All Posts


Hi @Gil, as @livehybrid also said, the sharing level of your dashboards isn't relevant; what matters is only whether or not a role has the grant to write the dashboard. If you want some users to be able to modify some dashboards, you have to create a role, assign those users to this role, and enable writing to dashboards for this new role. Ciao. Giuseppe
Hi @KJ10, could you share your inputs.conf file? Anyway, in general, the option index=<your_index> in inputs.conf, if the index really exists, shouldn't have any issue. Did you check whether the index really exists and whether you gave the correct grants to it? Anyway, if you restore the original index name in inputs.conf and restart Splunk on the Forwarder, logs should arrive in the original index; did you restart the UF after restoring the original index? Are you using a Deployment Server to deploy configurations on the UF, or did you modify them manually? Ciao. Giuseppe
How can I repair a Data input index to its normal state? I created a Data input as per my Technical Add-on; for some reason I changed my index in inputs.conf to a new index, which apparently doesn't work in Splunk 9.3 even though I created the new index from the UI. Later I changed my index back to the original, but somehow that Data input is stuck and never executes at all. I tried reinstalling my TA app and restarting Splunk multiple times, but no luck, and there is no error in splunkd.log. The same scenario happened at the client end. Can anybody please guide me on this repair, or on what the RCA could be, given that we reverted all inputs to normal?
Thank you for your suggestions. We do not have a test server to restore to before restoring it onto the prod server. On a separate note, is it possible to schedule a report or a script to back up the kvstore on a daily basis, to avoid restoring from a backup of the /opt/splunk/var/lib/splunk/backup directory?
It depends on your complete raw event - spath is likely to be part of the solution. Please share your raw event (anonymised appropriately) in a code block using the </> button.
No, how would I do that? spath?
Hi @harryvdtol, I've just tried that sample data and props config locally and it seems to work. Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match, but I want to double check as it looks like it hasn't applied the props.conf. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
I tried to avoid giving them write permission to that app, so it will probably work but won't answer all my desires.
Hi @Gil, when you say public, do you mean shared within the app for other app users? If so, the user will need to be in a role which has write permissions to that app (and dashboard) so they can share it within the app. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
| sort 0 _time host
I see what you say, but it does not help me with the fact that those users cannot change their dashboards to public.
Hi @Anit_Mathew, did you get to the bottom of this? This looks like the "Traffic Over Time By Protocol" panel which is broken? Which version of ES are you on? In ES 7.3.2 the search it runs is something like this:
    | `tstats` count from datamodel=Network_Traffic.All_Traffic where * by _time,All_Traffic.transport span=10m
    | timechart minspan=10m useother=`useother` count by All_Traffic.transport
    | `drop_dm_object_name("All_Traffic")`
Which doesn't look like it has a map command anywhere, unless you have altered any macros? Please can you confirm the ES and CIM app versions you are using and if any changes have been made to the macros? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Thanks @ITWhisperer, this seems to work. How can I display results where all the names, locations, and descriptions from the same event are displayed together? For example:
    host   _time  Name   Location   Description
    host1  9:06   Name1  Location1  Description1
    host1  9:06   Name2  Location2  Description2
    host2  8:02   Name1  Location1  Description1
    host2  8:02   Name2  Location2  Description2
If the event is sent at 9:02, let's say, for a specific host, I want to make sure all names, locations, and descriptions are displayed below each other. I hope that makes sense. I would really appreciate your help.
Hello, I am having trouble onboarding JSON array data. I have read many contributions, but I am still having trouble. This is the JSON array input:
    [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]
- My first attempt: I put a props.conf on the UF:
    DATETIME_CONFIG=CURRENT
    SHOULD_LINEMERGE=false
    LINE_BREAKER=([\r\n]+)
    NO_BINARY_CHECK=true
    INDEXED_EXTRACTIONS=json
    KV_MODE=none
    AUTO_KV_JSON = false
    category=Structured
The data was nicely split into separate JSON events, but the table command doubled the data, like in these issues:
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tabling-the-events/m-p/587724
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459
- Then I moved the props.conf into the index cluster. Now the _raw event is the same as the input array, and not split into separate JSON events, like this
I have to use the spath command during search as a workaround. So I can work around the issue, but I'd rather import the data correctly. Where do I go wrong? Any help is appreciated. Regards, Harry
We have a dashboard a user is having a problem with, which I have been able to replicate some of the time. They have a link to a dashboard with selected values in the URL; however, they get a 'Cannot create search' error on one of the dropdowns since it doesn't populate with the value assigned to the field in the URL. When using debug I can see that instead of having the selected value, the field name is there, e.g. form.product_label. Of course, if you select a value from the product dropdown then it properly populates the dashboard. It seems like in Chrome the dashboard properly auto-populates when using the URL most often. Since I have admin access and the issue happens for me about 60% of the time, I don't think it's a permissions problem. The user has read-only access to the dashboard. A colleague of theirs supposedly doesn't have any issues, but I haven't been able to confirm what browser they're using. The user with the issue states they're using Chrome and, apparently, it's not loading for them at all. I've asked them to try refreshing the page, which they state hasn't worked either. Since there's no actual search run, I can't inspect the job because there isn't one. When checking the console I can see this deprecation log. I haven't found anything online to confirm if this would be the cause of the problem.
    [Deprecation] Listener added for a 'DOMSubtreeModified' mutation event. Support for this event type has been removed, and this event will no longer be fired. See URL for more information.
My questions are whether the Deprecation warning could explain why the dashboard isn't properly loading and, if that's not it, what else it could be that I'm missing. Thanks
Hi @SN1, did you copy the Data model JSON files over from the old SH when migrating? (<yourapp>/local/data/models) Is there any other context either side of the log you provided which might tell us which DataModel is having the issue? Are you able to use, or even see, the datamodel in the UI? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Hi @Gil, after you created the new role, did you give this role the write grant to your dashboards? For each dashboard you can give read and/or write grants. It's not possible to do this in bulk mode. Ciao. Giuseppe
Hi @Karthikeya, you say you pushed from DS to CM and then pushed to IDX? This isn't a supported architecture, so be careful here. If this is the setup you have, have you been able to confirm the relevant config is in the manager-apps folder on the CM, and also checked that this has reached the indexers? If you have been able to confirm this then I would suggest running a btool on an IDX to confirm what is being picked up and ensure that nothing is overriding anywhere. Check props and transforms:
    $SPLUNK_HOME/bin/splunk cmd btool props list YourSourcetypeName --debug
    $SPLUNK_HOME/bin/splunk cmd btool transforms list idname_extract --debug
Ensure that the props returns the expected "TRANSFORMS-1_extract_idname = idname_extract" and that the transforms is also as you originally detailed. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Unfortunately there are no options to override the width of the dropdown; it is fixed width regardless of the text contents. The list of options that can be applied to the dropdown can be found here: https://splunkui.splunk.com/Packages/dashboard-docs/Dropdown Sorry this might not be the answer you were hoping for; however, please consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Hi @Gil, does your user have a role which has write permissions to the app that you want them to be able to add/edit dashboards in? In order to share dashboards within an app they need write permissions. Go to https://yourSplunkDeployment/en-US/manager/search/apps/local and then click on "Permissions" in the "Sharing" column for the app you wish to give them permissions on. Ensure that a role the user has is ticked under the "Write" column. If you want more segregation you could create a new role just for this purpose and then assign the role Write permissions, then add your user(s) to the role. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will