error-occurred-while-getting-wait-state/ta-p/22412 https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Machine-Agent-Http-Listener-not-working/m-p/50622 Let me know if these help. 
@bowesmana When I click on the URL these parameters are being passed:
?earliest=1701381000&latest=1701384619
But when I add a new timepicker in the drill-down and set a default, the URL becomes:
?earliest=1701381000&latest=1701384619&form.t_time.earliest=-15m&form.t_time.latest=now
Drill-down timepicker token t_time, default "last 15 minutes". This is appended to the bottom of my SPL (outside of the query tags):
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$</latest>
My timepicker XML looks like this:
<input type="time" token="t_time">
  <label></label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>
When you click to drill down, what are the parameters passed on the URL to the second dashboard? On the second dashboard, what is the XML for the time picker? If you go to the second dashboard directly without a link and it is showing All Time as the default, that is because the time picker is configured to show All Time; if you want to change that without a link, edit that second dashboard and change the default. Please post the XML for the <drilldown> section in the source dashboard and the <input> time picker in the second dashboard.
Hello, regarding filtering Splunk roles, we would like to only allow transforming commands (stats, timechart, ...) for users on a specific search head. This search head is not part of the cluster and only queries clustered indexers. The aim is to prevent specific users from accessing raw index data and only show them statistics. At the moment we use summary indexing in a local index by scheduling reports with sistats or sitimechart, but converting the searches is long and heavy. Thanks for your help.
We are scanning our Splunk Enterprise instance with AIDE for Linux and have a decent set of exclusions defined; otherwise it is VERY noisy with findings. We are still getting quite a bit of noise from things like installed apps or add-ons in seemingly benign files. Is there a recommended AIDE configuration for Splunk that will focus it only on the 'important' files? We don't want to just exclude top-level directories too broadly, so if this has been solved, I would love to hear about your aide.conf exclusion settings for Splunk.
@bowesmana Appreciate the response. I'm "linking to dashboard"; when I create the parameter I'm using earliest = $earliest$ and latest = $latest$ and it seems to be passing to the URL fine via the drill-down dashboard. What is annoying is when I go directly into the drill-down dashboard, the timepicker defaults to "All Time". My question is how can this be avoided? When I create the timepicker in the drilldown and set a default, the "link to dashboard" parameters no longer work.
Most likely because the substitution is passing $ips$ as the string "a,c,x", and if you search for
| search ips IN ("a,c,x")
you also get no results. You could do it differently using where; for example, this works:
| eval outer_ips=split($ips$, ",")
| where ips=outer_ips
or this:
| where match($ips$, ips)
Assuming your use case is IP addresses, the where option also allows for cidrmatch if that is useful.
I'm not sure I fully understood your question, but input field tokens are passed as form.token_name=value in the URL, so if your token is t_time in the target dashboard, you should pass form.t_time.earliest=X&form.t_time.latest=Y in the URL. Let me know if this helps.
OK, please do the following.
1. For that specific event, run your search for that time range and show what the _indextime of your event is:
index="abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!="/var/log/messages" sourcetype=600000304_gg_abs_ipc2
| eval index_time=strftime(_indextime, "%F %T.%Q")
| table _time index_time _raw
2. Then run this search for the time range 00:00 to 00:20 on that day:
index=_internal YOUR_ALERT_NAME sourcetype=scheduler
and you should see details of the scheduler running your alert.
3. HOW are you getting your alert? Is it being sent by email? If so, what is the SENT time of the email?
Then from (1) you will see when the data is VISIBLE in Splunk from the index time for that event. That will show you whether the event is present in Splunk when the alert runs at 00:15. From (2) you will see the result count of the alert that runs. From (3) you can see when the event was sent from Splunk.
I have suggested two times before that you change the time range of your search to look a little in the past to account for ingest lag. Please can you ensure you are doing that, so set the search time range to be earliest=-16m@m latest=-1m@m in your alert time picker. That will allow for 1 minute lag between event creation and index time.
Here is a conf presentation about TLS certs https://conf.splunk.com/watch/conf-online.html?locale=watch&search.event=conf23&search=SEC1936B#/
Good afternoon. Currently, I'm submitting this message for help regarding editing the font color for all labels introduced within a pie chart via a created panel within Splunk Studio. Is there a method of changing the font color? I'm looking through the documentation and found a URL link for all the possible source commands to be utilized within the pie chart. One option in particular is called seriesColors. I'm still fairly new to Splunk so I do not have any acquired expertise for editing pie charts here. Thank you.
@jacobdavis You've picked it up well. This is how things are done in XML. Have you used fixedrange=f in the timechart? It's similar to cont, but makes timechart trim the empty stuff at either end of the time ranges.
Then what should I do for getting the server up on HTTP?
Were you ever able to figure this out? I am facing the same issue.
I'm trying to understand the API usage (internal and public, basic auth vs token based) in our controllers so they are appropriately sized and there are no performance bottlenecks. How do I get these stats? I want to filter out the internal API volume from public and explore the possibility of moving some of these APIs to APIM. Also, is it possible to move all the external/public APIs to a different port to manage them better?
Thank you very much, that explains it! I was able to complete my little proof of concept; this is my complete search:
sourcetype=nftemp
| top 100 SRC
| eval ip_address = SRC
| eval ip_dot_decimal_split=split(ip_address,".")
| eval first=mvindex(ip_dot_decimal_split,0),second=mvindex(ip_dot_decimal_split,1),third=mvindex(ip_dot_decimal_split,2),fourth=mvindex(ip_dot_decimal_split,3)
| fields - ip_dot_decimal_split
| eval first=first*pow(256,3),second=second*pow(256,2),third=third*256
| eval ip_address_integer=first+second+third+fourth
| map search="| inputlookup geobeta | where endIPNum >= $ip_address_integer$ AND startIPNum <= $ip_address_integer$ | eval ip=$ip_address$ | eval mapcount=$count$ | sort mapcount | table mapcount,ip,country_iso_code,latitude,longitude,ASName,ASNumber" maxsearches=20000
The sourcetype is a randomly generated nftables log with a few IPs in it; the search then converts the IPs to decimal and runs them against the geobeta lookup. The source of the geobeta lookup also contains only a few records; not sure how it will perform when the geobeta lookup has millions of records in it, let's see... geobeta comes from MaxMind by the way.
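As an added example that is not part of the post above: the same dotted-quad to integer arithmetic and inclusive startIPNum/endIPNum range match in plain Python, run over a constructed stand-in for the geobeta lookup and a few constructed nftables-style log lines. It also keeps source IPs that match no range (the inner search of the map command returns nothing for those, so they vanish from the SPL output).

```python
import re
from collections import Counter

# Constructed stand-in for the "geobeta" lookup (column names as in the post).
# Documentation/private blocks only, so the rows are obviously fake.
GEOBETA = [
    {"startIPNum": 167772160, "endIPNum": 184549375,      # 10.0.0.0/8
     "country_iso_code": "XA", "ASNumber": 64512, "ASName": "RFC1918-TEN"},
    {"startIPNum": 3405803776, "endIPNum": 3405804031,    # 203.0.113.0/24
     "country_iso_code": "XC", "ASNumber": 64514, "ASName": "TEST-NET-3"},
]

# Constructed nftables-style log lines (the post's sourcetype=nftemp).
SAMPLE_LOG = """\
kernel: nft-drop: IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=22
kernel: nft-drop: IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=23
kernel: nft-drop: IN=eth0 SRC=198.51.100.9 DST=10.1.2.3 PROTO=TCP DPT=22
kernel: nft-drop: IN=eth0 SRC=10.1.2.50 DST=10.1.2.3 PROTO=UDP DPT=53
"""


def ip_to_int(ip: str) -> int:
    """Same arithmetic as the eval chain: first*256^3 + second*256^2 + third*256 + fourth."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    first, second, third, fourth = octets
    return first * 256 ** 3 + second * 256 ** 2 + third * 256 + fourth


def lookup_range(ip: str, table=GEOBETA):
    """Return the row whose [startIPNum, endIPNum] contains ip, else None."""
    n = ip_to_int(ip)
    for row in table:
        if row["startIPNum"] <= n <= row["endIPNum"]:
            return row
    return None


def enrich(log: str, limit: int = 100):
    """'top <limit> SRC', then the per-row lookup the map command performs.
    Unmatched sources are kept with empty geo fields instead of vanishing."""
    counts = Counter(re.findall(r"\bSRC=(\S+)", log))
    rows = []
    for ip, count in counts.most_common(limit):
        hit = lookup_range(ip) or {}
        rows.append({"count": count, "ip": ip,
                     "country_iso_code": hit.get("country_iso_code"),
                     "ASName": hit.get("ASName"),
                     "ASNumber": hit.get("ASNumber")})
    return rows
```

A linear scan over the table is fine for a handful of rows; a lookup with millions of ranges would want the start values sorted and a binary search instead.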
Hi Giuseppe, thanks for your response. I would like to expand the IPv4 addresses and am looking for lat/lon, country and AS information. As I already have the MaxMind database in my own MySQL, I thought to convert the data into a KV store and get my data from there. None of the apps on the market were ready-suited for me unless I missed one, so I thought to do this on my own... it's just a hobby. Cheers, Matthias