@niketn I miss you, my friend. I remember this started a great bunch of conversations between us that included a hug at .conf19. I want to give a shout out to @kaeleyt for providing my go-to solution for this problem: https://community.splunk.com/t5/Splunk-Search/How-to-add-colors-to-a-table-for-dynamic-columns/m-p/411419

After looking further, I found this line in the documentation, https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML: "If you do not specify a field, the format rule is applied to the entire table." So the magic is not specifying a field in the line:

    <format type="color">

I also want, like Niket taught me by example, to include a run-anywhere example implementing the solution.

    <dashboard version="1.1">
      <label>Erics Column Test</label>
      <row>
        <panel>
          <title>Data Example</title>
          <table>
            <search>
              <query>index=_internal sourcetype=splunkd log_level!=INFO earliest=-7m@m latest=now | eval Time=strftime(_time,"%Y-%m-%d %H:%M") | chart count as Error by component Time</query>
              <earliest>-1h@h</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">100</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color">
              <colorPalette type="list">[#118832,#1182F3,#CBA700,#D94E17,#D41F1F]</colorPalette>
              <scale type="threshold">0,30,70,100</scale>
            </format>
          </table>
        </panel>
      </row>
    </dashboard>
Please share your full search as the advice already given seems to fix the apparent errors in your example.
@phanTom, anything on this? Thank you in advance.
Can multiple wildcards be used in a serverclass.conf whitelist file?

    whitelist.from_pathname = /lookup/host.txt

Examples:

    M*WEB*
    *WBS*
What can be the solution here, as I'm creating this query dynamically with format and giving it as an input to the base query? How can I escape these special characters?
No. As @bowesmana already told you - the -d "something" option sends the data you specify on the command line. If you want the data to be read from the file you have to specify it as the source for the POST data with the -d @filename option. And there is no "templating" you just specify raw data to be posted. So it will not work like "get a part of the data from the command line and iterate some file's contents over it". No - if you want something like that, you have to implement it manually (bash scripting, python, PowerShell, whatever).
No. The SHC will not replicate files you manually place on one of the members of the cluster. That's what the deployer is for. You could manually place some content on each of the SHs in the cluster and that could work for some time (well, that's why you don't distribute/overwrite built-in apps from the deployer, so you don't cause conflicts in case of upgrade). Also, when the deployer is up you have to manually push the configs; it will not happen automatically.
Your quotes before the http appear to be two SINGLE quotes rather than a double quote. Once you fix that you get a different error about dynamic fields and it looks like it doesn't like the $ sign in the searchmatch string.  
Not sure you understood my question. The curl command below creates an event with "hello world":

    curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Imagine that in my JSON file I have many items with a different event name, for example "hello world", "hello world1", "hello world2"..... Is the right curl command to apply like this?

    curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

What I mean is: if I don't mention the name of the event, will 3 events be created in Splunk with "hello world", "hello world1", "hello world2"?
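The answer above says curl does no templating and the loop over the file has to be written by hand; the question below it asks how to turn a JSON file of event names into HEC events. As an added example (not from either poster), this Python helper parses such a file, lets the JSON library do the quoting that the curl one-liner cannot, and builds one batched request body; the HEC URL and token are placeholders, and the sample file contents are constructed.

```python
import json
import urllib.request
from typing import Iterable, List

# Constructed sample input: the kind of JSON file the question describes,
# a list of event names that should each become one Splunk event.
SAMPLE_EVENTS_JSON = '["hello world", "hello world1", "hello world2"]'


def load_event_names(raw_json: str) -> List[str]:
    """Parse the JSON file contents into a list of event strings."""
    names = json.loads(raw_json)
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("expected a JSON array of strings")
    return names


def build_hec_batch(names: Iterable[str]) -> str:
    """Return one request body holding one {"event": ...} object per name.

    The /services/collector/event endpoint accepts several JSON objects
    concatenated in a single body, so one POST can carry the whole file.
    json.dumps escapes quotes and backslashes inside the event text, which
    a shell string interpolated into -d '{"event":"..."}' would not do.
    """
    return "\n".join(json.dumps({"event": n}) for n in names)


def post_to_hec(body: str, hec_url: str, token: str) -> int:
    """POST the batch to HEC and return the HTTP status (makes a network call).

    hec_url and token are caller-supplied placeholders here; a default Splunk
    install serves HEC with a self-signed certificate, so urlopen will refuse
    it until the CA is trusted on the client.
    """
    req = urllib.request.Request(hec_url, data=body.encode(), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Only builds and prints the body; pass it to post_to_hec() with a real
    # URL and token to send it.
    print(build_hec_batch(load_event_names(SAMPLE_EVENTS_JSON)))
```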
That's not really a Splunk- or ES-related question. It's related to your data and your use cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use cases) on them. As simple as that. It's more a Windows-related question for your admins, to help you review the use cases you want to enable.
+1 on that. Why, in what system, should 14.84 ever mean 14.084? That's what leading zeros are for. It's definitely an application error. Also, where do you get that value from? Is it the _time field or some other time? While the app should be fixed either way, if it's the main timestamp of the event, it's simply plain wrong in terms of being the proper timestamp for the event.
Hey @Sak08092015, are you able to specify which exact Apex EventType you are trying to send to Splunk? Is it one of the standard Apex EventTypes that are EventLogFile supported? (E.g. Apex REST API Event Type.) avd
Also remember that JSON does not support comments.
I don't get it.

    index=vulnerability_scan Risk=Critical earliest=-7d latest=now
    | stats values(CVE) as CVE_7d by extracted_Host
    | appendcols [ search index=vulnerability_scan Risk=Critical earliest=now -7d latest=now
        | stats values(CVE) as CVE_now by extracted_Host ]

I see two practically identical searches (with one having "earliest=-7d" and the other one having "now-7d", which mean the same). The only difference between them might be if some event got ingested between the run of the outer search and the inner one.
Hey @andrewtrobec, while the collection name is indeed maintenance_calendar, the lookup definition name is itsi_maintenance_calendar, so give that a try instead. I suspect you will have to play around with the supported fields for the schedules themselves to come up. Let me know if this helps, avd
Not by using just SimpleXML elements. You might be able (but I'm not sure about that; I'm not a frontend developer) to add some custom JS to change the colours of a single trellis, but in general it's not supported out of the box.
And remember that for search-time operations it's important that you have enough permissions for the app (that should not typically be the issue here, but it's worth checking if all else fails).
Make sure the sourcetype on your data matches that for the FIELDALIAS.
Cool, never saw that streamstats thingy. I'll test it and let you know.