Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts
Sample events are attached.           
Hey Will, still the exact same error. Do you have a list or checklist of things I should check? Any suggestions on which version of the driver I should try? Thanks, Tanvi
Hi @yigaloz, what helped me identify errors in the configuration of this add-on was enabling debug logging by editing the file $SPLUNK_HOME/etc/apps/TA-oci-logging-addon/bin/oci_logging.py, changing the string ERROR to DEBUG on line 42. Then restart Splunk. You can check the logs using the query:
index=_internal source=*oci_logging.log
Another possibility would be to install a previous version of the add-on, which might work.
Hey @vh, quite strange behavior. Here I'm using version 1.0.23 of the add-on and 9.2.4 of Splunk Enterprise. You could try installing an earlier version of the add-on; it might work. On Splunkbase, the last version that supports only Splunk Enterprise is 1.0.24, so that's a good version to try. As a last resort, you could have only the heavy forwarder running version 9.2.3 of Splunk with the add-on installed. It would work, but it's not ideal. Let me know if it works.
Wow, I hope that is not the case, because that endpoint returns "eai:data", which is the contents of the dashboard. This could contain sensitive information that shouldn't be exposed to people who don't have access to it. I'll go away and double check, but this would be a big security issue for a number of my customers if that is the case! I'm fairly certain it only returns dashboards you have access to, but I will go away and verify!
When you have this kind of (big) environment with several serverclasses etc., you should use only conf files with git to manage that environment! That way your DS wouldn't do anything other than what you tell it to do. PLA1310C_Splunk .conf24 Interactive Workshop is something you should read.
You shouldn't ever write the admin password in clear text in any file (like cron) on any system. You have lost your Splunk installation(s)' security that way!
When you have access to use REST, you will also get some other information as output than you could really access with the GUI (I haven't tested it currently). For that reason you also see other dashboards there by name even if you don't have access to those. For that reason you must expand all roles which this user has and also check that the user has access to the apps where those dashboards are. I can test this later on in my lab, but it takes some days before I have time for it.
Hi, as you have the Cluster Manager as your LM too, this serverName is actually your CM's name, not only your LM's name. I assume that you are also using e.g. indexer discovery and other stuff in your environment? I suppose that when you have changed that serverName, then all those entities which are connected to your CM could have some issues, as the serverName they are expecting no longer exists. It's hard to say what all those are without a deeper look into your environment. r. Ismo
@isoutamo Surely using the REST call
| rest splunk_server=local /servicesNS/-/-/data/ui/views
will only return views which the user is able to access, otherwise they wouldn't be returned from the API call? The only thing they need to do is exclude themselves from eai:acl.owner if they don't want to see the ones they own:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| search NOT [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as eai:acl.owner]
| table label eai:acl.owner
Or just remove the user context entirely to see all views they have access to:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table App Dashboard
Unless I have the wrong end of the stick here?! @tkwaller1
@kiran_panchavat Re setting the sender field, The doc you have linked to states: This value is set by your Splunk Cloud Platform implementation and cannot be changed. Entering a value in this field has no effect.  
Hi @Alan_Chan
The short answer is no. It is not possible to change the sender address of emails in Splunk Cloud using native functionality.
Regarding the "Send email as" setting in Server Settings -> Email Settings, the docs state: "This value is set by your Splunk Cloud Platform implementation and cannot be changed. Entering a value in this field has no effect."
https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Steps_for_Splunk_Cloud_Platform:~:text=This%20value%20is%20set%20by%20your%20Splunk%20Cloud%20Platform%20implementation%20and%20cannot%20be%20changed.%20Entering%20a%20value%20in%20this%20field%20has%20no%20effect.
Even if you could change this, the emails are sent from Splunk's email provider and would not match the anti-spam configuration of your own domain, so mail relays would likely block them anyway.
Depending on the type of emails you wanted to send (e.g. alerts rather than PDF reports), you could look at other options like using AWS SNS or something like an Office 365 / Azure alert action to send using your O365 creds. However, I believe outbound SMTP from Splunk Cloud is blocked, so you would need to use something with an API call, and you could not substitute this for all email sending actions from Splunk Cloud.
Sorry it wasn't the answer you were looking for, but hopefully this helps you avoid going down other rabbit-holes! Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
Do you have any sample events which you can share with us? If yes, then anonymise those if/as needed.
Shortly, you must:
1. Expand all roles which that user has. Don't forget to also expand inherited roles.
2. Look in which apps the user has read access by any of his/her roles.
3. Look which views under those apps have read access for any of the roles that apply to that user (e.g. eai:acl.perms.read = admin, sc_admin).
I think that you could find some answers which give SPL for item 1. But I haven't looked at/done 2 and 3. So maybe you can find those or not? r. Ismo
Hi @tkwaller1
Just a small tweak to the SPL you already have, to use search NOT (current-context) and rename username to eai:acl.owner instead of user. This would filter out all the ones which the current user owns.
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| search NOT [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as eai:acl.owner]
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table Dashboard eai:acl.owner
If you just want to see all views which the user can access, then this will be any which are returned from the REST call:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table App Dashboard eai:acl.owner
Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
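The two answers above disagree on whether the REST endpoint already filters by access, and Ismo's three steps (expand roles including inherited ones, check app read access, check each view's read ACL) describe how to work it out by hand. The following is an added worked example, not code from this thread or from Splunk, that evaluates those three steps offline against records shaped like the /servicesNS/-/-/data/ui/views output (eai:acl.app, eai:acl.owner, eai:acl.sharing, eai:acl.perms.read are the endpoint's field names; the role graph, app ACLs and view records are constructed sample data). The rule that a privately shared view (sharing=user) is readable only by its owner, and the app-level read check, are assumptions about how Splunk evaluates ACLs, not something the thread states; the admin_all_objects capability is not modelled.

```python
"""Added example: which views can a user read, given roles, app ACLs and view ACLs."""
from typing import Dict, Iterable, List, Set

# Constructed: role -> roles it imports (authorize.conf importRoles).
ROLES: Dict[str, List[str]] = {
    "user": [],
    "power": ["user"],
    "admin": ["power"],
    "finance_analyst": ["user"],
}

# Constructed: app -> roles allowed to read the app ('*' = everyone).
APP_READ: Dict[str, List[str]] = {
    "search": ["*"],
    "finance": ["finance_analyst", "admin"],
}

# Constructed records using the field names the REST endpoint returns.
VIEWS: List[dict] = [
    {"title": "overview", "eai:acl.app": "search", "eai:acl.owner": "nobody",
     "eai:acl.sharing": "global", "eai:acl.perms.read": ["*"]},
    {"title": "my_private", "eai:acl.app": "search", "eai:acl.owner": "alice",
     "eai:acl.sharing": "user", "eai:acl.perms.read": []},
    {"title": "ledger", "eai:acl.app": "finance", "eai:acl.owner": "bob",
     "eai:acl.sharing": "app", "eai:acl.perms.read": ["finance_analyst"]},
    {"title": "payroll", "eai:acl.app": "finance", "eai:acl.owner": "nobody",
     "eai:acl.sharing": "app", "eai:acl.perms.read": ["admin"]},
]


def expand_roles(assigned: Iterable[str], roles: Dict[str, List[str]] = ROLES) -> Set[str]:
    """Step 1: the user's effective roles, following imports transitively."""
    effective: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue
        effective.add(role)
        stack.extend(roles.get(role, []))
    return effective


def _allowed(acl_roles: Iterable[str], effective: Set[str]) -> bool:
    """True if the ACL names '*' or any of the user's effective roles."""
    acl = set(acl_roles)
    return "*" in acl or bool(acl & effective)


def can_read(username: str, assigned: Iterable[str], view: dict) -> bool:
    effective = expand_roles(assigned)
    # Assumption: a privately shared view (sharing=user) is readable by its owner only.
    if view["eai:acl.sharing"] == "user":
        return view["eai:acl.owner"] == username
    # Step 2: the user must be able to read the app the view lives in.
    if not _allowed(APP_READ.get(view["eai:acl.app"], []), effective):
        return False
    # Step 3: the view's own read ACL must name one of the user's roles (or '*').
    return _allowed(view["eai:acl.perms.read"], effective)


def readable_views(username: str, assigned: List[str], views: List[dict] = VIEWS) -> List[str]:
    """Titles of all views the user can read, sorted."""
    return sorted(v["title"] for v in views if can_read(username, assigned, v))


def readable_not_owned(username: str, assigned: List[str], views: List[dict] = VIEWS) -> List[str]:
    """Same list minus the views the user owns (the 'NOT current-context' filter above)."""
    return sorted(v["title"] for v in views
                  if can_read(username, assigned, v) and v["eai:acl.owner"] != username)


if __name__ == "__main__":
    for user, roles in (("alice", ["user"]), ("bob", ["finance_analyst"]), ("carol", ["admin"])):
        print(user, readable_views(user, roles), readable_not_owned(user, roles))
```

The point of keeping the three checks separate is that a role named in a view's eai:acl.perms.read is not enough on its own: if the user's roles cannot read the app, the view stays hidden, which is exactly the case Ismo's step 2 is there to catch.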
Hi @KJ10
Thanks for your response. Ultimately it's going to be hard to identify the best approach to this without having the code, but I would suggest determining how it's currently written and then checking out the best practices for the approach taken. Typically there are 3 ways to create a Splunk app:
- Splunk Add-on Builder
- UCC Framework (my preference)
- Custom Python
I'd start by looking at the common code between the 5 existing modules and find where you can put a loop over the different endpoints (presumably?) that you need to query, so that you combine the inputs. Be sure to update the source/sourcetype accordingly for each of the iterations so that your data doesn't end up in one big source/sourcetype that is hard to separate into the 5 types.
If you're able to share the code on here (anonymised if required) then I might be able to tailor the help, but please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
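As an added illustration of the loop Will describes (this is not code from the thread or from any add-on), the following polls a set of endpoints from one input and tags each batch with its own source and sourcetype. The endpoint table, the fetch() stand-in and the ListWriter are constructed; a real add-on would replace fetch() with its HTTP client and the writer with the framework's event writer. The extra thing it shows is isolating one endpoint's failure so the other four still get collected, and reporting that failure instead of swallowing it.

```python
"""Added example: one input, several endpoints, one sourcetype per endpoint."""
import json
from typing import Callable, Dict, List, Tuple

# Constructed: endpoint name -> sourcetype. One sourcetype per endpoint keeps the
# data types separable at search time instead of landing in one big sourcetype.
ENDPOINTS: Dict[str, str] = {
    "users": "vendor:api:users",
    "alerts": "vendor:api:alerts",
    "audit": "vendor:api:audit",
}


class ListWriter:
    """Stand-in for an event writer; records (source, sourcetype, data) tuples."""

    def __init__(self) -> None:
        self.events: List[Tuple[str, str, str]] = []

    def write_event(self, source: str, sourcetype: str, data: str) -> None:
        self.events.append((source, sourcetype, data))


def collect(fetch: Callable[[str], List[dict]], writer: ListWriter,
            base_url: str = "https://api.example.invalid",
            endpoints: Dict[str, str] = ENDPOINTS) -> Dict[str, str]:
    """Poll every endpoint once. Returns {endpoint: error} for endpoints that failed;
    a failure on one endpoint does not stop collection from the others."""
    errors: Dict[str, str] = {}
    for name, sourcetype in endpoints.items():
        source = f"{base_url}/{name}"  # source identifies where the batch came from
        try:
            records = fetch(name)
        except Exception as exc:  # network/HTTP failure for this endpoint only
            errors[name] = str(exc)
            continue
        for rec in records:
            writer.write_event(source, sourcetype, json.dumps(rec, sort_keys=True))
    return errors


def fake_fetch(name: str) -> List[dict]:
    """Constructed stand-in for the HTTP client: 'audit' simulates an outage."""
    sample = {
        "users": [{"id": 1, "name": "alice"}],
        "alerts": [{"id": 9, "sev": "high"}, {"id": 10, "sev": "low"}],
    }
    if name == "audit":
        raise RuntimeError("HTTP 503")
    return sample[name]


if __name__ == "__main__":
    w = ListWriter()
    failed = collect(fake_fetch, w)
    for ev in w.events:
        print(ev)
    print("failed endpoints:", failed)
```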
Hi. The reason why this isn't working is that Splunk doesn't manage that volume, as you don't have any hot/warm or cold index spaces there. When you have moved buckets into the frozen state, Splunk doesn't count those at all. The only thing it looks at with those is whether your cold-to-frozen script returns zero when Splunk calls it. If it's not zero, then it doesn't remove that bucket from the cold volume. If you want to look at other spaces/volumes/fs mountpoints you must use e.g. Splunk Add-on for Unix and Linux | Splunkbase or other inputs which just run df for that. r. Ismo
@RSS_STT wrote: split function proving error.
I'm not sure what to make of that, but I take it you get an (undescribed) error with the code I provided. I found a missing argument, so please try the revised SPL.
Simple search, but I'm having issues nailing down what I want to see. This search returns all the views the logged-in user owns:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename author as user
| search [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as user]
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table Dashboard
I would like to have it show all the views the logged-in user has access to instead, not just the ones that are owned. Thanks for the help.
HI Team, can someone please help me find how we can fetch the status of the application A1, which has 5 jobs (Job1, Job2, Job3, Job4, Job5) running every day.
Status of Application: this needs to be derived from the query attached below:
Planned: if the current time is less than the expected time of JOB1.
OK-Running: if the current time is between the expected time of JOB1 and the expected time of JOB5, and the status of all the jobs is either OK or PLANNED.
KO-FAILED: if the current time is between the expected time of JOB1 and the expected time of JOB5, and the status of any one of the jobs is KO.
Query used today to fetch the status of each job in the application:
index=ABC (TERM(JOB1) OR TERM(JOB4) OR TERM(JOB2) OR TERM(JOB3) OR TERM(JOB5) OR TERM(JOB6) OR TERM(JOB7)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT as Date_of_reception
| stats max(Date_of_reception) as Date_of_reception max(ENDED_TIME) as ENDED_TIME max(STARTED_TIME) as STARTED_TIME max(ABEND_TIME) as ABEND_TIME by JOBNAME
| inputlookup append=t ESES_Job_MIFID_PPE.csv
| stats values(*) as * by JOBNAME
| eval DAY_OF_WEEK = strftime(strptime(Date_of_reception, "%d/%m/%Y"), "%A"),
    today = strftime(1743030000, "%Y-%m-%d"),
    TO_DAY = strftime(strptime(today, "%Y-%m-%d"), "%A"),
    Diff = ENDED_TIME - STARTED_TIME
| rename STARTED_TIME as START_TIME1, ENDED_TIME as END_TIME1, ABEND_TIME as ABEND_TIME1
| eval diff_time = tostring(Diff, "duration"),
    diff_time_1 = substr(diff_time, 1, 8),
    START_TIME = Date_of_reception." ".strftime(START_TIME1, "%H:%M:%S"),
    END_TIME = Date_of_reception." ".strftime(END_TIME1, "%H:%M:%S"),
    END_TIME2 = strftime(END_TIME1, "%H:%M:%S"),
    ABEND_TIME = Date_of_reception." ".strftime(ABEND_TIME1, "%H:%M:%S"),
    ABEND_TIME2 = strftime(ABEND_TIME1, "%H:%M:%S"),
    EXPECTED_TIME = exp_time,
    DEADLINE_TIME = high_dl2
    ```EXPECTED_TIME_run = Date_of_reception." ".EXPECTED_TIME,
    EXPECTED_TIME_run = strptime(EXPECTED_TIME_run, "%d/%m/%Y %H:%M:%S"),
    TimeDiff = EXPECTED_TIME_run - now(),
    EXP_TIME_norun = if(TO_DAY = "Friday", exp_time2, exp_time1),
    EXPECTED_TIME_norun = today." ".EXP_TIME_norun,
    EXPECTED_TIME_norun = strptime(EXPECTED_TIME_norun, "%Y-%m-%d %H:%M:%S"),
    TimeDiff_norun = EXPECTED_TIME_norun - now(),
    Time_Diff = now() - strptime(START_TIME, "%d/%m/%Y %H:%M:%S")```
| eval STATUS = if(isnotnull(END_TIME2) AND (END_TIME2 <= ABEND_TIME2), "ABEND",
    if(isnotnull(END_TIME2) AND (END_TIME2 <= DEADLINE_TIME), "OK",
    if(isnotnull(END_TIME2) AND (END_TIME2 > DEADLINE_TIME), "BREACHED",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND (TimeDiff_norun > 300), "PLANNED",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND isnull(TimeDiff) AND (TimeDiff_norun < -600) AND (TimeDiff_norun >= -1800), "JOB NOT STARTED YET",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND isnull(TimeDiff) AND (TimeDiff_norun < -1800), "JOB DID NOT EXECUTED",
    if(isnull(END_TIME2) AND isnotnull(START_TIME1) AND (Time_Diff > 600), "FAILED",
    if(isnull(END_TIME2) AND isnotnull(START_TIME1) AND (TimeDiff <= 600), "RUNNING",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND JOBNAME IN ("$JOB3"), "OK-Interest file is received",
    if(isnull(END_TIME2) AND isnull(START_TIME1) AND JOBNAME IN ("$JOB6"), "OK-Mifid 2 file is received",
    if(isnotnull(END_TIME2) AND isnotnull(START_TIME1) AND JOBNAME IN ("$JOB3"), "KO-Interest file Not received",
    if(isnotnull(END_TIME2) AND isnotnull(START_TIME1) AND JOBNAME IN ("$JOB6"), "KO-Mifid 2 file Not received",
    "WARNING"))))))))))))
| rename diff_time_1 as EXECUTION_TIME
| sort Order
| table Application, JOBNAME, Description, EXPECTED_TIME, DEADLINE_TIME, START_TIME, END_TIME, EXECUTION_TIME, STATUS
| fillnull value="-"
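The question asks how to roll the per-job STATUS rows produced by the query up into one status for the application. The following is an added worked example, not code from the thread, that applies the three rules stated in the question (Planned before JOB1's expected time; OK-Running while all jobs are OK or PLANNED inside the JOB1..JOB5 window; KO-FAILED if any job is KO inside that window) to rows shaped like the query's output table. The job rows are constructed. Two things are assumptions because the question does not define them: which of the query's STATUS values count as KO (the failure labels from the query's own if-chain plus anything starting with "KO-"), RUNNING being treated as not-a-failure, and what to report once JOB5's expected time has passed.

```python
"""Added example: application status derived from per-job status rows."""
from datetime import datetime, time
from typing import Dict, List

# Assumption: STATUS values from the per-job query that count as KO / OK.
KO_STATUSES = {"ABEND", "BREACHED", "FAILED", "JOB DID NOT EXECUTED"}
OK_STATUSES = {"OK", "PLANNED", "RUNNING"}  # RUNNING added: a job in flight is not a failure


def is_ko(status: str) -> bool:
    return status in KO_STATUSES or status.startswith("KO-")


def is_ok(status: str) -> bool:
    return status in OK_STATUSES or status.startswith("OK-")


# Constructed rows in the shape of the query's output (Order is the sort key it uses).
JOBS: List[Dict] = [
    {"JOBNAME": "JOB1", "Order": 1, "EXPECTED_TIME": "06:00:00", "STATUS": "OK"},
    {"JOBNAME": "JOB2", "Order": 2, "EXPECTED_TIME": "06:30:00", "STATUS": "OK"},
    {"JOBNAME": "JOB3", "Order": 3, "EXPECTED_TIME": "07:00:00", "STATUS": "PLANNED"},
    {"JOBNAME": "JOB4", "Order": 4, "EXPECTED_TIME": "07:30:00", "STATUS": "PLANNED"},
    {"JOBNAME": "JOB5", "Order": 5, "EXPECTED_TIME": "08:00:00", "STATUS": "PLANNED"},
]


def application_status(jobs: List[Dict], now: datetime) -> str:
    """One status for the whole application, evaluated at `now` for that day's run."""
    ordered = sorted(jobs, key=lambda j: j["Order"])
    day = now.date()
    first_expected = datetime.combine(day, time.fromisoformat(ordered[0]["EXPECTED_TIME"]))
    last_expected = datetime.combine(day, time.fromisoformat(ordered[-1]["EXPECTED_TIME"]))
    statuses = [j["STATUS"] for j in jobs]

    # Rule 1: before the first job is even expected, the application is Planned
    # (the question states this rule without looking at job statuses, so neither do we).
    if now < first_expected:
        return "Planned"

    # Rules 2 and 3: between the first and last expected times.
    if now <= last_expected:
        if any(is_ko(s) for s in statuses):
            return "KO-FAILED"
        if all(is_ok(s) for s in statuses):
            return "OK-Running"
        return "WARNING"  # e.g. JOB NOT STARTED YET; reuses the query's own fallback label

    # Assumption for after the window: a KO still fails the application,
    # all-OK means it completed, anything else needs a look.
    if any(is_ko(s) for s in statuses):
        return "KO-FAILED"
    if all(is_ok(s) for s in statuses):
        return "OK-Completed"
    return "WARNING"


def with_status(jobs: List[Dict], jobname: str, status: str) -> List[Dict]:
    """Copy of `jobs` with one job's STATUS replaced (handy for exercising the KO rule)."""
    return [dict(j, STATUS=status) if j["JOBNAME"] == jobname else dict(j) for j in jobs]


if __name__ == "__main__":
    for hhmm in ("05:00", "06:45", "09:00"):
        at = datetime.combine(datetime(2025, 3, 27).date(), time.fromisoformat(hhmm))
        print(hhmm, application_status(JOBS, at),
              application_status(with_status(JOBS, "JOB2", "ABEND"), at))
```

In SPL the same roll-up would be a stats by Application over the per-job table (min and max of the expected time, values of STATUS) followed by one case() for the three rules; the Python version is here so the rule boundaries can be checked against concrete times before committing them to the dashboard.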