Hi @AL3Z, good for you, see you next time! Let us know if we can help you more, or please accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
You can define the underlying search as a report and use it to power the dashboard panel. Then set the report to be run as owner instead of the calling user.
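An added example, not part of the answer above, of the settings that implement it. The app name index_health, the service account svc_index_monitor and the role dashboard_viewers are assumptions, as is the tstats query standing in for the poster's search:

```conf
# $SPLUNK_HOME/etc/apps/index_health/local/savedsearches.conf   (assumed app name)
[index_write_status]
# tstats reads index metadata only, so the report hands the dashboard per-index
# counts and timestamps, never raw events from indexes the viewer cannot read.
search = | tstats count AS events_today, latest(_time) AS last_write WHERE index=* earliest=@d BY index | eval last_write = strftime(last_write, "%Y-%m-%d %H:%M:%S")
# Dispatch with the owner's index permissions instead of the calling user's.
# The "Run As: Owner" choice in the report's permissions dialog writes the same key.
dispatchAs = owner

# $SPLUNK_HOME/etc/apps/index_health/metadata/local.meta
# The owner is the account whose index access the report inherits (assumed name).
# Viewers get read only, so nobody but admin can edit the SPL that runs as owner.
[savedsearches/index_write_status]
owner = svc_index_monitor
access = read : [ dashboard_viewers ], write : [ admin ]
export = none
```

The panel then references the report with `<search ref="index_write_status"/>` instead of an inline query. Two checks are worth making before sharing it: the report's SPL is fixed rather than built from dashboard tokens, so a viewer cannot steer an owner-privileged search, and the role holds read but not write on the report. One caveat on the query itself: tstats only returns indexes that have events in the window, so an index with no writes today is absent from the output, and the dashboard has to treat absence as "not written".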
Hello, I have a dashboard that checks all indexes and displays the event count for today and the last write time. This allows users of the dashboard to be alerted if an index has not been written to in a certain amount of time. My issue is that the dashboard runs when the user clicks into it and runs the searches using their permissions, as expected. However, they do not have access to all indexes, so they cannot see the stats for all indexes. What is the easiest way to change this so that they can see an event count for all indexes without having to give them access to the index?
Is it possible to change the owner?

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
  --data-urlencode name=notable_suppression-foo \
  --data-urlencode description=bar \
  --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
  --data-urlencode disabled=false \
  --data-urlencode owner="new_user"
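An added example, not from the post, of changing the owner afterwards through the object's /acl endpoint, which takes the owner together with a sharing value; the owner= field on the create call above is not used here. It assumes the entity supports the standard /acl endpoint like other conf-backed knowledge objects, a bearer token in SPLUNK_TOKEN instead of admin:pass on the command line (which lands in shell history and process listings), and the management port's CA certificate at SPLUNK_CACERT so that -k is not needed:

```sh
#!/bin/sh
# Added example, not from the post: set the owner of an existing knowledge
# object via its /acl endpoint. Assumed: SPLUNK_TOKEN holds a bearer token,
# SPLUNK_CACERT the CA that signed the management port's certificate, and the
# entity supports the standard /acl endpoint.
set -eu

SPLUNK_URL="${SPLUNK_URL:-https://splunk:8089}"
SPLUNK_CACERT="${SPLUNK_CACERT:-/etc/splunk/ca.pem}"   # assumed path

# URL of one object: <base>/servicesNS/nobody/<app>/<endpoint>/<name>
# The name is used as-is; names with '/' or spaces would need percent-encoding.
entity_url() {  # entity_url <app> <endpoint> <name>
  printf '%s/servicesNS/nobody/%s/%s/%s\n' "$SPLUNK_URL" "$1" "$2" "$3"
}

# Its ACL endpoint: <entity>/acl
acl_url() {  # acl_url <app> <endpoint> <name>
  printf '%s/acl\n' "$(entity_url "$@")"
}

# First "owner" value in a JSON response (the entry's acl block carries it).
owner_from_acl_json() {
  printf '%s' "$1" | grep -o '"owner":"[^"]*"' | head -n1 | cut -d'"' -f4
}

# Authenticated call: TLS verified against our CA, no password on the command line.
splunk_api() {
  curl -sS --fail --cacert "$SPLUNK_CACERT" -H "Authorization: Bearer $SPLUNK_TOKEN" "$@"
}

# The /acl endpoint wants owner and sharing in the same POST.
set_owner() {  # set_owner <app> <endpoint> <name> <new_owner> [sharing]
  splunk_api -X POST "$(acl_url "$1" "$2" "$3")" \
    -d "owner=$4" -d "sharing=${5:-app}" -d output_mode=json >/dev/null
  # Read the object back and print its owner rather than trusting the POST's status.
  owner_from_acl_json "$(splunk_api "$(entity_url "$1" "$2" "$3")?output_mode=json")"
}

# Usage, for the suppression from the post:
# set_owner SA-ThreatIntelligence alerts/suppressions notable_suppression-foo new_user
```

The read-back at the end is the check worth keeping: a 200 on the POST only says the request was accepted, while the entity's acl block shows who actually owns it now.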
We have a scenario where we roll logs every day. We want Splunk to index the log file for yesterday only; we don't want to ingest today's log files. What specific setting do I require in my inputs.conf file to only ingest yesterday's data? ignoreOlderThan = 1d also ingests today's log files, which I do not want.
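An added example, not from the post, of an inputs.conf stanza that selects rolled files by name rather than by age. The directory /var/log/app, the live file name app.log and the app.log.YYYY-MM-DD naming of rolled files are assumptions:

```conf
# inputs.conf (added example; path and file naming are assumed)
[monitor:///var/log/app]
# whitelist is a regex on the full path: only files whose name ends in a date
# match, so the live file app.log is never read and today's writes are not
# ingested until the file has been rolled.
whitelist = \.log\.\d{4}-\d{2}-\d{2}$
# ignoreOlderThan is a modification-time filter: it drops files that have not
# changed in this long, which stops a restart from re-reading old rolls. It can
# never exclude a file that is being written right now, which is why 1d on its
# own still picked up today's file. 3d leaves room for a late roll.
ignoreOlderThan = 3d
sourcetype = app_log
```

Before deploying, `splunk list inputstatus` on the forwarder shows which files the stanza actually picks up, so the regex can be checked against the real file names.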
Hello, I need some help adding colour to my dashboard. I've got the below block sitting on my high level dashboard view, but I want it to change colour (red or green) depending on the values of the underlying dashboard that it clicks through to, which I will share below. This is the dashboard it displays when you click on the above... Is there some way that, if any of these 5 boxes do not display "OK", the top level block (EazyBI) will change to red? Can anyone help me with that?
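An added example (not the poster's dashboard) of a single-value panel whose colour follows the number of checks that are not "OK". The lookup eazybi_checks.csv with one row per check and a status field, and the drilldown path, are placeholders for the search behind the detail dashboard:

```xml
<!-- Added example, not the original dashboard. Assumed: the five checks come
     from a search returning one row per check with a field named "status". -->
<dashboard>
  <label>High level</label>
  <row>
    <panel>
      <single>
        <title>EazyBI</title>
        <search>
          <!-- Replace the inputlookup with the search behind the detail dashboard;
               the count of rows whose status is not OK is what drives the colour. -->
          <query>| inputlookup eazybi_checks.csv | stats count(eval(status!="OK")) AS not_ok</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="useColors">1</option>
        <!-- one threshold, two colours: 0 failing checks is green, anything above is red -->
        <option name="rangeValues">[0]</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="underLabel">checks not OK</option>
        <drilldown>
          <link target="_blank">/app/search/eazybi_detail</link>
        </drilldown>
      </single>
    </panel>
  </row>
</dashboard>
```

Counting failures in the search, rather than colouring on a status string, means a sixth check added later is covered without touching the panel, and the number shown tells the viewer how many of the boxes to look for on the detail page.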
In that case @muhammadfahimma I think it is best to get this raised with Splunk Support, they should let you know the reference number once it has been logged and you can track it on the Release Notes (https://docs.splunk.com/Documentation/ES/latest/RN/NewFeatures) page. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
@AL3Z So you are seeing 2 hostnames in your internal logs? And/or sources from both C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log and C:\Program Files\Splunk\var\log\splunk\splunkd.log? Does the windows_logs index exist on your main Splunk instance? In the context of the SplunkUniversalForwarder, can you run: C:\Program Files\SplunkUniversalForwarder\bin\splunk cmd btool inputs list Do your expected Windows inputs get listed? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
Hi, @livehybrid
> I had placed the inputs.conf file within an app folder $SPLUNK_HOME/etc/apps/yourApp/local/inputs.conf only.
> Splunk Forwarder and Splunk Server are installed on the same host; yes, the forwarder deployment is sending its internal logs to the main instance.
Hi @khj Typically your server will use swap if there is not enough RAM available on the system for the processes that are running. Please could you let us know how much RAM the server has, and how much is typically being used? It could be that it is under-spec'd for the ES role. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
@livehybrid Thanks for your reply. I couldn't execute the Splunk query via the Splunk REST API using a Python script; I'm getting an error message while executing the job: "job has failed". The search is | makeresults | eval msg="HelloWorld" and I can execute it in the Splunk UI, where it reports "This search has completed and has returned 1 results by scanning 0 events in 0.302 seconds". I
After running free -m, we found that memory usage is about 3% lower, but swap is 100% in use. The same thing happens when Splunk is restarted shortly after. Does anyone know the cause of this phenomenon and how to solve it? The server environment is as follows. OS: CentOS 7, Splunk Enterprise 9.0.4.
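An added example, not from the post, that attributes swap to individual processes from /proc, which free -m cannot do. It assumes a Linux host such as the CentOS 7 one described and a readable /proc; the shell helpers only parse /proc/<pid>/status text:

```sh
#!/bin/sh
# Added example, not from the post: which processes hold the swap that free -m
# reports as used. Assumed: Linux /proc layout (CentOS 7 here).
set -eu

# kB of swap recorded in one /proc/<pid>/status (text on stdin); 0 if no VmSwap line.
swap_kb_from_status() {
  awk '/^VmSwap:/ { kb = $2 } END { print kb + 0 }'
}

# "<kB> <pid> <name>" for every process that uses swap, largest first.
swap_by_process() {  # swap_by_process [N]
  for f in /proc/[0-9]*/status; do
    pid=${f#/proc/}; pid=${pid%/status}
    # a process may exit between the glob and the read; count it as 0
    kb=$(swap_kb_from_status < "$f" 2>/dev/null || echo 0)
    [ "$kb" -gt 0 ] && echo "$kb $pid $(awk '/^Name:/ { print $2 }' "$f" 2>/dev/null)"
  done | sort -rn | head -n "${1:-10}"
}

# The whole picture: totals, how eagerly the kernel swaps, and who owns the swap.
swap_summary() {
  free -m
  echo "vm.swappiness=$(cat /proc/sys/vm/swappiness)"
  echo "top swap consumers (kB pid name):"
  swap_by_process 5
}

# Usage: swap_summary
```

If splunkd and its helper processes account for the swapped pages, the question is whether RAM is short while Splunk is running; if they do not, the swap belongs to something else on the host. A full swap that stays full after RAM frees up is also normal on Linux, since swapped pages are only brought back when a process touches them, so the per-process breakdown is the number to look at rather than the total.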
Hi @AL3Z, I don't think that you can install both Splunk Enterprise and Splunk Universal Forwarder on the same VM, because they have the same IP and hostname and it's completely useless. If you want to test Windows log ingestion from the local machine, you don't need to use the UF and you can use your Splunk instance to create the input (you can do it also by GUI, but it's always better to use the Splunk_TA_Windows, enabling the inputs you need). If instead you want to test the connection between a UF and an Indexer, you have to use two different VMs and, on the UF, install the Splunk_TA_Windows, enabling the inputs you need. Ciao. Giuseppe
Hi @BalajiRaju Please could you try two things to see if this gives us any further information on what might be happening here. Please could you run the same search in both Splunk UI and via REST API and compare the runtimes for the same search. Please post the timing differences. Also, try a very basic search via the API such as | makeresults | eval msg="HelloWorld" How long does the makeresults command take? Are you using the Splunk Python SDK, if so, which version? Please feel free to post code snippets and searches to help us look into this further. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
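An added example (not code from the thread) that runs a search through the REST API directly, as the reply above suggests for comparison with the UI and the SDK. It times the job and prints the job's messages, so a failure shows its reason instead of just "job has failed". The bearer token in SPLUNK_TOKEN, the CA file path and the server URL are assumptions; the helpers only parse the job status JSON:

```sh
#!/bin/sh
# Added example, not code from the thread: create a search job over REST, poll
# it, and report state, elapsed time, messages and results. Assumed:
# SPLUNK_TOKEN holds a bearer token, SPLUNK_CACERT the management port's CA.
set -eu

SPLUNK_URL="${SPLUNK_URL:-https://splunk:8089}"
SPLUNK_CACERT="${SPLUNK_CACERT:-/etc/splunk/ca.pem}"   # assumed path

# First scalar value of <key> in a JSON blob, whether "key":value or "key":"value".
json_field() {  # json_field <json> <key>
  printf '%s' "$1" | grep -o "\"$2\":\"\{0,1\}[^,\"}]*" | head -n1 | sed 's/^"[^"]*":"\{0,1\}//'
}

# What a poll loop should do next, from the job status JSON: done | failed | running
job_state() {
  if [ "$(json_field "$1" isFailed)" = true ]; then echo failed
  elif [ "$(json_field "$1" isDone)" = true ]; then echo done
  else echo running; fi
}

# Authenticated call: TLS verified against our CA, no password on the command line.
splunk_api() {
  curl -sS --fail --cacert "$SPLUNK_CACERT" -H "Authorization: Bearer $SPLUNK_TOKEN" "$@"
}

run_search() {  # run_search '<SPL that starts with "search" or "|">'
  local sid status state start
  start=$(date +%s)
  status=$(splunk_api -X POST "$SPLUNK_URL/services/search/jobs" \
             -d output_mode=json --data-urlencode "search=$1")
  sid=$(json_field "$status" sid)
  state=running
  while [ "$state" = running ]; do
    sleep 1
    status=$(splunk_api "$SPLUNK_URL/services/search/jobs/$sid?output_mode=json")
    state=$(job_state "$status")
  done
  echo "sid=$sid state=$state elapsed=$(( $(date +%s) - start ))s"
  # The job's messages array carries the reason for a failure (parse error,
  # missing permission, ...); a generic "job has failed" does not.
  printf '%s\n' "$status" | grep -o '"messages":\[[^]]*\]' || true
  if [ "$state" = done ]; then
    splunk_api "$SPLUNK_URL/services/search/jobs/$sid/results?output_mode=json&count=0"
  fi
}

# Usage: the search from the thread first, then a real one for the timing comparison
# run_search '| makeresults | eval msg="HelloWorld"'
```

Running the same SPL here and in the UI gives the two timings the reply asks for, and the messages line shows whether the REST-side job failed for a reason the script can fix (for example the search string not beginning with `search` or `|`).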