Perfect, that worked for the URL and setting the tokens. However, the search on the second dashboard (operating system), still says "Search is waiting for input..."
@ITWhisperer you're right, the correct source type is access_combined
You aren't using multi-selects, you are using dropdowns, these are different types of inputs. Anyway, that probably isn't your issue. Try encoding the tokens for use in an URL (with the |u modifier) <a target="_blank" href="/app/app/operating_system_artifacts?case_token=$case_token|u$&amp;host_name=$host_name|u$">&lt;h1&gt;Operating System Artifacts&lt;/h1&gt;</a>  
When I run this search query in Splunk Search and Reporting app my output looks like this as mentioned below.

Search query:

index="dcn_b2b_use_case_analytics" sourcetype=lime_process_monitoring

Output:

Time 3/19/25 2:32:15.000 PM
Event {
    BCD_AB_UY_01: 1
    BCD_AB_UY_02: 0
    BCD_BC_01: 1
    BCD_BC_02: 0
    BCD_CD_01: 1
    BCD_CD_02: 1
    BCD_CD_03: 0
    BCD_KPI_01: 1
    BCD_KPI_02: 1
    BCD_KPI_03: 0
    BCD_MY_01: 1
    BCD_MY_02: 1
    BCD_RMO_PZ_01: 1
    BCD_RMO_PZ_02: 1
    BCD_RMO_PZ_03: 0
    BCD_RMO_PZ_04: 0
    BCD_RSTA_01: 1
    BCD_RSTA_02: 1
    BCD_RSTA_03: 0
    BCD_SHY_01: 1
    BCD_SHY_02: 1
    BCD_UK_01: 1
    BCD_UK_02: 1
    BCD_UK_03: 1
    BCD_UK_04: 1
    BCD_UK_05: 1
    BCD_UK_06: 1
    BCD_UK_07: 1
    BCD_UK_08: 0
    BCD_UK_09: 0
    BCD_UK_10: 0
    BCD_UK_11: 0
    BCD_UK_12: 0
}
host = RSQWERTYASD04
index = dcn_b2b_use_case_analytics
source = DCNPassFolder
sourcetype = lime_process_monitoring

Please note: if a process value is 1 it means the process ran successfully, if it is 0 it means the process failed.

Now my query is I want to trigger an alert for these processes mentioned below so that when these background processes fail I get an incident in my queue in SNOW:

BCD_AB_UY_01: 0
BCD_BC_01: 0
BCD_CD_01: 0
BCD_CD_02: 0
BCD_KPI_01: 0
BCD_KPI_02: 0
BCD_MY_01: 0
BCD_MY_02: 0
BCD_RMO_PZ_01: 0
BCD_RMO_PZ_02: 0
BCD_RSTA_01: 0
BCD_RSTA_02: 0
BCD_SHY_01: 0
BCD_SHY_02: 0
BCD_UK_01: 0
BCD_UK_02: 0
BCD_UK_03: 0
BCD_UK_04: 0
BCD_UK_05: 0
BCD_UK_06: 0
BCD_UK_07: 0

This is the alert search query I designed, but when I run this alert I get multiple tickets. Instead I want a particular ticket where servicename (process name) and servername (hostname) are clearly mentioned to uniquely identify which server the process is from. Please help me write and configure the Splunk alert properly.

Search query:

index="dcn_b2b_use_case_analytics" sourcetype=lime_process_monitoring
| where BGS_AR_UY_01=0 OR BGS_BR_01=0 OR BGS_BS_01=0 OR BGS_BS_02=0 OR BGS_KAU_01=0 OR BGS_KAU_02=0 OR BGS_MX_01=0 OR BGS_MX_02=0 OR BGS_RMH_PZ_01=0 OR BGS_RMH_PZ_02=0 OR BGS_RSTO_01=0 OR BGS_RSTO_02=0 OR BGS_SHA_01=0 OR BGS_SHA_02=0 OR BGS_US_01=0 OR BGS_US_02=0 OR BGS_US_03=0 OR BGS_US_04=0 OR BGS_US_05=0 OR BGS_US_06=0 OR BGS_US_07=0
| eval metricLabel="URGENT !! Labware - < ServiceName > has been stopped in Server"
| eval metricValue="Hello Application Support team, The below service has been stopped in the server, Service name :  < ServiceName > Timestamp :  < Timestamp >   Server : <ServerName>  Please take the required action to resume the service. Thank you. Regards, Background Service Check Automation Bot"
| eval querypattern="default"
| eval assignmentgroup="PTO ABC Lab - Operatives"
| eval business_service="LIME Business Service"
| eval serviceoffering="LIME"
| eval Interface="CLMTS"
| eval urgency=2
| eval impact=1

Cron expression: * * * * *
Trigger: For each result
Trigger actions: PTIX SNOWALERT
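One way to get exactly one result per failed service and server (so that "Trigger for each result" raises one ticket per failure with both names filled in) is to pivot the wide event into one row per process and keep only the rows whose value is 0. This is an added example, not from the post above; it assumes the process fields carry the BCD_ prefix shown in the sample output (the post's alert query uses BGS_), and the message text is reworded to embed the new ServiceName, ServerName and Timestamp fields.

```spl
index="dcn_b2b_use_case_analytics" sourcetype=lime_process_monitoring
| dedup host ``` keep only the newest status event per server ```
| foreach BCD_* [ eval failed=if(tonumber('<<FIELD>>')=0, mvappend(failed, "<<FIELD>>"), failed) ]
| where isnotnull(failed) ``` drop servers where every process ran ```
| mvexpand failed ``` one row per failed process ```
| rename failed AS ServiceName, host AS ServerName
| search ServiceName IN (BCD_AB_UY_01, BCD_BC_01, BCD_CD_01, BCD_CD_02, BCD_KPI_01, BCD_KPI_02,
    BCD_MY_01, BCD_MY_02, BCD_RMO_PZ_01, BCD_RMO_PZ_02, BCD_RSTA_01, BCD_RSTA_02, BCD_SHY_01,
    BCD_SHY_02, BCD_UK_01, BCD_UK_02, BCD_UK_03, BCD_UK_04, BCD_UK_05, BCD_UK_06, BCD_UK_07)
| eval Timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval metricLabel="URGENT !! Labware - " . ServiceName . " has been stopped in Server " . ServerName
| eval metricValue="Hello Application Support team, the service " . ServiceName . " on server " . ServerName . " has been stopped at " . Timestamp . ". Please take the required action to resume the service. Regards, Background Service Check Automation Bot"
| eval querypattern="default", assignmentgroup="PTO ABC Lab - Operatives", business_service="LIME Business Service", serviceoffering="LIME", Interface="CLMTS", urgency=2, impact=1
| table ServerName ServiceName Timestamp metricLabel metricValue querypattern assignmentgroup business_service serviceoffering Interface urgency impact
```

With a cron of every minute, also enable alert throttling on ServerName and ServiceName for the expected recovery window, otherwise the same outage re-creates a ticket on every run.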
Some new features coming in future Splunk versions use PostgreSQL. Currently some of those are in beta/private preview phase, but I haven't heard that any of them are in use yet. Are you sure that you have an official version where you see PostgreSQL?
categoryId is not used in the vendor_sales sourcetype - try looking in the access_combined_wcookie sourcetype (there is no additional lookup for this information).
I did this, but it still doesn't work. When I click on the link, this is the URL that flashes:

/apps/apps/operating_system_artifacts?form.case_token=index=index_burns*&form.host_name=$host_name$

Then, immediately after, it changes to:

/apps/apps/operating_system_artifacts?form.case_token=index&form.host_name=%24host_name%24

Do you think the issue could be how the multi-select token works?
Hi @SeanO_VA, I would raise this via support, who will be able to instruct you on if/how you can safely remove postgres. However, for what it's worth, I haven't yet found a feature of 9.4.x which requires postgres to be configured/running. Is it running on your server? If it isn't running then it isn't vulnerable to the SQL injection of the referenced CVEs. It could be that future updates to Splunk require postgres for certain features, in which case I would hope that they've already updated Postgres. Fingers crossed it is updated for the next release. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
| eval AvgResponse=tostring(round(AvgAdScene,0),"duration")
Tutorial data can be found at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Systemrequirements#Download_the_tutorial_data_files
You can't set tokens like this, they should be tokens from an input. Try something like this:

<a target="_blank" href="/app/app/operating_system_artifacts?form.case_token=$case_token$&amp;form.host_name=$host_name$">&lt;h1&gt;Operating System Artifacts&lt;/h1&gt;</a>

And convert your target dashboard to a form and add a couple of hidden text inputs:

<row>
  <panel>
    <input type="text" token="case_token" depends="$alwaysHide$"></input>
    <input type="text" token="host_name" depends="$alwaysHide$"></input>
    <html encoded="1">&lt;h1&gt;Prefetch&lt;/h1&gt;</html>
  </panel>
</row>
count retail sales events for strategy games

I can't find the categoryId field by default in the search tutorial data. It has been added by a lookup file but I don't know where I can download it. Can anyone help with this? Thanks
Thank you @VatsalJagani. I took that and I'm trying to get the avg response time for each year. AvgAtScene is in seconds, so I'm trying to get that into the duration. Any suggestions there?
Hello there. After updating from 9.3.1 to 9.4.1 my KVstore stopped working. During a quick investigation I found the following errors:

2025-03-19T14:35:15.556Z I NETWORK [listener] connection accepted from 127.0.0.1:41888 #1188 (1 connection now open)
2025-03-19T14:35:15.566Z E NETWORK [conn1188] SSL peer certificate validation failed: unable to get issuer certificate
2025-03-19T14:35:15.566Z I NETWORK [conn1188] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unable to get issuer certificate. Ending connection from 127.0.0.1:41888 (connection id: 1188)

openssl s_client -connect 127.0.0.1:8191 -showcerts gives me valid certificate info. Any idea why I receive these errors? Thx
It brings me to the next dashboard, but the tokens aren't set.
Here is the initial dashboard:

<form version="1.1" theme="dark">
  <label>Case Overview</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="case_token" searchWhenChanged="true">
      <label>Case Selector</label>
      <prefix>index=virtuoso_</prefix>
      <suffix>*</suffix>
      <fieldForLabel>case</fieldForLabel>
      <fieldForValue>case</fieldForValue>
      <search>
        <query>| tstats count where index=index_* by index | rex field=index "\_(?&lt;case&gt;.*?)\_" | dedup case | table case</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="time" token="global_time">
      <label>Global Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="dropdown" token="host_token" searchWhenChanged="true">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| tstats count where $case_token$ by host | table host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html><div> <a target="_blank" href="/app/app/operating_system_artifacts?case_token=$case_token$&amp;host_name=$host_name$">&lt;h1&gt;Operating System Artifacts&lt;/h1&gt;</a> </div></html>
    </panel>
  </row>
</form>

Here is the connecting dashboard:

<dashboard version="1.1" theme="dark">
  <label>Operating System Artifacts</label>
  <row>
    <panel>
      <html encoded="1">&lt;h1&gt;Prefetch&lt;/h1&gt;</html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Prefetch Files</title>
        <search>
          <query>$case_token$ host=$host_token$ | table ApplicationPath, LastRun, TimesRan</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="ApplicationPath">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
Please provide more information - what do you mean by "not working"? What does the rest of your dashboard look like? What does your target dashboard look like? I have not been able to reproduce the issue from the limited information you have provided, however, I have created a dashboard with tokens making up a link in an HTML panel which does work.
Idea submitted, but with the attitude "Snapshots are our Friend", I'm willing to roll the dice if there's even an unsupported "how-to" out there. Idea: https://ideas.splunk.com/ideas/EID-I-2527
Do not mess with software that ships with Splunk. You may break something and/or lose support. Open a support case or go to https://ideas.splunk.com to report the vulnerabilities.
Depending on your environment you may need to add an environment variable for a proxy server. This allows apps to be "proxy aware" in cases where they are not. You can test it out on Windows using the setx command:

setx https_proxy <your proxy server ip>:443
setx http_proxy <your proxy server ip>:443

I know what you are thinking - "it is over port 8089", not "443" - but try it out, it worked for me.