Hi @LearningGuy, as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:

Base search:

<search id="base">
  <query>index=testindex | fields company ip id AvgScore</query>
</search>

Panel 1 (without id field):

<search base="base">
  <query>| table company ip AvgScore</query>
</search>

Panel 2 (with id field):

<search base="base">
  <query>| lookup example.csv id OUTPUTNEW id location | table company id ip AvgScore location</query>
</search>

Ciao.
Giuseppe
Did they give you a SPL- number for what bug it is? 
Hello @gcusello

Thank you for your help. I have 2 "statistics table" panels:

1) statistic table for the base search (id="base"): I don't want to display the "id" field on the table
2) statistic table panel for the second search (derived from the base search, base="base"): I want to display the "id" field on the table

How do I not display the "id" field on the statistic table panel for the base search, but display the "id" field on the statistic table panel for the second search? If I remove "id" from "| table" in the base search, it doesn't display on the statistic table for the base search, but I couldn't use it on the second search.

1) statistic table for the base search

<search id="base">
  <query>index=testindex | table company, ip, AvgScore</query>
</search>

company   ip   AvgScore
CompanyA  ip1  1
CompanyA  ip2  3
CompanyA  ip3  4

2) statistic table panel for the second search

<search base="base">
  <query>| lookup example.csv id as id OUTPUTNEW id, location | table company, id, ip, AvgScore, location</query>
</search>

company   id   ip   AvgScore  location
CompanyA  idA  ip1  1         loc1
CompanyA  idA  ip2  3         loc1
CompanyA  idA  ip3  4         loc1
@meshorer is the value you would use when NOT true hardcoded or from other information in the event/artifact? I think for this you might be best to use a Code Block / Custom Function to have a single output and do all the checking in code based on the inputted value(s).

-- Happy SOARing! --
Many others have had the same problem after upgrading.  It seems the alert is too sensitive.  Once you have confirmed the instances are healthy, consider adjusting the alert threshold or disabling it.
While in an all-in-one scenario it might not be that important, it's useful to remember that you should avoid putting anything in etc/system/local. Apart from that, you can put it "anywhere" - see how Splunk merges the separate files into effective config: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles
Which dashboard is this from? Which app is it in? Which version of Splunk are you using?
Hi, during a playbook, I would like to check a parameter with a condition, and if the condition result is true, I would like to use that parameter. But if the condition result is false, I would then use a different parameter. Is there a way to do that without duplicating a lot of blocks?
This appears to be a single event. The correlation id doesn't match and neither do any of the dates. Please can you provide the correct corresponding events for the row shown?
Hi Splunkers!

How do I change the color of the info button in a dashboard?

<panel id="global_status_op">
  <title>Global Compliance</title>
  <html>
    <style>
    </style>
    <div class="infobutton" parent="global_status_op" type="collapse" style="display: none">
      <p style="font-size:15pt;">The compliance is calculated as follows:</p>
      <p style="font-size:9pt;">- If compliant, the asset is considered as compliant</p>
      <p style="font-size:9pt;">- If not compliant, the asset is considered as not compliant</p>
    </div>
  </html>
</panel>

Thanks!
Hi @ITWhisperer

I am not sure if this is what you are expecting. If not, can you please give some assistance on how to get it.

Correlation ID                        Event start time         Event end time           Difference
930fd232-8d16-4d1f-8725-a5893e9a46c7  11-01-2023 13:19:06:653  11-01-2023 13:19:23:359  16.706

{"message_type": "INFO", "processing_stage": "Obtained data", "message": "Successfully received data from API/SQS", "correlation_id": "0cd56112-6346-4ea3-8a2f-2b59b9eb68ba", "error": "", "invoked_component": "prd-start-step-function-from-lambda-v1", "request_payload": "", "response_details": "{'executionArn': 'arn:aws:states:eu-central-1:981503094308:execution:contact-centre-dialer-service:8a1acb14-b170-4f95-99bc-7a89ff814207', 'startDate': datetime.datetime(2023, 11, 1, 11, 33, 41, 354000, tzinfo=tzlocal()), 'ResponseMetadata': {'RequestId': '60427a29-6dd4-4cdf-b5c0-fc6cb45b08b2', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '60427a29-6dd4-4cdf-b5c0-fc6cb45b08b2', 'date': 'Wed, 01 Nov 2023 11:33:41 GMT', 'content-type': 'application/x-amz-json-1.0', 'content-length': '165', 'connection': 'keep-alive'}, 'RetryAttempts': 0}}", "invocation_timestamp": "2023-11-01T11:33:41Z", "response_timestamp": "2023-11-01T11:33:41Z", "custom_attributes": {"entity-internal-id": "", "root-entity-id": "", "student_id": "64690945", "lead-id": "37079165", "country": "Nepal"}}
Hi @jip31, good for you, see next time!

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated
Hi @PickleRick, yes, I am a bit confused about the philosophy behind all these files. We have only one single server, so I guess it has to be configured there. You mentioned that it has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local?

Cheers
Hi @jip31, when you use sourcetype, you don't need to specify it:

[Perfmon:mem]
FIELDALIAS-Value = Value AS titi counter AS tutu

Only for host and source you have to specify them, but with a different syntax:

[source::your_source]
FIELDALIAS-Value = Value AS titi counter AS tutu

[host::your_host]
FIELDALIAS-Value = Value AS titi counter AS tutu

Ciao.
Giuseppe
This is too vague. What exactly are you trying to achieve? What are your desired results? What events are you working with?
As I said earlier, "Please can you show an example of a row you expect in the results table i.e. event id, start time and end time, and the raw events that this information would be extracted from."
Hi @ITWhisperer @yuanliu

We are getting multiple events in each lambda. We need to extract the start time and end time of the particular event and also need the difference of the start and end time. As I mentioned, the above image has correlation id, start time, end time and difference. Please let me know if you want any input.

Thanks

1  930fd232-8d16-4d1f-8725-a5893e9a46c7  11-01-2023 13:19:06:653  11-01-2023 13:19:23:359  16.706
Hi, I want to connect Java code with the Splunk Cloud platform. Can someone suggest how I can do it?
Hello

I have an admin role. When I create a field alias, I can see it in the props.conf file, but when I run the search the field names are unchanged:

[sourcetype="Perfmon:mem"]
FIELDALIAS-Value = Value AS titi counter AS tutu

What is wrong, please?
Hi @ITWhisperer

Can you tell me what you need exactly?