All Posts
Will it be a major release like 10.x/minor release like 9.1?
Was this ever resolved without the need of Splunk Support?
Hi There! I would like to pass multiselect values to macros; earlier it was a dropdown. The values in the multiselect are themselves macros which we need to pass as a token to the search:

<input type="checkbox" token="index_scope" searchWhenChanged="true">
  <label>Choose console</label>
  <choice value="1T*">Standard</choice>
  <choice value="2A*">Scada</choice>
  <choice value="2S*">AWS</choice>
  <default>1T*</default>
  <initialValue>1T*</initialValue>
</input>

Here is the search: `compliance($index_scope$, now(), $timerange$, $scope$, $origin$, $country$, $cacp$)`

It's not working as expected in multiselect; earlier, for the dropdown, it was working well. Thanks in advance! Manoj Kumar S
Sorry, you're right. I was checking the "script" input and it has the "interval" parameter, whereas powershell indeed has "schedule". How do you know it's not running (as opposed to running but producing no results, for example)? What does splunk list inputstatus say? My definition looks almost identical and works. From what I see you avoided the common pitfall of $SplunkHome so the path is good.

[powershell://script-checker]
script = . "$SplunkHome\etc\apps\cert_checker\bin\scripts\Splunk-cert-checker.ps1"
schedule = 86400
index = internal_auxiliary
sourcetype = kv:cert-checker
event_serialization_format = kv
disabled = 0
@mseijos - Marking this answer as accepted as it seems to be working, and it was answered correctly first. Let me know if this doesn't work for you. Splunk Community Moderator, Vatsal Jagani
Hello, how can I implement this? I want to auto-choose the category dropdown from the ingredient dropdown. For example, if I choose apple, it will auto-choose fruit. Many thanks @Anonymous
Hi @Praz_123, how do you read the logs? Are they in a file? If yes, check whether the file contains logs for the missing periods. If not, the issue is outside Splunk. If yes, you should check whether they were written moment by moment or after a delay. For this reason I suggest creating an alert depending on the update frequency of your data (e.g. every 15 minutes), so you can immediately check whether the issue is in Splunk or outside it. Ciao. Giuseppe
Hi, maybe this helps you: https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-from-app/m-p/646456/thread-id/15104/highlight/false#M15117 It's an old answer where I change some parameters on a query. I think that you could change the query just like those parameters in the conf. r. Ismo
The patch actually had a different name on my webserver; I've fixed that now, sorry. Also, for the latest (as of Sept) Splunk app, the update functions and changes are the same if you want to add "fixed/static" proxy entries. I'm currently testing to make sure it is actually correct, but I'm hopeful.

In the function validate_arguments:

# LOGGER, print_error, LOCAL_API_HOST, duo_client and time are defined/imported
# elsewhere in the app's input script; only the proxy lines are new.
def validate_arguments(ikey: str, skey: str, host: str, interval: int, offset_seconds: int = -140):
    """
    Ensures that the provided credentials have access to different log types
    Also check that the interval is >= 120 seconds to avoid rate limiting.

    :param ikey: Integration key of Admin Panel API
    :param skey: Secret key of Admin Panel API
    :param host: Host of Admin Panel API
    :param interval: How often Splunk runs this input script, in seconds.
    :param offset_seconds: Number of seconds to subtract from current time, for the validation request
    """
    if interval < 120:
        LOGGER.error("The interval must be greater than or equal to 120 seconds")
        print_error('The interval must be greater than or equal to 120 seconds')
        raise ValueError("The interval must be greater than or equal to 120 seconds")

    admin = duo_client.admin.Admin(ikey=ikey, skey=skey, host=host)
    if host == LOCAL_API_HOST:
        admin.ca_certs = "DISABLE"
    # Update the below to set a fixed proxy server
    # ("proxyserver"/"proxyport" are placeholders: use your proxy host name and numeric port)
    admin.set_proxy("proxyserver", "proxyport")
    current_unix_ts = int(time.time())

and then in the function run_script a little further down:

def run_script():
    """
    Method will instantiate a duo_client.Admin object with the configured ikey/skey/api_host.
    In addition, it will call each log collector class to poll the Duo adminapi for JSON
    encoded data that gets written to stdout.
    """
    LOGGER.info("Getting input configuration.")
    config, splunk_session_key = get_config()
    LOGGER.info("Configuration processing completed. Setting LOGGER level for %s to %s",
                config['name'], config['logging_level'])
    LOGGER.setLevel(config['logging_level'])
    splunk_session_args = {
        'token': splunk_session_key,
        'user': 'nobody',
        'app': 'duo_splunkapp'
    }
    local_mode: bool = config['api_host'] == LOCAL_API_HOST
    admin_api = duo_client.Admin(
        ikey=config['ikey'],
        skey=config['skey'],
        host=config['api_host'],
        ca_certs="DISABLE" if local_mode else None,
        digestmod=hashlib.sha512
    )
    # Update the below to set a fixed proxy server
    # ("proxyserver"/"proxyport" are placeholders: use your proxy host name and numeric port)
    admin_api.set_proxy("proxyserver", "proxyport")

Once this is done I will attempt to make a patch file that allows you to specify a proxy server and port via the UI. Hopefully this is enough to get anyone rolling with the new version.
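The patch above hard-codes the proxy host and port in two places. As an added example (not code from the Duo Splunk app or the poster's patch), the helper below reads the proxy from the input configuration instead, validates it, and applies it to any object that exposes duo_client's set_proxy(host, port) method. The "proxy" config key, the hostnames and the RecordingClient stand-in are assumptions for illustration.

```python
# Added example: load the Duo Admin API proxy from input configuration instead of
# hard-coding it. Not code from the Duo Splunk app; the "proxy" config key, the
# requirement for an explicit port and the hostnames below are assumptions.
from urllib.parse import urlsplit


def parse_proxy(value):
    """Turn a configured proxy string into (host, port) for set_proxy().

    Accepts "host:port" or "http://host:port". Returns None when the value is
    empty (no proxy configured). An explicit port is required, and it is
    converted to int here because http.client, which duo_client uses
    underneath, will not accept a port given as a string.
    """
    if value is None or not str(value).strip():
        return None
    text = str(value).strip()
    if "://" not in text:
        text = "http://" + text  # urlsplit only separates host and port when a scheme is present
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported proxy scheme %r in %r" % (parts.scheme, value))
    if not parts.hostname:
        raise ValueError("proxy host missing in %r" % value)
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError as exc:
        raise ValueError("invalid proxy port in %r" % value) from exc
    if port is None:
        raise ValueError("proxy port missing in %r" % value)
    return parts.hostname, port


def apply_proxy(admin_api, config, key="proxy"):
    """Configure admin_api (anything with a set_proxy(host, port) method, such as
    duo_client.Admin) from config[key]; returns the (host, port) used or None."""
    proxy = parse_proxy(config.get(key))
    if proxy is not None:
        admin_api.set_proxy(proxy[0], proxy[1])
    return proxy


class RecordingClient:
    """Stand-in for duo_client.Admin so the helper can be exercised offline."""

    def __init__(self):
        self.proxy = None

    def set_proxy(self, host, port=None):
        self.proxy = (host, port)


if __name__ == "__main__":
    # Constructed sample config, shaped like the dict get_config() returns in the post.
    sample = {"ikey": "DIXXXXXXXXXXXXXXXXXX", "skey": "<secret>",
              "api_host": "api-xxxxxxxx.duosecurity.com",
              "proxy": "proxy.corp.example:3128"}
    client = RecordingClient()
    print(apply_proxy(client, sample))
```

With the proxy coming from configuration, the two hard-coded set_proxy calls in the patch collapse into apply_proxy(admin, config). Keep ca_certs verification enabled for real Duo API hosts even when traffic goes through the proxy; the "DISABLE" value belongs only to the local test host, as the patch already restricts it.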
Hi Pradeep,

Could you please do the following and let me know how it goes?

1. Go to the API Clients in the Controller: Settings => Administrator => API Client
2. Create an API client.
3. Enter the client Name and Description and generate the Secret. Once the secret is generated, copy the secret and save it.
4. Assign the role.
5. Save it.

If you want to generate a token via a curl command:

6. Run the below curl command to generate the token.

curl -X POST -H "Content-Type: application/vnd.appd.cntrl+protobuf;v=1" "https://test-controller.saas.appdynamics.com/controller/api/oauth/access_token" -d 'grant_type=client_credentials&client_id=<client-id>@account_name&client_secret=<secret>'

Replace <client-id> & <secret> accordingly:
client-id -> Client Name from step 3
client_secret -> Secret from step 3

For example:

curl -X POST -H "Content-Type: application/vnd.appd.cntrl+protobuf;v=1" "https://test-controller.saas.appdynamics.com/controller/api/oauth/access_token" -d 'grant_type=client_credentials&client_id=sunil_api_client@ces-controller&client_secret=738e62b5-2455-45af-a644-934234234234'

Here are the docs for the details: https://docs.appdynamics.com/appd/23.x/latest/en/extend-appdynamics/appdynamics-apis/api-clients#id-.APIClientsv23.1-generate-access-tokens
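The same client-credentials exchange as an added Python example (not part of the post or the AppDynamics documentation). It builds the form body with proper percent-encoding, so a secret containing "&" or "=" cannot break the request the way it would in a hand-built curl -d string, and reads the secret from an environment variable instead of the command line, where shell history and process listings would expose it. The controller URL, client and account names are placeholders, and the expires_in field in the constructed sample response is an assumption about the token response shape.

```python
# Added example: AppDynamics client_credentials token request in Python.
# Not code from the post or from AppDynamics; host, client and account names
# are placeholders and the response fields are assumed.
import json
import os
import time
import urllib.request
from urllib.parse import urlencode

TOKEN_PATH = "/controller/api/oauth/access_token"
CONTENT_TYPE = "application/vnd.appd.cntrl+protobuf;v=1"  # header the post's curl sends


def build_token_request(controller_url, client_name, account_name, client_secret):
    """Return (url, headers, body) for the token endpoint.

    urlencode percent-encodes '@', '&' and '=' in the values, so the
    client_id of the form name@account and an arbitrary secret always form a
    well-formed application/x-www-form-urlencoded body."""
    url = controller_url.rstrip("/") + TOKEN_PATH
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": "%s@%s" % (client_name, account_name),
        "client_secret": client_secret,
    })
    headers = {"Content-Type": CONTENT_TYPE}
    return url, headers, body


def parse_token_response(text, now=None):
    """Return (access_token, expires_at) from the JSON token response.

    expires_at is an absolute epoch time so callers can refresh before the
    token lapses instead of discovering it through a 401."""
    data = json.loads(text)
    token = data["access_token"]
    expires_in = int(data.get("expires_in", 0))  # seconds; field name assumed
    now = time.time() if now is None else now
    return token, now + expires_in


def secret_from_env(var="APPD_CLIENT_SECRET"):
    """Read the secret from the environment rather than a command-line argument."""
    secret = os.environ.get(var)
    if not secret:
        raise RuntimeError("set %s before requesting a token" % var)
    return secret


def fetch_token(controller_url, client_name, account_name, client_secret, timeout=10):
    """Perform the POST and return (access_token, expires_at). Needs network access."""
    url, headers, body = build_token_request(controller_url, client_name, account_name, client_secret)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on a constructed response; fetch_token() does the real call.
    url, headers, body = build_token_request(
        "https://test-controller.saas.appdynamics.com", "sunil_api_client", "ces-controller", "s&cr=t")
    print(url)
    print(body)
    sample_response = '{"access_token": "eyJ...", "expires_in": 300}'  # constructed sample
    print(parse_token_response(sample_response, now=1000))
```

Pass the returned access_token as "Authorization: Bearer <token>" on subsequent Controller API calls and request a new one once expires_at is close.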
No worries @vikas1  Just some admin, it is good practise to mark a correct answer as the solution as other users may find it useful when searching Splunk answers for the same issue.   Karma points are also greatly appreciated.
Hi @PickleRick, Noted on this. Yes, I am using the Splunk App for Salesforce and it is using the "distance" command. It seems they don't have documentation for this app. Btw, thank you for your feedback.
Hi @inventsekar, Thank you for your feedback. Yes, I'm currently using the Splunk App for Salesforce and this is our first time installing it. The Splunk warning message didn't mention any details, only as in the above screenshot. I did check the search.log; the error shows "syntax error - script (path)". I guess I need to fine-tune the query, or is there another way I can work on this?
I feel so dumb @yeahnah  Thank you! Would you like some tea - just made a cup
Hi @vikas1  It's just a view setting and can be disabled under Format > Row Numbers, as shown below Hope that helps    
Hi @abi2023 This is a good example of using the chart command. Here's a run-anywhere example (based on dummy events derived from your example SPL):

| makeresults
| eval _raw="state, risk_rating
open, Critical
open, Moderate
open, Severe
open, Sustainable
close, Critical
close, Moderate
close, Sustainable"
| multikv forceheader=1
| table state risk_rating
``` ^^^ above is just creating dummy example events ^^^ -> the SPL below creates the table output ```
| chart count OVER state BY risk_rating
| sort - state
| addtotals
| addcoltotals labelfield=state label="Total"

Hope this helps
I'm going crazy with this, would appreciate some help. I'm pretty sure the record numbers were not being shown to me. I'm trying to index a simple JSON and unsure where it is coming from or how to disable!
Hello @MichalG1, ES requires 16 CPU, 32 GB Memory (https://docs.splunk.com/Documentation/ES/7.2.0/Install/DeploymentPlanning). However, if the ask is to update max_searches_per_cpu and base_max_searches on a pre-prod environment (and not prod), you can go ahead and try doing that.

I would also suggest disabling the Data Model Accelerations, as well as reviewing the correlation searches which are enabled by default, because the issue seems to be with the scheduler getting a lot of searches to execute at any given time (and not a resources issue). You can also review the alert actions and cron schedules through this search (and stagger cron schedules if needed):

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename title as "Correlation Search", cron_schedule as "Cron Schedule", "dispatch.earliest_time" as "Earliest Time", "dispatch.latest_time" as "Latest Time", actions as "Actions"
| table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions"

Please accept the solution and hit Karma, if this helps!
Hello @msilins, here is something you are looking for - https://lantern.splunk.com/Splunk_Platform/UCE/IT_Modernization/Infrastructure_Monitoring/Managing_an_Amazon_Web_Services_environment/Users_who_haven't_accessed_AWS_for_an_extended_time
Hello, may I ask whether the problem has been resolved, or do you have any other questions?