All Posts
Hi All,  How do you customize the table width of results of custom search from a drilldown? I am not able to find any documentation on this. 
Still the same results...still displays all of them.
Use this construct:

    index=House sourcetype=LivingRoom
        [ | inputlookup HouseInventory.csv
          | where Room="Bathroom"
          | rename X_Furniture as host
          | appendpipe [ | stats count | where count=0 ``` Add in what you want the default to be ``` | eval host="*" ] ]
    | timechart span=5m count by host

I assume the field in the lookup that corresponds to host is X_Furniture. You just need to let the subsearch return and it will effectively return host=bla. The appendpipe will make host=* if there are no values from the inputlookup, so set that value to be the default you want.
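The appendpipe default from the answer above, as an added example that is not part of the thread: a form in which the room comes from a text input instead of being hard-coded. It assumes a lookup HouseInventory.csv with the columns Room and X_Furniture, as in the question; the room input, the sentinel host value, the index/sourcetype search and the time range are assumptions. A fields host clause keeps only host in what the subsearch returns, so the room filter itself is not pushed into the outer search, and the sentinel is a host name that does not exist, so a room with no lookup rows yields no results rather than every host.

```xml
<!-- Added example (not the thread's own XML). Assumes HouseInventory.csv with
     columns Room and X_Furniture exists; "room" input and sentinel host are mine. -->
<form>
  <label>Furniture activity by room (added example)</label>
  <fieldset submitButton="true">
    <input type="text" token="room">
      <label>Room</label>
      <default>Bathroom</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Events per host for room "$room$"</title>
        <search>
          <!-- Subsearch: rows from the lookup become (host="a") OR (host="b") ...
               fields host drops Room so it is not added to the outer search.
               If the lookup matched nothing, the subsearch would be empty and
               the outer search would match every host; appendpipe adds exactly
               one row host="no-such-host" in that case, so the chart is empty. -->
          <query>index=House sourcetype=LivingRoom
    [ | inputlookup HouseInventory.csv
      | where Room="$room$"
      | rename X_Furniture AS host
      | fields host
      | appendpipe [ | stats count | where count=0 | eval host="no-such-host" | fields host ] ]
| timechart span=5m count BY host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Typing a room that is not in the lookup (the "Bathr00mZ" case from the question) makes the subsearch return host="no-such-host", so the panel shows Splunk's "No results found" instead of a chart of every server in the CSV.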
The parameters you need to pass from dashboard A to dashboard B are form.t_time.*, as that's the name of your time picker in dashboard B. As I said in my initial reply, input elements in a dashboard have the token names PREFIXED with form., so if you want to pass from a dashboard to another dashboard where the input field is populated from the passed URL parameters, you need to prefix the target token with form.
I'm not a programmer but I am trying to get the display of my graph to depict "No Results" or "N/A" when the Where command can't find the specific name within the csv. Rather what I get is all of the servers listed within the excel. Here is a quick example. This works for me:

    index=House sourcetype=LivingRoom [ | inputlookup HouseInventory.csv | where Room="Bathroom" | return host=$X_Furniture ] | timechart span=5m count by host

But what happens is if a user types where Room="Bathr00mZ" (see below), I get a list of all the servers listed in my csv, which is what I don't want. I'd rather have it say "No Results" or "N/A":

    index=House sourcetype=LivingRoom [ | inputlookup HouseInventory.csv | where Room="Bathr00mZ" | return host=$X_Furniture ] | timechart span=5m count by host

I've tried this:

    index=House sourcetype=LivingRoom [ | inputlookup HouseInventory.csv | where Room="Bathr00mZ" | eval res=if(Room=="Bathroom",X_Furniture,"Null") ] | timechart span=5m count by host

But this still comes back with the list of all the servers.
I customized a dashboard page and I put a submit button on it. How can I use JavaScript to monitor the button's click to send a request to Splunk and have Splunk execute an SPL? This is my JS code:

    require([
        "jquery",
    ], function ($) {
        $(document).on('click', '#btn_submit', function () {
            setTimeout(function time() {
                var temp_a = document.getElementById('temp_a').value
                var temp_b = document.getElementById('temp_b').value
            }, 100);
        });
    });

and the dashboard source code is:

    <dashboard script="test.js">
      <label>test_js_action</label>
      <row>
        <panel>
          <html>
            <div>
              <button id="btn_submit">submit</button>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>

By the way, I saw a sample using splunkjs/mvc to send a request, but I can't get the whole code. I only know the JS head is:

    require([
        "jquery",
        "splunkjs/mvc",
        "splunkjs/mvc/simplexml/ready!"
    ], function ($, mvc) {

Thank you very much if you could provide a solution.
Hi, how can we reset the password for the admin user from the CLI? Currently I have an indexer running Splunk 9.1.1 in a testing environment and I forgot the username and password. There were some bin commands that will prompt for the Splunk username and password, so I need to reset the username and password. Please help. Thank you.
I am very new to using Splunk but I am enjoying it a lot so far. I am being tasked with writing a document on how to verify that all Domain Controllers' logs are going into Splunk for the SecOps team to action on a daily basis. Can someone please point to a good document on this process? Thank you in advance!
Hello @Lubomir.Kostal, I wanted to share some existing content I found in the Community.

https://community.appdynamics.com/t5/Knowledge-Base/Database-Monitoring-An-error-occurred-while-getting-wait-state/ta-p/22412
https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Machine-Agent-Http-Listener-not-working/m-p/50622

Let me know if these help.
@bowesmana When I click on the URL these parameters are being passed:

    ?earliest=1701381000&latest=1701384619

But when I add a new timepicker in the drill-down and set a default, the URL becomes:

    ?earliest=1701381000&latest=1701384619&form.t_time.earliest=-15m&form.t_time.latest=now

Drill-down timepicker token t_time, default "last 15 minutes". This is appended to the bottom of my SPL (outside of the query tags):

    <earliest>$t_time.earliest$</earliest>
    <latest>$t_time.latest$</latest>

My timepicker XML looks like this:

    <input type="time" token="t_time">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
When you click to drill down, what are the parameters passed on the URL to the second dashboard? On the second dashboard, what is the XML for the time picker? If you go to the second dashboard directly without a link and it is showing all time as the default, that is because the time picker is configured to show all time. If you want to change that without a link, edit that second dashboard and change the default. Please post the XML for the <drilldown> section in the source dashboard and the <input> time picker in the second dashboard.
Hello, regarding filtering Splunk roles, we would like to only allow transforming commands (stats, timechart...) for users on a specific search head. This search head is not part of the cluster, only querying clustered indexers. The aim is to prevent specific users from accessing raw index data and only show statistics. At the moment we use summary indexing in a local index by scheduling reports with sistats or sitimechart, but it's long and heavy to convert searches. Thanks for your help.
We are scanning our Splunk Enterprise instance with AIDE for Linux and have a decent set of exclusions defined; otherwise it is VERY noisy with findings. We are still getting quite a bit of noise from things like installed apps or add-ons in seemingly benign files. Is there a recommended AIDE configuration for Splunk that will focus it only on the 'important' files? We don't want to just exclude top-level directories too broadly, so if this has been solved, I would love to hear about your aide.conf exclusion settings for Splunk.
@bowesmana Appreciated the response. I'm "linking to dashboard"; when I create the parameter I'm using earliest = $earliest$ and latest = $latest$, and it seems to be passing to the URL fine via the drill-down dashboard. What is annoying is when I go directly into the drill-down dashboard, the timepicker defaults to "All Time". My question is how can this be avoided? When I create the timepicker in the drilldown and set a default, the "link to dashboard" parameters no longer work.
Most likely because the substitution is passing $ips$ as the string "a,c,x", and if you search for

    | search ips IN ("a,c,x")

you also get no results. You could do it differently using where; for example, this works:

    | eval outer_ips=split($ips$, ",")
    | where ips=outer_ips

or this:

    | where match($ips$, ips)

Assuming your use case is IP addresses, the where option also allows for cidrmatch if that is useful.
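The split/where approach from the answer above, as an added example that is not part of the thread: a multiselect input whose prefix and suffix wrap the selection in double quotes and whose delimiter is a comma, so $ips$ expands to exactly the quoted comma-joined string the answer describes ("10.0.0.1,10.0.0.3"), and the panel's search splits it back into values before filtering with where. The index, sourcetype, field name src_ip and the three choice values are assumptions.

```xml
<!-- Added example (not the thread's own XML). index, sourcetype, src_ip and
     the choice values are assumptions; "ips" is the multiselect token. -->
<form>
  <label>Filter by selected IPs (added example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="ips">
      <label>Source IPs</label>
      <choice value="10.0.0.1">10.0.0.1</choice>
      <choice value="10.0.0.2">10.0.0.2</choice>
      <choice value="10.0.0.3">10.0.0.3</choice>
      <default>10.0.0.1</default>
      <!-- Selecting 10.0.0.1 and 10.0.0.3 makes $ips$ = "10.0.0.1,10.0.0.3":
           one quoted string, which is why  search src_ip IN ($ips$)  would
           look for the literal value 10.0.0.1,10.0.0.3 and return nothing. -->
      <prefix>"</prefix>
      <suffix>"</suffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Flows from selected sources</title>
        <search>
          <!-- split() turns the single string back into a multivalue field;
               where src_ip=selected keeps rows whose src_ip is one of them. -->
          <query>index=netflow sourcetype=flow
| stats count BY src_ip
| eval selected=split($ips$, ",")
| where src_ip=selected
| fields - selected</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The same token can be used with the answer's other form, where match($ips$, src_ip), or, since these are addresses, with cidrmatch() if the choices are networks rather than single hosts.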
I'm not sure I fully understood your question, but input field tokens are passed as form.token_name=value in the URL, so if your token is t_time in the target dashboard, you should pass form.t_time.earliest=X&form.t_time.latest=Y in the URL. Let me know if this helps.
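The form.t_time.* URL parameters described in this answer and in the earlier reply about dashboard A and dashboard B, as an added example that is not part of the thread: two Simple XML dashboards, where dashboard A's drilldown link passes the clicked panel's $earliest$/$latest$ into form.t_time.earliest/form.t_time.latest, and dashboard B's time input (token t_time) is populated from them, while keeping a "last 15 minutes" default for when dashboard B is opened directly. The dashboard id dashboard_b, the app name, the index, the level field and the host token are assumptions.

```xml
<!-- Added example (not the thread's own XML). Two dashboards shown in one block;
     dashboard_b, the app path, index, level and host token are assumptions. -->

<!-- ===== Dashboard A (source, id: dashboard_a) ===== -->
<form>
  <label>Dashboard A: errors by host</label>
  <fieldset submitButton="false">
    <input type="time" token="a_time">
      <label>Time range</label>
      <default><earliest>-4h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=app_logs level=ERROR | stats count BY host</query>
          <earliest>$a_time.earliest$</earliest>
          <latest>$a_time.latest$</latest>
        </search>
        <drilldown>
          <!-- $earliest$/$latest$ are the bounds of the search that produced the
               clicked row (epoch values, like the ?earliest=...&latest=... seen in
               the thread). They are passed as form.t_time.* because the target
               input's token is t_time; a bare earliest=... would not set it.
               $row.host$ is the clicked row's host, passed into form.host. -->
          <link target="_blank">/app/search/dashboard_b?form.t_time.earliest=$earliest$&amp;form.t_time.latest=$latest$&amp;form.host=$row.host$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

<!-- ===== Dashboard B (target, id: dashboard_b) ===== -->
<form>
  <label>Dashboard B: host detail</label>
  <fieldset submitButton="false">
    <!-- Token name t_time must match the form.t_time.* parameters above.
         The default applies only when no URL parameters are supplied,
         i.e. when dashboard B is opened directly. -->
    <input type="time" token="t_time">
      <label>Time range</label>
      <default><earliest>-15m</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="host">
      <label>Host</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Errors on $host$</title>
        <search>
          <query>index=app_logs level=ERROR host="$host$" | timechart span=5m count</query>
          <earliest>$t_time.earliest$</earliest>
          <latest>$t_time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Clicking a row in dashboard A opens dashboard B with its time picker set to the source panel's range and the host pre-filled; opening dashboard B on its own shows the last 15 minutes rather than All Time.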
OK, please do the following:

1. For that specific event, run your search for that time range and show what the _indextime of your event is:

    index="abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!="/var/log/messages" sourcetype=600000304_gg_abs_ipc2
    | eval index_time=strftime(_indextime, "%F %T.%Q")
    | table _time index_time _raw

2. Then run this search for the time range 00:00 to 00:20 on that day, and you should see details of the scheduler running your alert:

    index=_internal YOUR_ALERT_NAME sourcetype=scheduler

3. HOW are you getting your alert? Is it being sent by email? If so, what is the SENT time of the email?

Then, from (1) you will see when the data is VISIBLE in Splunk from the index time for that event. That will show you whether the event is present in Splunk when the alert runs at 00:15. From (2) you will see the result count of the alert that runs. From (3) you can see when the event was sent from Splunk.

I have suggested two times before that you change the time range of your search to look a little in the past to account for ingest lag. Please can you ensure you are doing that, so set the search time range to be earliest=-16m@m latest=-1m@m in your alert time picker. That will allow for 1 minute of lag between event creation and index time.
Here is a .conf presentation about TLS certs: https://conf.splunk.com/watch/conf-online.html?locale=watch&search.event=conf23&search=SEC1936B#/
Good afternoon. Currently, I'm submitting this message for help in regards to editing the font color for all labels introduced within a pie chart via a created panel within Splunk Studio. Is there a method of changing the font color? I'm looking through the documentation and found a URL link for all the possible source commands to be utilized within the pie chart. One command in particular is called seriesColors. I'm still fairly new to Splunk, so I do not have any acquired expertise for editing pie charts here. Thank you.
@jacobdavis You've picked it up well. This is how things are done in XML. Have you used fixedrange=f in the timechart? It's similar to cont, but makes timechart trim the empty stuff at either end of the time ranges.