All Posts

Should be possible, I think. Maybe, could you please copy and paste the dashboard's HTML here (removing / anonymizing hostnames and important details)?
>>> Actually you don't need that communication at all, you could change HF license mode to use forwarder license when it can use all HF features to forward events to the next full Splunk instances (hf, uf or indexer). It can just forward but not index anything.

Yes @isoutamo .. we thought of that idea. But the HF does some "preprocessing" (field extractions, etc.) of logs, right? So, if we use the HF just like a UF (only for forwarding the logs), then the indexer's job is the same as if we don't have the HF at all, right? (I mean, the indexer needs to do the full job of all processing of logs.)

EDIT
>>> the HF - LM communication is always one way, from HF to LM never other way.

You mean the HF will send a request to the LM asking for the license info, then it takes care of its job. There is no need of the LM requesting/sending/asking info from/to the HF? OK, simple question... between HF and LM... please update us on the ports configuration.

Thanks @isoutamo, karma points given appreciating your response. Thanks again.
Hi, I have a simple XML dashboard. I want to be able to move the Export-To-PDF button (more of an HTML button) to the bottom of the dashboard in order to print the whole dashboard. Any easy way of doing this? Thank You Everyone!
It's not confusing, it should work if configured correctly. So having changed the <condition>, what does it do when you click google? What is the config for your <option name="drilldown">XXX</option> for that table? XXX should be row
@ITWhisperer @bowesmana Thanks for the code. It didn't work in my case. Sorry if it's confusing...

I have a dashboard table like the one below. If I click a value in "Organization" or URL, it has to go to a specific URL. Example: when I click google it has to direct to the URL "https://air222.com/recxGlfW9picLnjwj" in a new tab. Or, if that doesn't work, at least if I click the URL it has to go to that URL in a new tab.

    Name     Organization    URL
    Bob      splunk          https://air222.com/6FBPUQ3Di0FC3T
    Matt     google          https://air222.com/recxGlfW9picLnjwj
    smith    facebook        https://air222.com/recRRoUIFOMxSmjRf
@alikorit - In the last month I have spent countless hours troubleshooting this with our Azure Architects, Splunk Support, Splunk CSM Engineers, Network Engineers and Azure China Engineers after we were receiving Authentication Error for the event hubs (_ssl:1106). Nothing that we did seemed to help getting this up and running, and everyone was pointing fingers back at the networking team stating this was a networking issue due to not being able to see any traffic within or to the Azure Platform. It wasn't until recently that I was able to find the python scripts below and make the modifications that we started seeing activity both ways along with events coming into our Cloud environment.

Before moving forward, make sure you have made the following changes to your firewall:

- Allowed NameSpace traffic.
- Open the ports for AMQP traffic. (5671 & 5672)
- Add the Application rule to allow AAD Traffic (https://login.partner.microsoftonline.cn)

As @tarungupta0311 mentioned, those two changes do have to be made. However, if you are also trying to attach a storage account, then you also need to change the account class type to 3 there as well. You don't necessarily have to have an account secret set up, however, I did with it being an Access Token which is secret type 1.

    [Storage Account]
    account_name = ******
    account_secret = ******
    account_secret_type = 1
    account_class_type = 3

Other python scripts that I had to modify to get it working are as follows along with the change and string line:

mscs_const.py
Added in line 111 (this was completely missing)

    CHINACLOUD_HOSTNAME = "management.chinacloudapi.cn"

mcsc_storage_service.py
edited line 236 (.net will take you nowhere when trying to resolve the DNS considering it's in China)

    from: endpoint_suffix = "core.chinacloudapi.net"
    to:   endpoint_suffix = "core.chinacloudapi.cn"

mscs_azure_event_hub.py (this was switched around, classtype 3 being Germany NOT China)
edited line 681

    from: 4: KnownAuthorities.Azure_CHINA
    to:   4: KnownAuthorities.Azure_GERMANY

edited line 682

    from: 3: KnownAuthorities.Azure_GERMANY
    to:   3: KnownAuthorities.Azure_CHINA

Once I made the last change and rebooted splunkd on the HF, data was flowing like a flood gate was opened.
Hi, basically you could install an additional individual server and add your current license to it (don't remove it from your current LM). Then update that individual single server and check if your current license is valid or not. Then just order a new license for the new version, if needed, from Splunk support. Usually those old ones have worked without issues with new versions, but this is how you could ensure it. r. Ismo
Hi, all Splunk instances should accept nullQueue. But you must define this parameter/transformation on the first full Splunk instance from UF/data source to indexers. It could be HF or indexer. r. Ismo
Hi, if you are not storing anything on local disk/indexer then it's not counted towards your license usage. Based on your scenario, if I understand right, you are forwarding all events to the next host (indexers): then it's not counted on your license on HF level. r. Ismo
Hi, as @gcusello said, it's better to take Splunk PS or your local Splunk partner to figure out this case with all those details which you can't share here. But basically this is doable when latency is low enough between those sites (should be) and you are using multi site clustering. Of course you can't use SmartStore with this configuration. From a business point of view this is actually the preferred installation, as then you are not dependent on one cloud provider! r. Ismo
Hi, if you have normal SHs without any additional components like MC then your steps should be enough. But if you have e.g. MC configured in distributed mode with those individual nodes (you shouldn't) then you need to remove those from the distributed search list. So check your distributed search list definition and update it if needed. r. Ismo
Hi, the HF - LM communication is always one way, from HF to LM never other way. Actually you don't need that communication at all, you could change HF license mode to use forwarder license when it can use all HF features to forward events to the next full Splunk instances (hf, uf or indexer). It can just forward but not index anything. r. Ismo
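As an added illustration (not part of the post above and not the poster's own configuration), these are the two server.conf variants for the DMZ heavy forwarder discussed here, with the firewall direction each one implies. The host name lm.example.internal is a placeholder, and 8089 is Splunk's default management port, assumed unchanged.

```ini
# $SPLUNK_HOME/etc/system/local/server.conf on the heavy forwarder (HF)

# Variant A: the HF is a license peer of the license manager (LM).
# The HF opens the connection, so the only firewall rule needed for
# licensing is DMZ HF -> LM on the LM's management port.
# No rule from the LM towards the HF is required.
[license]
# Older Splunk versions name this setting master_uri.
manager_uri = https://lm.example.internal:8089

# Variant B: the HF runs on the forwarder license and does not contact
# the LM at all. It still forwards with HF features but cannot index locally.
# Use this stanza instead of Variant A, not together with it.
# [license]
# active_group = Forwarder
```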
    <drilldown>
      <condition field="Name">
        <link target="_blank">| inputlookup myfile.csv</link>
      </condition>
      <condition field="Organization">
        <link target="_blank">$row.URL|n$</link>
      </condition>
      <condition field="URL">
        <link target="_blank">$click.value2|n$</link>
      </condition>
    </drilldown>
@Naa_Win In your drilldown code do

    <condition field="Organization">
      <link target="_blank">$row.URL$</link>
    </condition>

Note that if you want to add any characters to the URL or url string that must be encoded, use $row.URL|s$ or if you want to prevent any character encoding use $row.URL|n$

If you also want to do the same if the URL field is clicked, add a new condition with the field=URL
Thank you very much!
Please refer to my first post - these are the tokens that represent the attributes of your chart for when you click on the chart. Your stats statement will NOT show the clicked values because it's an incorrect statement. What is your HTML panel and what are you seeing when you click values and what are you expecting to see. Please show the XML for your drilldown and HTML panel.
This probably means that they are defined as automatic lookups, so will always be executed if the matching conditions are true for that lookup definition, e.g. it is the correct sourcetype. The fact that it is failing could be that you don't have permissions to see some part of the lookup or that the lookup is not present and the definition is trying to refer to a non existent lookup, or that the automatic lookup definition is wrong. For example you can cause this problem by creating a field in the automatic lookup that does not exist in the lookup file and you will get this message. Do you have a Splunk sys admin - they should look at this to find out what is wrong with the automatic lookup.
@bowesmana    I'm using the stats statement to help with debugging the actions I'm doing on the UI.   I've tried adding a html panel to help better understand the various actions from the drill down.  However I'm not seeing what I'm expecting to see.     I currently have a stacked column chart.  I would like to hover or click on any of the data in the stacked chart, to get the x,y, z data.  (i.e. x = build, y = duration time, and z= name of task/column-segment)   Do you happen to know how I can capture this information, when I click on a point in the stacked column?   
You CAN actually do conditional lookup, as long as your lookup is a CSV

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/ConditionalFunctions#lookup.28.26lt.3Blookup_table.26gt.3B.2C.26lt.3Bjson_object.26gt.3B.2C.26lt.3Bjson_array.26gt.3B.29

I don't think it's very commonly used, but works well

    ... search...
    | eval output=if(field1!=field2, lookup("mylookup.csv", json_object("department", field2), json_array("output_field1","output_field2")), "{}")

You will get back a field output with a JSON representation of the output fields listed in the JSON array
Hi Splunkers...

Assumptions... The HF we want to deploy should be inside a DMZ network, the license master is outside the DMZ, and all necessary ports will be opened as required.

Now the question is: can License Master to HF have only one-way communication (info flow is only from LM to HF... not two way, in the sense... there will be no HF to LM info flow) OR does the LM to HF require two-way communication by default?

Please suggest, thanks.