Not exactly what I was looking for.  I have the Label and Value mapped to field 1 as that is the user friendly value and unique.  I have field 2 which means nothing to my users and is a varied value field. The Label/Value combo feeds panel_A chart which works very well.  I have panel_B chart which I would like powered from field2 without having to create a second drop down with the same values.  Two for the price of one.   I am going to try and make the Label field a combo of the 2 and then set a token to a regex extraction from $Label which may just work.  But I feel it's janky and cheating.  I am hoping someone will have a much better idea.
Within the change tag have you tried to reference the $label$ or $value$ from the dynamic search using these tokens?

    <set token="show_another_panel">$label$</set>
    <set token="another_result">$value$</set>

Here's a basic SimpleXML page with a dynamic dropdown and a couple of HTML panels to show the value of the tokens being set:

    <form version="1.1">
      <label>Dropdown Test</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="field1">
          <label>field1</label>
          <fieldForLabel>sourcetype</fieldForLabel>
          <fieldForValue>source_dc</fieldForValue>
          <search>
            <query>index=_internal earliest=-6h | stats dc(source) as source_dc by sourcetype</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>
          <change>
            <set token="show_another_panel">$label$</set>
            <set token="another_result">$value$</set>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <html>$show_another_panel$</html>
        </panel>
        <panel>
          <html>$another_result$</html>
        </panel>
      </row>
    </form>

Per change (form input)
    <input type="dropdown" token="tok_choice" searchWhenChanged="true">
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query> ... | stats dc(field2) as field2number by host </query>
      </search>
      <change>
        <condition match=" like($tok_choice$,&quot;%&quot;) ">
          <set token="show_another_panel">show</set>
          <set token="another_result"> $result.field2number$ </set>
        </condition>
      </change>
    </input>

The token for 'show_another_panel' is working just fine, but the other token is treating the whole $result.field2number$ as full text, including the $. The drop down is working as expected with fieldForLabel and fieldForValue. I have tried the following:

    <done>
      <set token="another_result"> $result.field2number$ </set>
    </done>

This sets the token to the field2number of the first row. The value does not update to the row based upon selecting a new host. When selecting a new host, I want the token to update to the corresponding value of the alternate row. Any suggestions?
Hi @Guilherme.Drehmer, Thanks for clarifying and also submitting a ticket. If you could report back what you hear from Support back on this thread would be amazing!
Hi @Ryan.Paredez, Large projects like ours have long build times, and not being able to turn on the Gradle build configuration cache for the entire project just because of the AppD plugin sounds like an issue to me, not a feature request. The Gradle build configuration cache might be disabled by default now, but it will likely be turned on by default in the near future, given the benefits it can provide. I've raised a ticket for investigation. Thanks, Guil
Hello All

I had exactly the same issue, and this only happens when you use the base search directly to get the cluster map populated. I solved the issue, and maybe it is a silly way to do it, but it was the only way to make it work for me. In your cluster map, edit search --> search string text box, and do something like this. mainQuery: it is your base search; in my case it is a macro used in different dashboards.

###################  Code ###############################
    | fields 1
    ``` there is no field called 1 - the idea is to get an empty result from the base search ```
    ``` The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ```
    | append
        [ search `mainQuery`
          | fields lat lon country sales
        ]
    | geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0
###################  end of Code ###############################
Here is what it is on Lantern regarding this:

Audit reduction and report generation
Leveraging Splunk to ingest and index time-series data supports on-demand review, analysis, and reporting in near real-time and retroactively according to an organization's data retention requirements. Splunk Enterprise's optional data integrity control feature provides a mechanism to verify the integrity of indexed data via SHA-256 hashing.

https://lantern.splunk.com/Splunk_Platform/UCE/Security/Compliance/Monitoring_NIST_SP_800-53_rev5_control_families/NIST_SP_800-53_audit_and_accountability
Ended up getting it to work using a different sample log from the app that will be submitting the OTLP logs. For some reason the example in the OTLP spec wouldn't work on the /event endpoint using Postman but would on the /raw endpoint. Though with the /raw endpoint it was just the log body and not all the context around it. Thanks for your help!
Do Splunk Heavy Forwarders support Corretto as opposed to Java?
Thank you, I am getting the result, but unwanted fields are coming along, like jira, macro, filename. How do I get rid of these from the result?
Hello @bora.min, I was told the Accounts team has sent you a Password reset email to the email you have used to sign into the Community. Can you confirm if you got it or not?
A "slice" is a portion of a bucket.  The audit record is trying to show how much data was read to satisfy the search.
Tried it and it shows the _time/date and lists all the IONS (Users) names in the other column.  There is no count of disconnections.  
My apologies for my poor Monday morning reply.  In Splunk Cloud, all you do is upload your props.conf in an app and Splunk automatically installs it on the indexers.
There is a REST endpoint, /services/search/v2/parser, you may be able to use to parse queries into the commands used. It requires the POST method, so it will have to be used from a script (not from the UI). See https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTREF/RESTsearch#search.2Fv2.2Fparser
... I tested it: if you copy back the moment.js from /opt/splunk/quarantined_files/share/splunk/search_mrsparkle/exposed/js/contrib/ to /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/ the Cisco app works. But this is a hack, and Splunk will complain about the file integrity. I think Cisco needs to update its app.
I have events like this:

    11/06/2023 12:34:56 ip 1.2.3.4 This is record 1 of 5
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    user 1 1.0 0.0 2492 604 ? Ss 12:27 0:00 proc01
    user 6 0.5 0.0 2608 548 ? S 12:27 0:00 proc02
    user 19 0.0 0.0 12168 7088 ? S 12:27 0:00 proc03
    user 223 0.0 0.1 852056 39300 ? Ssl 12:27 0:00 proc04
    user 470 0.0 0.0 7844 6016 pts/0 Ss 12:27 0:00 proc05
    user 683 0.0 0.0 7872 3380 pts/0 R+ 12:37 0:00 proc06
    11/06/2023 12:34:56 ip: 1.2.3.4 This is record 2 of 5
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    user 1 0.0 0.0 2492 604 ? Ss 12:27 0:00 proc07
    user 6 9.0 0.0 2608 548 ? S 12:27 0:00 proc08
    user 19 6.0 0.0 12168 7088 ? S 12:27 0:00 proc09
    user 223 0.0 0.1 852056 39300 ? Ssl 12:27 0:00 proc10
    user 470 0.0 0.0 7844 6016 pts/0 Ss 12:27 0:00 proc11
    user 683 0.0 0.0 7872 3380 pts/0 R+ 12:37 0:00 proc12

and repeating with different data, but the same structure: record 1 of 18...record 2 of 18...etc. The dates and times are the same for each "subsection" of the ps command. I want to be able to make a graph of each "proc" to show their CPU and memory usage over time. The processes will be in a random order. I have the time line parsed with fields extracted (like the ip), and want the header of the ps command to be the field names for the ps data. I'm struggling with this! I tried mvexpand and/or max_match=0 but failed. Thanks for any help.
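The extraction the post is after, as an added example that is not part of the original thread: the ps header row of each record supplies the field names, rows are split so a COMMAND containing spaces stays intact, and every row carries the record's timestamp and ip so it can be charted per process. The sample event is constructed in the shape the post describes (both "ip" and "ip:" headers are handled); this is plain Python showing the logic, not SPL.

```python
import re
from datetime import datetime

# Constructed sample in the shape the post describes: a timestamp/ip header
# line, then a ps-style table whose own header row names the columns.
SAMPLE_EVENT = """11/06/2023 12:34:56 ip 1.2.3.4 This is record 1 of 2
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
user 1 1.0 0.0 2492 604 ? Ss 12:27 0:00 proc01
user 6 0.5 0.0 2608 548 ? S 12:27 0:00 proc02
11/06/2023 12:34:56 ip: 1.2.3.4 This is record 2 of 2
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
user 6 9.0 0.0 2608 548 ? S 12:27 0:00 proc02
user 19 6.0 0.0 12168 7088 ? S 12:27 0:00 proc09 --flag x
"""

# The post shows both "ip 1.2.3.4" and "ip: 1.2.3.4", hence the optional colon.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ip:? (?P<ip>\S+) "
    r"This is record (?P<n>\d+) of (?P<total>\d+)$"
)

def parse_ps_records(text):
    """Yield one dict per process row, keyed by the ps header names, plus _time and ip."""
    ts = ip = headers = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RECORD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
            ip, headers = m.group("ip"), None   # next line is the ps header row
            continue
        if headers is None:
            headers = line.split()
            continue
        # COMMAND is last and may contain spaces: split at most len(headers)-1 times
        values = line.split(None, len(headers) - 1)
        if len(values) != len(headers):
            continue  # malformed row: skip rather than misalign the columns
        row = dict(zip(headers, values))
        row.update(_time=ts, ip=ip)
        row["%CPU"], row["%MEM"] = float(row["%CPU"]), float(row["%MEM"])
        yield row

def cpu_series(text):
    """Group %CPU samples per COMMAND over time, ready to chart."""
    series = {}
    for row in parse_ps_records(text):
        series.setdefault(row["COMMAND"], []).append((row["_time"], row["%CPU"]))
    return series
```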
Sounds like IONS has lots of distinct values in the last 30 days - try investigating these:

    | timechart values(IONS) as IONS span=1d
So I have attached two images:

Computers that have checked in in less than 60 days (274)
The subset of that which has CBC installed (270)

What I want now is a query to identify the 4 devices that do not have the app installed.
@richgalloway, Can you guide me on how to make the change, create or update an app on the Cluster Manager, and apply the bundle? Thanks