All Posts



As long as you have only some pairs you could try the map command: https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map But you must follow up its memory and other resource usage and, when needed, switch to another way to do it.
You said that you have looked at those, but you haven't said how. There are several ways to look at those; some are better and some are not so good. Even btool shows only those configurations which are on disk, not those which you have in the running splunkd. But I expect that this is still close enough to reality. Of course you could restart splunkd or use e.g. the REST API to get the running versions. Basically the Splunk GUI (I expect that you are talking about the Users & roles settings?) cannot show anything which it doesn't have in its local configurations! You said that you haven't seen those with

splunk btool indexes list --debug | egrep '\[.*\]'

How about this:

splunk btool authorize list --debug | egrep '(\[.*\]|Indexes)' | egrep -v capability

Can it find index_a, but not index_b?
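The two btool commands above answer "is the index defined" and "which roles may search it" separately; the following script, added here as an example and not part of the post or of Splunk, joins the two by parsing btool-style indexes.conf and authorize.conf text and reporting, per role, which defined indexes are searchable, which roles lack each index, and which srchIndexesAllowed entries name no index at all. The two conf dumps are constructed sample data; the matching rules it assumes are those of authorize.conf.spec (a bare * matches non-internal indexes, _* matches internal ones, and a role inherits the srchIndexesAllowed of roles listed in importRoles).

```python
import fnmatch
import re

# Constructed sample dumps (not from a real system); in practice feed in the output of
#   splunk btool indexes list   and   splunk btool authorize list
INDEXES_CONF = """\
[default]
homePath = $SPLUNK_DB/$_index_name/db

[main]
homePath = $SPLUNK_DB/defaultdb/db

[index_a]
homePath = $SPLUNK_DB/index_a/db

[index_b]
homePath = $SPLUNK_DB/index_b/db

[_internal]
homePath = $SPLUNK_DB/_internaldb/db
"""

AUTHORIZE_CONF = """\
[role_admin]
srchIndexesAllowed = *;_*

[role_user]
srchIndexesAllowed = index_a;index_old

[role_analyst]
srchIndexesAllowed = index_*;main
importRoles = user
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse .conf / btool list text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def defined_indexes(indexes_conf):
    """Index names from indexes.conf, skipping the [default] and [volume:...] stanzas."""
    return sorted(n for n in parse_conf(indexes_conf)
                  if n != "default" and not n.startswith("volume:"))


def role_index_patterns(authorize_conf):
    """srchIndexesAllowed patterns per role; roles named in importRoles contribute theirs too."""
    roles = {n[len("role_"):]: body for n, body in parse_conf(authorize_conf).items()
             if n.startswith("role_")}

    def patterns(role, seen):
        if role in seen or role not in roles:
            return []
        seen.add(role)
        own = [p for p in roles[role].get("srchIndexesAllowed", "").split(";") if p]
        for parent in roles[role].get("importRoles", "").split(";"):
            own += patterns(parent.strip(), seen)
        return own

    return {role: patterns(role, set()) for role in roles}


def searchable(index, patterns):
    """Glob match as authorize.conf.spec describes: a bare '*' covers only non-internal
    indexes, '_*' the internal ones (assumed semantics, see lead-in)."""
    for p in patterns:
        if p == "*" and index.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, p):
            return True
    return False


def visibility_report(indexes_conf, authorize_conf):
    """Return (indexes each role can search, roles lacking each index, patterns naming no index)."""
    idx = defined_indexes(indexes_conf)
    pats = role_index_patterns(authorize_conf)
    by_role = {r: [i for i in idx if searchable(i, ps)] for r, ps in pats.items()}
    lacking = {i: sorted(r for r, v in by_role.items() if i not in v) for i in idx}
    dangling = sorted({p for ps in pats.values() for p in ps
                       if not any(fnmatch.fnmatchcase(i, p) for i in idx)})
    return by_role, lacking, dangling


if __name__ == "__main__":
    by_role, lacking, dangling = visibility_report(INDEXES_CONF, AUTHORIZE_CONF)
    for role, indexes in sorted(by_role.items()):
        print(f"{role:10s} can search: {', '.join(indexes) or '(nothing)'}")
    for index, roles in lacking.items():
        if roles:
            print(f"{index:10s} NOT searchable by: {', '.join(roles)}")
    if dangling:
        print("patterns matching no defined index:", ", ".join(dangling))
```

With the sample data the report shows the symptom from the thread: the user role can search index_a but not index_b, while index_old in its srchIndexesAllowed matches nothing on disk. Because btool reads files rather than the running process, run it on the search head whose behaviour you are debugging, and re-run after any restart.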
It works! Thank you very much for the response!
Yes, as I said in my post, I checked the config files and there are no definitions of either index on the SH. Only on the IX, and on the IX they are identical except for the name.
Hi, here are some old posts about how to do onboarding with your own workstation etc.:
https://community.splunk.com/t5/Getting-Data-In/Does-anyone-have-troubleshooting-steps-on-index-vs-search/m-p/613811
https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582549
https://community.splunk.com/t5/Getting-Data-In/Data-Onboarding-Strategy/m-p/513166
r. Ismo
Hi, have you already looked at these:
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/AboutsecuringyourSplunkconfigurationwithSSL
https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=SEC1936B#/
r. Ismo
Hi, you could use Splunk's antivirus configuration as a baseline for AIDE. See those at https://docs.splunk.com/Documentation/Splunk/9.1.2/ReleaseNotes/RunningSplunkalongsideWindowsantivirusproducts
r. Ismo
Hi, you should just define that it uses a cron schedule and there add the schedule as

*/3 * * * *

That will run it every 3rd minute. Then don't add throttling for it. More info at
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts
https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions
r. Ismo
I want to repeat the same alert 3 times, 5 minutes apart, like a morning call. Please let me know how I can do it. Can I organize the logic into queries, or is there an alert option for it? This is my query for the alert event:

index="main" sourcetype="orcl_sourcetype" | sort by _time | tail 1 | where CNT < 10
Still no good.
We have added a custom snippet to track additional information like User and SAP Fiori application details. Whenever there is a script error or AJAX error while loading an application, the data captured by the custom snippet was not reflected on the EUM dashboard. Sometimes the data is not collected even if there are no errors. We are not able to identify any particular reason for this inconsistency. Below is the code we have added in the custom snippet.

<script charset="UTF-8" type="text/javascript">
window["adrum-start-time"] = new Date().getTime();

// Collect user and Fiori app details. Every lookup is guarded so that a
// half-initialised shell (no global sap, no Container yet, no current app)
// cannot throw inside the agent's beacon callbacks and drop the beacon.
function getCustInfo() {
  var info = {};
  try {
    if (typeof sap === "undefined" || !sap.ushell || !sap.ushell.Container) {
      return info;
    }
    var user = sap.ushell.Container.getService("UserInfo").getUser();
    info.userId = user.getId();
    info.userName = user.getFullName();
    var app = sap.ushell.services.AppConfiguration.getCurrentApplication();
    if (app) {
      info.AppTitle = app.text;
      info.CompID = app.applicationDependencies && app.applicationDependencies.name;
      var params = app.reservedParameters || {};
      if (params["sap-fiori-id"] === undefined) {
        info.AppDevType = "Custom";
      } else {
        info.AppDevType = "SAP";
        info.SIB_APPID = params["sap-fiori-id"][0];
      }
    }
  } catch (e) {
    // Keep whatever was collected so far; a failed lookup must not break the beacon.
  }
  return info;
}

window["adrum-config"] = {
  userEventInfo: {
    "PageView":  function (context) { return { userData: getCustInfo() }; },
    "Ajax":      function (context) { return { userData: getCustInfo() }; },
    "VPageView": function (context) { return { userData: getCustInfo() }; }
  }
};

(function (config) {
  config.appKey = "AD-AAB-ACE-TNP";
  config.adrumExtUrlHttp = "http://cdn.appdynamics.com";
  config.adrumExtUrlHttps = "https://cdn.appdynamics.com";
  config.beaconUrlHttp = "http://pdx-col.eum-appdynamics.com";
  config.beaconUrlHttps = "https://pdx-col.eum-appdynamics.com";
  config.useHTTPSAlways = true;
  config.resTiming = { "bufSize": 200, "clearResTimingOnBeaconSend": true };
  config.maxUrlLength = 512;
  config.Isabapapp = true;
  config.page = { "title": function title() { return document.title; } };
})(window["adrum-config"] || (window["adrum-config"] = {}));
</script>
<script src="//cdn.appdynamics.com/adrum/adrum-23.3.0.4265.js"></script>

Any help would be appreciated. Thanks!
Hi @splunkreal, you have two solutions to do this:
- copy your data into a summary index, copying only the data you want to share, and create special dashboards to see these data;
- create an app with dashboards, with access to the Search and Reporting app disabled.
I prefer the first solution.
Ciao.
Giuseppe
Hi @GIA, I don't know at what step of the DC monitoring you are: at first, you should take logs from your DCs using a Splunk Universal Forwarder. On this UF you have to deploy the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742), enabling all the stanzas. Then you have to configure your UFs to send logs to a Splunk instance. On this instance, you have to install the same Splunk Add-on for Microsoft Windows and the Domain Controller Monitoring App for Splunk (https://splunkbase.splunk.com/app/6698). This last app should give you some use cases for monitoring your DCs; if they aren't sufficient, you can develop your own use cases using SPL.
Ciao.
Giuseppe
Hi @syazwani, please follow the steps below to reset the password:

1. Go to <Splunk installation directory>/splunk/etc/. Under this location there is a file called passwd; rename it to passwd.backup.
2. Go to the following location: <Splunk installation directory>/splunk/etc/system/local and create a new file user-seed.conf.
3. Inside the user-seed.conf file add the following contents:

[user_info]
USERNAME = admin
PASSWORD = <newpassword>

4. Restart Splunk from the cmd: <Splunk installation directory>/splunk/bin/splunk restart

----
Regards,
Sanjay Reddy
----
If this reply helps you, Karma would be appreciated
@quentin_young Sharing my sample code. Please check the console for results.

test_js_action.js

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, SearchManager) {
    // The search is created once but not started until the button is clicked
    var mySearch = new SearchManager({
        id: "mysearch",
        autostart: false,
        search: '| makeresults | eval test = "This is test"',
        preview: false
    }, {
        tokens: true,
        tokenNamespace: "submitted"
    });

    // Log the result rows whenever the search delivers data
    var mySearchResults = mySearch.data("results");
    mySearchResults.on("data", function () {
        var resultArray = mySearchResults.data().rows;
        console.log("My Data", resultArray);
    });

    $(document).ready(function () {
        $("#btn_submit").on("click", function () {
            console.log("button clicked");
            mySearch.startSearch();
        });
    });
});

XML

<dashboard version="1.1" script="test_js_action.js">
  <label>test_js_action</label>
  <row>
    <panel>
      <html>
        <div>
          <button id="btn_submit">submit</button>
        </div>
      </html>
    </panel>
  </row>
</dashboard>

I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Hi @bowesmana, this works when I use a table in the dashboard. However, for a custom search from a drilldown, the structure is as below:

<drilldown>
  <link target="_blank">search?xxxxxxxxxxxxx(custom search)|table field_1 field_2 ;earliest=$time_selection_earliest$&amp;latest=$time_selection_latest$</link>
</drilldown>

I cannot add the table id, as "id" is an invalid attribute for both the drilldown and link tags.
I don't follow how the drilldown is related, but you can format the table column widths using this CSS in your dashboard:

<row depends="$AlwaysHideCSS$">
  <panel>
    <html>
      <style>
        #table_id th[data-sort-key=Name] {
          width: 20% !important;
        }
      </style>
    </html>
  </panel>
</row>

and your table is defined with the id:

<table id="table_id">...
Use the bin command, e.g.

| bin _time span=1h
Hello All, I need to convert the Timeline with different times into one. For example: 12:05AM, 12:10AM, 12:15AM should be taken as 12AM; 1:05AM, 1:10AM, 1:15AM should be taken as 1AM, and so on. Can you please help me to write a query for this?

Timeline (Top 10 Values)   Count   %
01:10:02 AM                2       0.368%
01:20:02 PM                2       0.368%
01:30:02 AM                2       0.368%
01:35:02 PM                2       0.368%
01:45:02 PM                2       0.368%
01:50:02 AM                2       0.368%
02:05:02 PM                2       0.368%
02:10:02 PM                2       0.368%
02:40:02 PM                2       0.368%
03:05:02 PM

Thank you.
Exactly how it should work if you set = *. If you want the search to return NO results, you need to give the subsearch something that will make the outer search not find anything, e.g. host=_there_is_no_such_host, in which case the outer search (probably) won't find any results, and then you get "no results found". If you are in a dashboard, you can then add some code after the search to force a count of 0, e.g.

| appendpipe [ | stats count as NoHost | where NoHost=0 | eval _time=now() ]

but then that won't give you much of a timechart, so you need to work out what should show instead of a timechart. If you want a simple single value viz, you will have to start playing with having multiple panels, one for a timechart and one for a single value viz, where your tokens decide which one gets shown. See this for more info: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML