All Posts

Hello all, I am trying to understand the type of the fields command. Documentation says it is "distributable streaming", which means it can be run on the indexer, which improves processing time. If I use the fields command to specify fields which are extracted on the search head (using field discovery, for example), how can it still be considered distributable streaming? If I am not mistaken, field extraction on the indexers is possible using the rex command or with indexed fields. Thank you in advance!
One way you could do this is by appending the color code to the values of AverageExecutionTime (making it a multi-value field), then referencing that color code value in the colorPalette expression, then throwing in some CSS to hide the color code in the multi-value field:

```xml
<row>
  <panel>
    <html depends="$hidecsspanel$">
      <style>
        #ColoredTable table tbody td div.multivalue-subcell[data-mv-index="1"]{
          display: none;
        }
      </style>
    </html>
    <title>TEST XRT Execution Dashboard</title>
    <table id="ColoredTable">
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 0)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode
| search $ScriptName$ $ObjectID$
| sort - AverageExecutionTime
| eval AverageExecutionTime = mvappend(AverageExecutionTime,colorCode)
| fields - colorCode</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">mvindex(value,1)</colorPalette>
      </format>
    </table>
  </panel>
</row>
```
Thanks for posting, livehybrid. The rex did not work. Karma points to you for giving it a go.
Technically, yes, but everything is a little re-arranged in the code.  My tabs and items tags are at the very bottom of the page.   I'll see if I can line it up to match what you have here and see if it works. 
I see that serverName already has the default value $HOSTNAME (the server.conf docs mention it), so that means I can just delete the key-value pair, right?
In our environment, we have kept the modular input on the DS under deployment apps and pushed it to the HF using a serverclass. Is this the issue? Do modular inputs need to be installed directly on the HF rather than pushed from the DS?
Thank you very much! I think I've got it working as intended now!
Okay @Na_Kang_Lim

So the manual approach is to update $SPLUNK_HOME/etc/instance.cfg and replace the guid = <oldGuid> with a new random GUID. Then update $SPLUNK_HOME/etc/system/local/server.conf and change the serverName under the [general] stanza.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Thank you for your detailed automation solution! Then what about the manual solution? If I were to write a guide for the owners of the server, what do I need them to do, and what do I have to do too? And yes, I am having both a duplicate Instance GUID and a duplicate Instance Name! The hostname, of course, is not the same; I believe it takes the Computer Name of the host, but the Instance GUID and Instance Name do duplicate!
Hello, I'm having a problem with the colouring of a column in my table. I need to colour the AverageExecutionTime column according to the value of Treshold. If AverageExecutionTime > Treshold then the AverageExecutionTime column is coloured red. If AverageExecutionTime < Treshold then the AverageExecutionTime column is coloured green. I've tried lots of things but it doesn't work, the condition isn't respected, and AverageExecutionTime is always coloured green. The first line should be in red.

```xml
<row>
  <panel>
    <title>XRT Execution Dashboard</title>
    <table>
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 3)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName
| search $ScriptName$ $ObjectID$ $TemplateName$
| sort - AverageExecutionTime</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <!--format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">
          <mapping field="AverageExecutionTime">
            if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
          </mapping>
        </colorPalette>
      </format-->
      <!-- Conditional colouring -->
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="Color">
        <colorPalette type="map">{"High":"#D94E17", "Low":"#55C169"}</colorPalette>
      </format>
      <drilldown>
        <condition field="ScriptName">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc31_details?ScriptName=$row.ScriptName$&amp;Script_Execution_Details=true&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>
<row>
  <panel>
    <title>TEST XRT Execution Dashboard</title>
    <table>
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 0)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode
| search $ScriptName$ $ObjectID$
| sort - AverageExecutionTime</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">if(AverageExecutionTime &gt; Treshold,"#D94E17", "#55C169")</colorPalette>
      </format>
    </table>
  </panel>
</row>
```
Hi @DaClyde

It's worth viewing the dashboard source and looking for the "layout" section. Do you have a "layoutDefinitions" with "layout_1" and then a "type" containing a value? Similar to this?

```json
"layout": {
  "tabs": {
    "items": [
      {
        "layoutId": "layout_1",
        "label": "New tab"
      }
    ]
  },
  "layoutDefinitions": {
    "layout_1": {
      "type": "absolute",
      "options": {
        "height": 1185,
        "display": "auto-scale",
        "backgroundColor": "#C8DAE0"
      },
      "structure": [
        {
          ...
```

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Unfortunately, we had some issues with a recent Splunk upgrade to 9.4.1 and had to roll back to 9.3.2. However, I had just built a dashboard in Studio 9.4.1 with some drilldown, but after the rollback, now I just get this helpful message: "Layout undefined is not defined". Any ideas what was added to Studio in 9.4.x that wouldn't be compatible with 9.3.x? The only part of the dashboard that is loading is the time picker. If I view the source, everything is still there.
Excellent, let us know how you get on.

Will
You could start with something like this and narrow down as required:

index=_internal host=<YourServerName> log_level=Error

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
In addition to my previous message, I've realised that all the servers might have the same serverName in $SPLUNK_HOME/etc/system/local/server.conf. Is that the case too?

```
[general]
serverName = <YourServerName>
```

This also cannot be overwritten with an app config because it's in the system/local directory, so if you want to update this then you would need to do something similar to the regenerate_guid script I posted. Reminder: that script is less than ideal, so proceed with caution.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Please check my splunkd.log.
Hi @Na_Kang_Lim

You're right in that the GUID is set in $SPLUNK_HOME/etc/instance.cfg, such as:

```
[general]
guid = 5e7f7ee5-ab7b-4e90-8f9e-b2cf1f86e6f3
```

Unfortunately the DS isn't designed to write to this location, as you would typically distribute apps from it. Depending how confident you are feeling, it would be possible to write a script which you could deploy to all the clients using your DS which would write a new GUID to that file; once applied, you can then remove the app. Below I'll include snippets of an app I've used previously for this problem. Disclaimer: it's generally not advised to do this sort of thing, use extreme caution.

1. Create an app on your deployment server, something like "regenerate_guid".

2. Create a bin directory within the app and create the following file called regenerate_guid.py:

```python
import uuid
import os
import configparser

INSTANCE_CFG_PATH = "/opt/splunkforwarder/etc/instance.cfg"


def generate_guid():
    return str(uuid.uuid4())


def write_guid_to_instance_cfg(guid):
    config = configparser.ConfigParser()
    try:
        config['general'] = {'guid': guid}
        # Always write the GUID, overwriting any previous value
        with open(INSTANCE_CFG_PATH, "w") as f:
            config.write(f)
        print(f"Successfully wrote new GUID to {INSTANCE_CFG_PATH}")
    except Exception as e:
        print(f"Error writing to {INSTANCE_CFG_PATH}: {e}")


def main():
    new_guid = generate_guid()
    write_guid_to_instance_cfg(new_guid)
    print("Regenerated and overwrote GUID.")


if __name__ == "__main__":
    main()
```

3. Create inputs.conf: create an inputs.conf file in the default/ directory of your app:

```
[script://./bin/regenerate_guid.py]
# Run once a day (86400) but in reality the app should be removed after actioned!
interval = 86400
source = regenerate_guid
sourcetype = regenerate_guid
index = main
disabled = 0
```

- [script://./bin/regenerate_guid.py]: This defines a script input that runs the Python script. The path is relative to the app's directory structure.
- interval: How often the script should run (in seconds). We only want it to run once, so I've set this to 1 day; remove the app once it has run.
- source/sourcetype/index: Not really useful, as we don't want the data it outputs, but typical for a modular input.
- disabled = 0: Enables the input.

4. Create default/app.conf:

```
[install]
state = enabled

[launcher]
author = Your Name
description = DANGEROUS APP: Periodically checks and regenerates the Splunk Instance GUID if it's missing. USE WITH EXTREME CAUTION! REQUIRES inputs.conf for proper deployment.
version = 1.1.0

[package]
id = regenerate_guid
```

Workflow:
- The Deployment Server deploys the regenerate_guid app to the forwarder; configure the DS so the app causes a restart.
- The input should run straight away once installed and then every 24 hrs; check the _internal index to confirm it has run.
- Uninstall the app by removing the app or the client(s) from the serverclass/DS.

Important Considerations (Reiterated!)
- This approach is still potentially dangerous if mishandled!
- The script runs periodically. This means it will reset the GUID every 24 hours. Make sure you remove it once it has run.
- Permissions are critical. If the Splunk user does not have write access to instance.cfg, the script will fail.
- Testing is essential! Test in a non-production environment before deploying it to production, or at least deploy to a single host you can directly access to validate etc.
- Monitor the logs! Monitor the splunkd.log file on the forwarders to ensure the script is running correctly.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
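Added example, not from the thread and not Splunk's own code: an idempotent variant of the same identity fix. The script above rewrites instance.cfg wholesale and resets the GUID on every 24-hour run; this version changes only the one key, keeps every other stanza and key in the file, replaces the file atomically, and regenerates only while the current GUID still equals the cloned image's value, so a second run (or an app that was forgotten in the serverclass) is a no-op. It applies the same "only if still cloned" check to serverName in system/local/server.conf, the second duplicate raised later in this thread. The cloned GUID is the one quoted above; the cloned serverName "golden-image-fwd", the host name "fwd-01" and the temporary file paths in demo() are constructed for the example. As with the original approach, splunkd still needs a restart after a change before the new identity is used.

```python
"""Idempotent fix for a cloned Splunk forwarder identity (added example).

Assumptions (not from the thread): the GUID and serverName baked into the
cloned image are known and passed in; file paths are parameters so the logic
can be exercised offline against constructed sample files.
"""
import configparser
import os
import re
import shutil
import socket
import tempfile
import uuid

# RFC 4122 text form, the shape Splunk writes into instance.cfg
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def _load(path):
    # interpolation=None: a '%' in a value must not be expanded.
    # optionxform=str: keep key case exactly as Splunk wrote it (serverName).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read(path)
    return cp


def read_key(path, section, key):
    return _load(path).get(section, key, fallback=None)


def set_key(path, section, key, value):
    """Change one key, keep every other stanza and key, replace the file atomically.
    Caveat: configparser drops '#' comment lines when it rewrites the file."""
    cp = _load(path)
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, key, value)
    target_dir = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=target_dir, prefix=".splunkcfg-")
    try:
        with os.fdopen(fd, "w") as f:
            cp.write(f)
        if os.path.exists(path):
            shutil.copymode(path, tmp)  # keep the Splunk user's original mode bits
        os.replace(tmp, path)           # rename is atomic on POSIX
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def regenerate_guid_if_cloned(instance_cfg, cloned_guid):
    """Replace [general] guid only while it still equals the cloned value.
    Returns (changed, guid_now); a second run on the same host is a no-op."""
    if not GUID_RE.match(cloned_guid):
        raise ValueError("cloned_guid is not a GUID: %r" % cloned_guid)
    current = read_key(instance_cfg, "general", "guid")
    if current is None or current.lower() != cloned_guid.lower():
        return False, current
    new_guid = str(uuid.uuid4())  # os.urandom-backed, 122 random bits
    set_key(instance_cfg, "general", "guid", new_guid)
    return True, new_guid


def fix_server_name_if_cloned(server_conf, cloned_name, host_name=None):
    """Set [general] serverName to the real host name only while it still
    carries the cloned value. Returns (changed, serverName_now)."""
    host_name = host_name or socket.gethostname().split(".")[0]
    current = read_key(server_conf, "general", "serverName")
    if current != cloned_name:
        return False, current
    set_key(server_conf, "general", "serverName", host_name)
    return True, host_name


CLONED_GUID = "5e7f7ee5-ab7b-4e90-8f9e-b2cf1f86e6f3"  # value quoted in the thread
CLONED_NAME = "golden-image-fwd"                       # constructed placeholder


def demo():
    """Run both fixes twice against constructed files; returns what was observed."""
    work = tempfile.mkdtemp(prefix="splunk-id-")
    inst = os.path.join(work, "instance.cfg")
    srv = os.path.join(work, "server.conf")
    with open(inst, "w") as f:  # constructed sample, shape of a real instance.cfg
        f.write("[general]\nguid = %s\n" % CLONED_GUID)
    with open(srv, "w") as f:   # constructed sample with extra keys that must survive
        f.write("[general]\nserverName = %s\npass4SymmKey = $7$abc\n\n"
                "[sslConfig]\nsslPassword = $7$def\n" % CLONED_NAME)
    first = regenerate_guid_if_cloned(inst, CLONED_GUID)
    second = regenerate_guid_if_cloned(inst, CLONED_GUID)
    name_first = fix_server_name_if_cloned(srv, CLONED_NAME, "fwd-01")
    name_second = fix_server_name_if_cloned(srv, CLONED_NAME, "fwd-01")
    out = {
        "guid_changed": first[0], "new_guid": first[1],
        "rerun_changed": second[0], "guid_after_rerun": second[1],
        "name_changed": name_first[0], "name": name_first[1],
        "name_rerun_changed": name_second[0],
        "sslPassword_kept": read_key(srv, "sslConfig", "sslPassword"),
        "pass4SymmKey_kept": read_key(srv, "general", "pass4SymmKey"),
    }
    shutil.rmtree(work)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %s" % (k, v))
```

On a real forwarder you would call regenerate_guid_if_cloned("/opt/splunkforwarder/etc/instance.cfg", CLONED_GUID) and fix_server_name_if_cloned("/opt/splunkforwarder/etc/system/local/server.conf", CLONED_NAME) from the scripted input instead of demo(); because both functions stop once the cloned value is gone, leaving the input scheduled no longer rewrites the identity on every interval.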
@RCavazana2023 can you please help on this ticket - https://community.splunk.com/t5/Getting-Data-In/Akamai-data-input-throwing-error/m-p/742944#M118031
Java already installed on splunk instance.
Hi @Karthikeya

Please check your splunkd.log in $SPLUNK_HOME/var/log/splunk/splunkd.log for any other errors around the ModularInputs component. Do you have other errors relating to this TA-Akamai_SIEM? Alternatively, try the following search:

index=_internal component=ModularInputs log_level=Error

Do you see anything like "script running failed (PID 51184 exited with code 127)"? Have you set up Java? This is required for the app to work; not having the correct Java setup can cause the endpoint to initialise and thus you will get error messages. For more info on installation check out https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will