All Posts


- Try again.
- Verify the lookup file permissions have not changed.
- Make sure no one else is editing the file.
- Make sure no other programs (outside of Splunk) have locked the file or have it open for exclusive access.
@inventsekar Thank you for your response. There is not just one dashboard. We need to list out all the dashboards that have autorefresh enabled, and we don't want to go through the dashboards one by one to find out, because there are more than 1000 of them. Thank you in advance.
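One way to get that list without opening each dashboard, as an added example that is not part of the thread: a panel that reads every view's source from the views REST endpoint and keeps only the ones whose source sets a refresh interval. The field names eai:data, eai:acl.app, eai:acl.owner, title and label are the ones `| rest` returns for views; the two source patterns matched (`refresh="..."` in classic Simple XML and a `"refresh": "..."` key in Dashboard Studio JSON) are my assumption about how the interval is stored, and the dashboard label and panel title are my choices.

```xml
<dashboard version="1.1">
  <label>Dashboards with auto-refresh</label>
  <row>
    <panel>
      <title>Views whose source sets a refresh interval</title>
      <table>
        <search>
          <!-- eai:data holds each view's source. The regex keeps rows whose source contains
               either the classic attribute  refresh="5m"  or the Studio key  "refresh": "30s".
               Note that option name="refresh.display" does not match refresh=" and is ignored. -->
          <query>| rest /servicesNS/-/-/data/ui/views count=0 splunk_server=local
| regex eai:data="refresh=\"|\"refresh\"\s*:"
| rex field=eai:data max_match=0 "refresh=\"(?&lt;xml_interval&gt;[^\"]+)\""
| rex field=eai:data max_match=0 "\"refresh\"\s*:\s*\"(?&lt;json_interval&gt;[^\"]+)\""
| eval interval=coalesce(xml_interval, json_interval)
| table eai:acl.app eai:acl.owner title label interval</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The `-/-` namespace walks every app and owner, but `| rest` only returns views the running user can read, so run it as a role with read access to all apps or the count will be silently short. `splunk_server=local` keeps the call on the search head instead of fanning out to indexers.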
Thank you. I tried it and it looks like there are lots of duplicates. For example, the SysMon fields were the same as the XmlWinEvtLogs fields, and there was no difference between the fields within Application and Security, for example. Would you be able to have a look into the SPL and see if it can be optimized, please? Kind regards, Dan
I am trying to save a lookup file  in the Splunk App for lookup file editing and I get the error: The lookup file could not be saved. How do I resolve this?
Thank you so much, it works!
Try something like this

<input type="multiselect" token="choose_office" searchWhenChanged="true">
  <label>Front/Back office</label>
  <choice value="Front%20Office">Front Office</choice>
  <choice value="Back%20Office">Back Office</choice>
  <valuePrefix>form.choose_office=</valuePrefix>
  <valueSuffix></valueSuffix>
  <delimiter>&amp;</delimiter>
</input>
Hello, I was given the administration of a Splunk Enterprise Security instance and I am not familiar with it; I have always used manual queries from "Search & Reporting" and I have the knowledge level of Fundamentals 1 and 2. Splunk ES currently works and I can see notable events from Palo Alto firewalls, but I recently configured Fortinet logs and these are already coming in under an index called fortinet. When doing a normal query with index=fortinet I can see events, but I see nothing from Splunk ES. Exactly what do I need to do to get the Fortinet events to be taken into account by Splunk ES and start generating notable events?
I've managed to solve this with an ugly hack based on this post:  https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-doesn-t-this-JavaScript-work-to-apply-a-click-event-to-the/m-p/389572    Basically, I've just wrapped the entire javascript snippet with a setTimeout()...
I don't see anything local other than the below. Not sure if this is your sourcetype.

/opt/splunkforwarder/etc/apps/armor/local/props.conf [armor_json_02]
/opt/splunkforwarder/etc/apps/armor/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/apps/armor/local/props.conf description = JavaScript Object Notation format. For more information, visit http://json.org/

We need more on what's applying to the enterprise as well, and it's hard to convey the troubleshooting steps here.

1.) Try to run the btool command specific to your sourcetype, such as:

    splunk btool props list "your_sourcetype" --debug
    splunk btool props list --debug | grep -v /system/default

2.) As @somesoni2 mentioned, make sure only one of KV_MODE=JSON or INDEXED_EXTRACTIONS = json is set. My personal recommendation is to use KV_MODE=JSON instead of I_E=JSON.

I hope running this search might help you with the settings applied to the parsing instance:

    | rest splunk_server=local /services/configs/conf-props/YOUR_SOURCETYPE | transpose | search column=eai:acl.app

Hope this helps. If you need more assistance, I encourage you to open an ODS request: https://www.splunk.com/en_us/pdfs/professional-services/splunk-ondemand-services-portal.pdf
@jkaldor I haven't seen any apps that depend on Splunk data in SOAR as it's an independent tool and most apps use API-based connections.  If you want to check, download the app either locally or in the platform and view the py files.  -- Hope this helped. If so please mark as a solution for others to see. Happy SOARing! --
I believe it's because the data is being extracted at index and search time? Is there a way for me to stop one or the other? I believe you're on the right track.
Found the problem... the latest time was the same as the earliest time. Correct syntax:

    | eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"+d@d")
It looks like the StepControlWizard is deprecated with Splunk version 9.1.1. We are guessing the control must have been using a previous version of jQuery 3.5. Not sure.  We found the control was moved to the quarantine folder. Is there a plan to replace this control ?
Yes. So imagine the first stack with the markup being applied across the chart.
Hi Everyone, I've got a dropdown input that generates 30 date entries and stores the choice in the "date.tok2" token. I'd like to be able to pass the token to a table to run a search over the period chosen from the dropdown, but this is not working as expected (not generating any results; I know the query works because if I run it independently it produces results, so the problem must be with the token). I've got an identical dropdown menu that works fine and successfully passes the token on to the table at the beginning of the dashboard (that token is called "date.tok" and is used to set "earliest_tok" and "latest_tok"). Any help would be greatly appreciated.

<input type="dropdown" token="date.tok2" searchWhenChanged="true">
  <label>Date</label>
  <fieldForLabel>Date</fieldForLabel>
  <fieldForValue>earliest</fieldForValue>
  <search>
    <query>| makeresults
| timechart span=d count
| sort - _time
| where _time &lt;= relative_time(now(),"@d")
| fields - count
| eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"@d")
| dedup Date</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
  <change>
    <set token="earliest_tok2">$row.earliest$</set>
    <set token="latest_tok2">$row.latest$</set>
  </change>
</input>

<table>
  <search>
    <query>| ...| ...</query>
    <earliest>$earliest_tok2$</earliest>
    <latest>$latest_tok2$</latest>
  </search>
  <option name="drilldown">none</option>
  <option name="refresh.display">none</option>
  <option name="rowNumbers">false</option>
  <option name="wrap">true</option>
</table>
You can read the comments on a container by using the API in a code or custom function block.

# Build the URL of the container's comments endpoint on the local SOAR REST API
comment_url = phantom.build_phantom_rest_url('container', container_id, 'comments')
# verify=False disables TLS certificate validation for this request
comment_resp_json = phantom.requests.get(comment_url, verify=False).json()
if comment_resp_json.get('count', 0) > 0:
    phantom.debug(comment_resp_json)

You can then parse the comments to your heart's content.
/opt/splunkforwarder/etc/system/default/props.conf [_json]
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf description = JavaScript Object Notation format. For more information, visit http://json.org/
/opt/splunkforwarder/etc/apps/armor/local/props.conf [armor_json_02]
/opt/splunkforwarder/etc/apps/armor/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/apps/armor/local/props.conf description = JavaScript Object Notation format. For more information, visit http://json.org/
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf [json_no_timestamp]
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf [log2metrics_json]
/opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf METRIC-SCHEMA-TRANSFORMS = metric-schema:log2metrics_default_json
/opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf description = JSON-formatted data. Log-to-metrics processing converts the numeric values in json keys into metric data points.
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/default/props.conf INDEXED_EXTRACTIONS = json

(json-only extraction; the full props.txt is way too long.)
Does it leverage an API call directly to the data sources, or does it use data already indexed in Splunk?
Seeing the same after an upgrade from v8 to v9.0.6. I'm suspecting something went wrong during the upgrade but don't have any solid evidence yet.  Did anyone manage to get to the bottom of this ?
Hi There!

I'm having the case where, if the present day is "Monday" and the user selects the option "Exclude weekend", the time range picker should look for the data on Friday. If the user selects the option "Include weekend", the time range picker should be yesterday.

<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="exclude">Exclude Weekends</choice>
  <choice value="include">Include Weekends</choice>
  <default>exclude</default>
  <initialValue>exclude</initialValue>
</input>

thanks!
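One way to build that window, as an added example that is not part of the thread: keep the radio input as posted and add a search-driven dropdown that computes the day from the $weekends$ token and sets earliest/latest tokens through its change handler, the same $row.earliest$ pattern used in the date-dropdown question elsewhere on this page. It goes a little beyond the question: it also handles Sunday (back to Friday) and Saturday (yesterday is Friday anyway). The dropdown token day_pick, the tokens earliest_tok and latest_tok, and the index=_internal consumer panel are my choices; the fragment belongs inside a form's fieldset and a panel.

```xml
<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="exclude">Exclude Weekends</choice>
  <choice value="include">Include Weekends</choice>
  <default>exclude</default>
  <initialValue>exclude</initialValue>
</input>

<!-- One-row search: strftime %u gives 1 (Monday) .. 7 (Sunday).
     back = how many days to step back to the day we want:
       exclude + Monday -> 3 (Friday), exclude + Sunday -> 2 (Friday), otherwise 1 (yesterday).
     The query references $weekends$, so it re-runs whenever the radio changes. -->
<input type="dropdown" token="day_pick" searchWhenChanged="true">
  <label>Day</label>
  <fieldForLabel>label</fieldForLabel>
  <fieldForValue>earliest</fieldForValue>
  <search>
    <query>| makeresults
| eval dow=tonumber(strftime(now(), "%u"))
| eval back=case("$weekends$"=="exclude" AND dow==1, 3,
                 "$weekends$"=="exclude" AND dow==7, 2,
                 true(), 1)
| eval earliest=relative_time(now(), "-".back."d@d")
| eval latest=relative_time(earliest, "+1d@d")
| eval label=strftime(earliest, "%A %d-%b-%y")
| fields label earliest latest</query>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
  <change>
    <set token="earliest_tok">$row.earliest$</set>
    <set token="latest_tok">$row.latest$</set>
  </change>
</input>

<!-- Any panel can now consume the computed window as epoch seconds -->
<table>
  <search>
    <query>index=_internal | stats count</query>
    <earliest>$earliest_tok$</earliest>
    <latest>$latest_tok$</latest>
  </search>
</table>
```

`latest` is derived from `earliest` with "+1d@d" rather than computed from now() a second time, so the two tokens always bound exactly one day (the bug the date-dropdown thread on this page ran into was earliest and latest both snapping to "@d"). The radio value is substituted as a quoted string in the case() expression, so the comparison stays valid for either choice.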