Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-18-2023
08:20 AM
We are still having these ERROR Messages since the upgrade. Never found some evidence or root cause
10-18-2023
08:20 AM
Solution in my case was a field marked as required which was missing in the data - after adding it to the data again the issue was solved.
10-18-2023
08:19 AM
Hi @Udaya Bhaskar.chimakurthy,
You can sign up right here - https://accounts.appdynamics.com/trial
10-18-2023
08:17 AM
1 Karma
If you are just looking to define 'yesterday' as either Sunday or Friday on a Monday then this example shows you how to make a search time range that will be either the previous day, or if Monday and...
See more...
If you are just looking to define 'yesterday' as either Sunday or Friday on a Monday then this example shows you how to make a search time range that will be either the previous day, or if Monday and exclude weekends, is is Friday <form version="1.1" theme="light">
<label>ExcludeWeekends</label>
<fieldset>
<input type="radio" token="weekends" searchWhenChanged="true">
<label>Weekends</label>
<choice value="exclude">Exclude Weekends</choice>
<choice value="include">Include Weekends</choice>
<default>exclude</default>
<initialValue>exclude</initialValue>
</input>
</fieldset>
<search>
<done>
<set token="search_start">$result.search_start$</set>
<set token="search_end">$result.search_end$</set>
</done>
<query>| makeresults
| fields - _time
| eval now=now()
| eval prev_day=if(strftime(now, "%a")="Mon" AND "$weekends$"="exclude", -3, -1)
| eval search_start=relative_time(now, prev_day."d@d")
| eval search_end=search_start + 86400</query>
</search>
<row>
<panel>
<table>
<search>
<query>index=_audit
| bin _time span=1d
| stats count by _time</query>
<earliest>$search_start$</earliest>
<latest>$search_end$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
10-18-2023
08:05 AM
1 Karma
I don't get it, either. When I plug your numbers into the query I get the expected 21.67. Can you share a screenshot just so we're sure we're looking at the right numbers?
10-18-2023
08:04 AM
Try again Verify the lookup file permissions have not changed Make sure no one else is editing the file Make sure no other programs (outside of Splunk) have locked the file or have it open for exc...
See more...
Try again Verify the lookup file permissions have not changed Make sure no one else is editing the file Make sure no other programs (outside of Splunk) have locked the file or have it open for exclusive access
10-18-2023
07:50 AM
@inventsekar Thank you for your response. There is not just one Dashboard. We need to list out all the Dashboards that have autorefresh enabled. For which we don’t want to go one by one looking int...
See more...
@inventsekar Thank you for your response. There is not just one Dashboard. We need to list out all the Dashboards that have autorefresh enabled. For which we don’t want to go one by one looking into the dashboards to find out because there are more than 1000 dashboards. Thank you in advance.
10-18-2023
07:49 AM
Thank you. I tried it and it looks like there are lots of duplicates and for example SysMon fields were as same as to XmlWinEvtLogs and there was no difference between fields within Application and ...
See more...
Thank you. I tried it and it looks like there are lots of duplicates and for example SysMon fields were as same as to XmlWinEvtLogs and there was no difference between fields within Application and Security for example. Would you be able to have a look into the SPL and see if it can be optimized, please? Kind regards, Dan
10-18-2023
07:49 AM
I am trying to save a lookup file in the Splunk App for lookup file editing and I get the error: The lookup file could not be saved. How do I resolve this?
10-18-2023
07:46 AM
Thank you so much, it works!
10-18-2023
07:46 AM
Try something like this <input type="multiselect" token="choose_office" searchWhenChanged="true">
<label>Front/Back office</label>
<choice value="Front%20Office">Front Office</choice>
<choice value=...
See more...
Try something like this <input type="multiselect" token="choose_office" searchWhenChanged="true">
<label>Front/Back office</label>
<choice value="Front%20Office">Front Office</choice>
<choice value="Back%20Office">Back Office</choice>
<valuePrefix>form.choose_office=</valuePrefix>
<valueSuffix></valueSuffix>
<delimiter>&</delimiter>
</input>
10-18-2023
07:45 AM
Hello, I was given the administration of a Splunk Enterprise Security and I am not familiarized, I have always used manual queries from "Search & reporting" I have the knowledge level of Fundament...
See more...
Hello, I was given the administration of a Splunk Enterprise Security and I am not familiarized, I have always used manual queries from "Search & reporting" I have the knowledge level of Fundamentals 1 and 2. Splunk ES currently works and I can see noticeable events from paloalto firewalls but recently configured fortinet logs and these are already coming in under an index called fortinet, when doing a normal query with index=fortinet I can see events but I see nothing from Splunk ES. Exactly what do I need to do to get the fortinet events to be taken into account by Splunk ES and start logging notable events?
