All Posts

No, I am not using DB Connect, as that is a sort of limitation in my project. As I am new to Splunk, I am looking for some help in visualizing data in tabular format.
Hello partners, I request your kind support as I intend to activate the Linux ESCU correlations; however, these do not work well because the datamodels are not complete. I know they are necessary, but my observation is that the Linux events do not contain all the values necessary to fill the datamodel. So my question to the community is the following: what audit, messages or syslog rules must be active for the correct collection of events?
Thank you Rich!  Does it seem odd though that the underlying size of the events hasn't changed through this time?  What might be causing it to have to search through more slices for the same style format and volume of data?
| where command!="jira" AND command!="macro" AND command!="filename"
You said you were getting high numbers - the change I suggested was just to the last line of your search so instead of counting the distinct values, you listed them, so you could investigate why there were so many.
Thank you for the response. I did manage to figure out my issue. First was the use of the multiple lookups: when I created the first lookup, I used sort, which limited my results to > 5000, and I needed < 30k. I fixed that by creating the inputlookup ACResults.csv without the sort value that was limiting my results (the inputlookup was from Active Directory).

Then I used the following search:

index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"
| dedup user

Then I used lookup where the user field values matched the field cn from my lookup:

| lookup ACResults.csv cn as user

Final result of my new search:

index=Myindex host=xx.xx.xx.xx "AAA user accounting Successful"
| dedup user
| lookup ACResults.csv cn as user
| eval Sector=extensionAttribute14
| stats count by Sector
| sort -count

Answering your questions:
- What is the relationship between the field you tabled ("user") and all the lookup tables? user = cn from Active Directory.
- And the relationship with "field_stats_wanted"? extensionAttribute14 for that user (cn) from Active Directory.
- Most importantly, why is inputlookup even considered? All my inputlookups had the same fields, so appending would make it easier to search (I thought). I was wrong.
- It usually means that the problem is not clearly understood. That was true, but I learned.

I hope this helps future users. Thank you all the same.
Not exactly what I was looking for.  I have the Label and Value mapped to field 1 as that is the user friendly value and unique.  I have field 2 which means nothing to my users and is a varied value field. The Label/Value combo feeds panel_A chart which works very well.  I have panel_B chart which I would like powered from field2 without having to create a second drop down with the same values.  Two for the price of one.   I am going to try and make the Label field a combo of the 2 and then set a token to a regex extraction from $Label which may just work.  But I feel it's janky and cheating.  I am hoping someone will have a much better idea.
Within the change tag, have you tried to reference the $label$ or $value$ from the dynamic search using these tokens?

<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>

Here's a basic SimpleXML page with a dynamic dropdown and a couple of HTML panels to show the value of the tokens being set:

<form version="1.1">
  <label>Dropdown Test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>field1</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>source_dc</fieldForValue>
      <search>
        <query>index=_internal earliest=-6h | stats dc(source) as source_dc by sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <!-- $label$ and $value$ are the selected row's fieldForLabel and fieldForValue -->
        <set token="show_another_panel">$label$</set>
        <set token="another_result">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>$show_another_panel$</html>
    </panel>
    <panel>
      <html>$another_result$</html>
    </panel>
  </row>
</form>

Per change (form input)
<input type="dropdown" token="tok_choice" searchWhenChanged="true">
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>
      ... | stats dc(field2) as field2number by host
    </query>
  </search>
  <change>
    <condition match=" like($tok_choice$,&quot;%&quot;) ">
      <set token="show_another_panel">show</set>
      <set token="another_result"> $result.field2number$ </set>
    </condition>
  </change>
</input>

The token for 'show_another_panel' is working just fine, but the other token is treating the whole $result.field2number$ as full text, including the $. The dropdown is working as expected with fieldForLabel and fieldForValue. I have tried the following:

<done>
  <set token="another_result"> $result.field2number$ </set>
</done>

This sets the token to the field2number of the first row. The value does not update to the row based upon selecting a new host. When selecting a new host, I want the token to update to the corresponding value of the alternate row. Any suggestions?
Hi @Guilherme.Drehmer, Thanks for clarifying and also submitting a ticket. If you could report back what you hear from Support back on this thread would be amazing!
Hi @Ryan.Paredez, Large projects like ours have long build times, and not being able to turn on the Gradle build configuration cache for the entire project just because of the AppD plugin sounds like an issue to me, not a feature request. The Gradle build configuration cache might be disabled by default now, but it will likely be turned on by default in the near future, given the benefits it can provide. I've raised a ticket for investigation. Thanks, Guil
Hello All, I had exactly the same issue, and this only happens when you use the base search directly to get the cluster map populated. I solved the issue, and maybe it is a silly way to do it, but it was the only way to make it work for me.

In your cluster map, edit search --> search string text box, and do something like this. mainQuery is your base search; in my case it is a macro used in different dashboards.

################### Code ###############################
| fields 1
``` there is no field called 1 - the idea is to get an empty result from the base search ```
``` The idea of the code below is to use the query mainQuery and get the fields to pass them to geostats ```
| append
    [ search `mainQuery`
      | fields lat lon country sales ]
| geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0
################### end of Code ###############################
Here is what it is on Lantern regarding this: Audit reduction and report generation Leveraging Splunk to ingest and index time-series data supports on-demand review, analysis, and reporting in near real-time and retroactively according to an organization's data retention requirements. Splunk Enterprise's optional data integrity control feature provides a mechanism to verify the integrity of indexed data via SHA-256 hashing. https://lantern.splunk.com/Splunk_Platform/UCE/Security/Compliance/Monitoring_NIST_SP_800-53_rev5_control_families/NIST_SP_800-53_audit_and_accountability
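As an added illustration of the data integrity control feature the Lantern excerpt mentions (this is not part of the post or of Splunk's own documentation), the indexes.conf stanza that leaves the feature at its default sits beside one that enables it. The index names and paths are placeholders:

```ini
# indexes.conf (added example; "app_logs" and "audit_logs" are placeholder index names)

# Default: enableDataIntegrityControl is false, so no hashes are written and
# a bucket that has been altered after indexing cannot be detected.
[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
enableDataIntegrityControl = false

# Enabled: Splunk computes SHA-256 hashes over the raw data as each bucket is
# written and stores them in the bucket's rawdata directory, so the bucket can
# be verified later.
[audit_logs]
homePath   = $SPLUNK_DB/audit_logs/db
coldPath   = $SPLUNK_DB/audit_logs/colddb
thawedPath = $SPLUNK_DB/audit_logs/thaweddb
enableDataIntegrityControl = true
```

After a restart, verify with `splunk check-integrity -index audit_logs` (or `-bucketPath <bucket directory>`, adding `-verbose` for per-slice detail). Two caveats a practitioner should keep in mind: the setting only hashes buckets created after it is enabled, so pre-existing buckets remain unverifiable; and because the hashes live next to the data they protect, they detect corruption or unsophisticated tampering but not an adversary who already has write access to the bucket directory, unless the hash files are copied somewhere that adversary cannot reach.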
Ended up getting it to work using a different sample log from the app that will be submitting the OTLP logs. For some reason the example in the OTLP spec wouldn't work on the /event endpoint using Postman but would on the /raw endpoint, though with the /raw endpoint it was just the log body and not all the context around it. Thanks for your help!
Do Splunk Heavy Forwarders support Corretto as opposed to Java?
Thank you, I am getting the result, but unwanted fields are coming up, like jira, macro, filename. How do I get rid of these from the result?
Hello @bora.min, I was told the Accounts team has sent you a Password reset email to the email you have used to sign into the Community. Can you confirm if you got it or not?
A "slice" is a portion of a bucket.  The audit record is trying to show how much data was read to satisfy the search.
Tried it and it shows the _time/date and lists all the IONS (Users) names in the other column.  There is no count of disconnections.  
My apologies for my poor Monday morning reply.  In Splunk Cloud, all you do is upload your props.conf in an app and Splunk automatically installs it on the indexers.