All Posts


Hi @PavelP, I believe that the Splunk app menu configuration page is indecent; for this reason I made a request on Splunk Ideas, so please vote for the idea https://ideas.splunk.com/ideas/EID-I -72 . In any case, the only way to do it could be a Python script, but there would always be the problem of rights: do all users have the right to modify the menu of an app? For these reasons, I am sorry, but I believe that your request cannot be satisfied. Ciao. Giuseppe
I want to allow the user to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (html + js) that changes the app's navigation menu bar (nav/default.xml)?
from:
    <nav>
      <view name="summary"/>
      <collection label="NEW">
        <view name="summary_new"/>
      </collection>
    </nav>
to:
    <nav>
      <view name="summary_new"/>
      <collection label="OLD">
        <view name="summary"/>
      </collection>
    </nav>
Currently the user must use the UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).
@TNV20 - If you are using Splunklib (Splunk-SDK-Python) then you could do it with Option. https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.2/searchcommands.html
    from splunklib.searchcommands.decorators import Option

    # Declares the required "file1" option of the custom search command
    file1 = Option(
        doc='''
        **Syntax:** **file=***<file1>*
        **Description:** Name of the first file''',
        require=True)
And you can use it like:
    | compare file1="file1.csv" file2="file2.csv"
I hope this helps!!!
Hi @Praz_123, it isn't so easy to create a dashboard, because you must use JavaScript. I created a dashboard similar to your requirement, but to select and modify only one row, not all the table. And anyway my dashboard isn't so easy to use as Lookup Editor. Ciao. Giuseppe
Hi @Splunk235, yes, you can test your regex and it runs. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
This query extracts all keys in the JSON after the Properties.Activity column. In the results, the first column is Properties.Activity and the rest are all extracted from the JSON. Is it possible to get the table data in the below-mentioned columns? If so, can you help to complete it for only these 4 columns: "ActivityType, ClientId, Source, Properties.Activity"
Hi @splunkguy, follow these steps:
- make a copy of the Apps to migrate from the old SH to the SHC,
- install and configure the SH Cluster,
- copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
- Deploy them using the command
    splunk apply shcluster-bundle -target URI:management_port -auth username:password
You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges
Ciao. Giuseppe
response from support / development: (last week) and now testing, worked and looks good so far
temporary workaround:
--- sendmail.py ---
Do you have a test instance to check the one parameter? We got an update from the developer team, to check the below parameter, open the file SPLUNK_HOME/etc/apps/search/bin/sendemail.py and you would find (approx line number 1571):
    clear_password = cli_common.decrypt(encrypted_password, setEnv=True)
The setEnv flag needs to be modified from True to False, restart Splunk, and then check if the problem is resolved.
Note: Try with your test instance. As the setEnv flag needs to be modified from True to False will be considered a temporary workaround for this issue. In the next release version 9.1.2, It will be fixed completely.
--- icon ---
Additionally, the "loading" icon got stuck issue also will be fixed in version 9.1.2.
regards AP @wskinner @isoutamo
How do I migrate Dashboards and alerts from older standalone search head to new standalone search 
Wow, that's very useful information. Thanks for explaining @yuanliu. It's working perfectly!!!
Hi all, I am trying to develop a custom Python script and I want to pass parameters from Search to my script. Could I do it? For example, my script name is compare (already registered on the search head), and it needs 2 parameters to work, like:
    | makeresults a=1 | compare file1.csv file2.csv
(file1.csv and file2.csv are the parameters). Thanks so much.
I'm also a beginner. Please speak to me like I know very little.  Because that's where I'm at. But I think it's an error with either the certificate/the certificate chain or in decrypting it
I'm in General Settings. I enabled SSL (HTTPS) in Splunk Web. I restarted Splunk. It reads "Unable to connect". "Warning: Potential Security Risk Ahead", because it is a self-signed certificate. I pressed the "Go Back (Recommended)" button when I should have pressed "Advanced" and continued. Now all I get is a window that reads "Unable to Connect". The "Warning: Potential Security Risk Ahead" window is no longer available. I can't press "Advanced" and continue. What do I do? I can't access Splunk. "The connection was reset", it says.
So, is it safe to assume that if no new data is ingested into this index the data should be gone by tomorrow (the same time I changed the config)?   Thanks again
Probably because there are also events (at least one) in that bucket that are younger.
I am so confused as to why there are still buckets with data in which the endEpochTime is older than the "Searchable Retention"  Thanks again  
Hi, thank you for replying back.
Settings:
- SmartStore: No
- Indexer clustering: No
- SF/RF Settings Splunk: SF=2, RF=3
- Volume settings: Default settings
- Splunk Cloud: Yes
Unfortunately, I am unable to run the "btool". However, I am able to run the following rest API query to gather the info from specific parameters for the mentioned index:
    | rest /services/data/indexes
    | join type=outer title [ | rest splunk_server=n00bserver /services/data/indexes-extended ]
    | search title=*
    | eval retentionInDays=frozenTimePeriodInSecs/86400
    | table *
What should be the parameters to look for? Thanks again.
There is so much "depends" here that we could open a nursing home.  Are you using SmartStore?  Are you using indexer clustering?  What are your SF/RF settings?  Are you using Volume settings for your indexers?  Are you Splunk Cloud?  What is the "btool" output for your indexes.conf from one of your indexers?
@woodcock 
gcusello Any guidance?