10-18-2023
07:35 AM
I've managed to solve this with an ugly hack based on this post: https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-doesn-t-this-JavaScript-work-to-apply-a-click-event-to-the/m-p/389572 ...
See more...
I've managed to solve this with an ugly hack based on this post: https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-doesn-t-this-JavaScript-work-to-apply-a-click-event-to-the/m-p/389572 Basically, I've just wrapped the entire javascript snippet with a setTimeout()...
10-18-2023
07:19 AM
1 Karma
I don't see anything local other than the below: Not sure if this is your sourcetype. /opt/splunkforwarder/etc/apps/armor/local/props.conf [armor_json_02] /opt/splunkforwarder/etc/apps/armor/loca...
See more...
I don't see anything local other than the below: Not sure if this is your sourcetype. /opt/splunkforwarder/etc/apps/armor/local/props.conf [armor_json_02] /opt/splunkforwarder/etc/apps/armor/local/props.conf INDEXED_EXTRACTIONS = json /opt/splunkforwarder/etc/apps/armor/local/props.conf description = JavaScript Object Notation format. For more information, visit http://json.org/ We need more on what's applying to the enterprise as well. And It's hard to convey the troubleshooting steps here. 1.) Try to run the btool command specific to your sourcetype such as splunk btool props list "your_sourcetype" --debug splunk btool props list --debug | grep -v /system/default 2.) As @somesoni2 mentioned make sure KV_MODE=JSON or INDEXED_EXTRACTIONS = json only one of them is set . My personal recommendation is to use KV_MODE=JSON instead of I_E=JSON I hope running this search might help you with the settings applied to the parsing instance. | rest splunk_server=local /services/configs/conf-props/YOUR_SOURCETYPE
| transpose | search column=eai:acl.app Hope this helps. If you need more assistance, encourage you to open an ODS request. an https://www.splunk.com/en_us/pdfs/professional-services/splunk-ondemand-services-portal.pdf
10-18-2023
07:16 AM
@jkaldor I haven't seen any apps that depend on Splunk data in SOAR as it's an independent tool and most apps use API-based connections. If you want to check, download the app either locally or i...
See more...
@jkaldor I haven't seen any apps that depend on Splunk data in SOAR as it's an independent tool and most apps use API-based connections. If you want to check, download the app either locally or in the platform and view the py files. -- Hope this helped. If so please mark as a solution for others to see. Happy SOARing! --
10-18-2023
07:15 AM
I believe it's because the data is being extracted at index and search time? is there a way for me to stop one or the other? i believe you're on the right track
- Tags:
- i
10-18-2023
07:13 AM
Found the problem...the latest time was same as the earliest time. Correct syntax: | eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"+d@d") ...
See more...
Found the problem...the latest time was same as the earliest time. Correct syntax: | eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"+d@d")
10-18-2023
07:09 AM
It looks like the StepControlWizard is deprecated with Splunk version 9.1.1. We are guessing the control must have been using a previous version of jQuery 3.5. Not sure. We found the control was mov...
See more...
It looks like the StepControlWizard is deprecated with Splunk version 9.1.1. We are guessing the control must have been using a previous version of jQuery 3.5. Not sure. We found the control was moved to the quarantine folder. Is there a plan to replace this control ?
- Tags:
- StepControlWizard
Labels
- Labels:
-
javascript
10-18-2023
07:04 AM
Yes. So imagine the first stack with the markup being applied across the chart.
10-18-2023
07:04 AM
Hi Everyone, I`ve got a dropdown input that generates 30 date entries and stores the choice in the "date.tok2" token. I`d like to be able to pass the token to a table to run a search over the perio...
See more...
Hi Everyone, I`ve got a dropdown input that generates 30 date entries and stores the choice in the "date.tok2" token. I`d like to be able to pass the token to a table to run a search over the period chosen from the drop down, but this is not working as expected (not generating any results - I know the query works because if I run it independently it produces results, so the problem must be with the token). I`ve got an identical drop down menu that works fine and it successfully passes the token onto the table at the beginning of the dashboard (that token is called "date.tok" and is used to set "earliest_tok" and "latest_tok"). Any help would be greatly appreciated. <input type="dropdown" token="date.tok2" searchWhenChanged="true">
<label>Date</label>
<fieldForLabel>Date</fieldForLabel>
<fieldForValue>earliest</fieldForValue>
<search>
<query>| makeresults
| timechart span=d count
| sort - _time
| where _time <= relative_time(now(),"@d")
| fields - count
| eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"@d")
| dedup Date</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<selectFirstChoice>true</selectFirstChoice>
<change>
<set token="earliest_tok2">$row.earliest$</set>
<set token="latest_tok2">$row.latest$</set>
</change>
</input>
<table>
<search>
<query>| ...| ...</query>
<earliest>$earliest_tok2$</earliest>
<latest>$latest_tok2$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
Labels
- Labels:
-
token
