Signed up for a free trial of Splunk Cloud to test out an app I'm considering buying. However, nowhere was I told that I cannot upload an app file, or that the cloud app cannot be installed into the free trial of Splunk Cloud. Under APPS > Manage Apps, there is no "Upload" button. How can I test and see if this is worth buying, if I can't test and see if it's worth throwing money at?
Found it. So I removed the files I had copied into the shared folder from the quarantine folder, updated that server setting and restarted Splunk. That didn't work. I see the same JS error. It doesn't find the files that are in the quarantined folder. Shoot. Thought I had a No-Code solution. I will move the three files back over and test this a little more.
uri=https://www-api.corp.google.com/google/com/customer/1015953/product/58870/create?ac=n I have the uri like this, but the rex didn't show two new fields.
It's under Server settings. I've updated my answer. Changing the setting will let you use older jQuery libraries. How exactly that happens doesn't really matter, does it?
Thanks for the quick response! Where do I find Internal Library settings? If I update my Settings, will Splunk find those files under the quarantine folder? Brad
Don't move the files. That directory contains old jQuery 3.4 files now that Splunk has moved to jQuery 3.5 for security reasons. If you need to use 3.4, go to Settings->Server settings->Internal Library Settings and click the "Unrestrict" button under "jQuery Libraries older than 3.5".
That is not a query. A proper query will start with search or some other generating command. Go to Settings->Fields->Field Extractions to see if you have extractions defined for the sourcetype.
After migrating to Splunk 9.1.1, all of the controls under splunk/search_mrsparkle/exposed/js/views/shared/controls/ are no longer there. Doing a search found them under the splunk/quarantined_files/share/splunk/search_mrsparkle/exposed/js/views/shared/controls folder. Was there a reason all of the controls were moved? I looked under the Release docs, but didn't find anything on this topic. Is there a reason all of these are quarantined, or can I move them all back?
It's time to stop the piecemeal business. Please share the full (sanitized, if necessary) query that produces the current results and perhaps someone can find a way to produce the desired results.
I had a similar issue where I needed to find spans of time where the logs I was looking for dropped to 0 to represent a potential outage. I used `timechart` like what was described, but then used `untable` to get it back into a usable format for my purposes.

    Base search
    | timechart count by clientip useother=f limit=0
    | untable _time clientip count

Then I could use further stats to count my iterations of "0" values for a threshold.

    <BASE SEARCH>
    | timechart count by clientip useother=f limit=0
    | untable _time clientip count
    | sort 0 clientip _time
    | eval no_events=if(count=0,1,0)
    | streamstats sum(no_events) as consecutive values(no_events) by clientip reset_before=count=1
    | stats max(consecutive) as consecutive_missed by clientip
    | where consecutive_missed>=10 ```Adjust Based on Alert Period, e.g, 24h set to 3; 1hr set to 10;```
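
The same idea outside SPL, as an added example that is not part of the post above: zero-fill time buckets per client, then take the longest run of consecutive empty buckets. It assumes a run resets on any bucket with at least one event; the function names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def longest_silent_runs(events, start, end, span):
    """Return {clientip: longest run of consecutive empty buckets}.

    events is an iterable of (datetime, clientip). Buckets are zero-filled
    per client over [start, end), as a timechart would do, and the running
    count resets on any bucket that contains events (assumption).
    """
    n_buckets = int((end - start) / span)
    counts = defaultdict(lambda: [0] * n_buckets)
    for ts, client in events:
        if start <= ts < end:
            counts[client][int((ts - start) / span)] += 1
    longest = {}
    for client, series in counts.items():
        run = best = 0
        for c in series:
            run = run + 1 if c == 0 else 0   # extend or reset the silent run
            best = max(best, run)
        longest[client] = best
    return longest

def silent_clients(events, start, end, span, threshold):
    """Clients whose longest silent run meets the alert threshold."""
    runs = longest_silent_runs(events, start, end, span)
    return sorted(c for c, n in runs.items() if n >= threshold)

# Constructed sample: one hour in 5-minute buckets (12 buckets per client).
START = datetime(2024, 1, 1, 0, 0)
END = START + timedelta(hours=1)
SPAN = timedelta(minutes=5)

def _at(minute, client):
    return (START + timedelta(minutes=minute), client)

SAMPLE_EVENTS = (
    [_at(m, "10.0.0.1") for m in range(0, 60, 5)]      # never silent
    + [_at(m, "10.0.0.2") for m in (0, 5, 50, 55)]     # one 8-bucket gap
    + [_at(m, "10.0.0.3") for m in (0, 20, 40)]        # 9 empty buckets, runs of 3
)

if __name__ == "__main__":
    print(longest_silent_runs(SAMPLE_EVENTS, START, END, SPAN))
    print(silent_clients(SAMPLE_EVENTS, START, END, SPAN, threshold=5))
```

Client 10.0.0.3 has more empty buckets in total than 10.0.0.2, but only the consecutive run crosses the threshold, which is why the running count has to reset.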
Hi, is it possible to fetch the account access key, which is under the license page, using the API command, instead of getting it from the controller? Regards, Mohammed Saad