@anooshac have you seen this post? export search results using curl - Splunk Community
@KKuser

Scenario 1: Independent Instances
If the two Splunk instances are completely independent:
- Data ingested into one instance will not be visible in the other.
- Dashboards, reports, alerts, and searches are all tied to the data present in their respective instances.
- A dashboard created in Instance A will not be visible in Instance B unless manually exported and imported.
Use Case: This setup is common when different teams or departments need isolated environments or when there are compliance or security boundaries.

Scenario 2: Connected Instances (Search Head Clustering)
If the instances are connected:
- Search Head Clustering: If both instances are part of a search head cluster, dashboards can be shared across the cluster.
- You could manually or automatically sync apps, including dashboards, between the instances.
@KKuser There are 3 ways to file (or raise) a successful Support Case with Splunk. However, you will need to be assigned to your company's active Enterprise or Global Entitlement before doing so; otherwise your case may navigate into our Community Queue, which is not often monitored by our Engineers.

1. Support Portal (the best way to file a case)
Log in to "splunk.com", navigate to "Support & Services" on the top left of the page, and then click "Support Portal" in the drop-down list.

2. Email
You can email us at "support@splunk.com", which will file a default P3 case. Please note your email address must be associated with your account's entitlement.

3. Phone
You can call our Support line on (855) SPLUNK-S, or you can find local numbers at Contact Information & Splunk Locations | Splunk
Thanks @livehybrid, not sure if it's related to the mail I sent or an automatic process, but at 3:00 AM I received an email that the app has been reinstated.
@KKuser Working with Splunk Support https://www.splunk.com/en_us/pdfs/support/working-with-support.pdf
@KKuser

1. For a user to use Splunk support portal, should the user be granted access to the support portal? Don't they get the access inherently?
Users need to be granted access to the Splunk Support Portal. Access is not inherent and typically requires an active support entitlement. Users must log in with their credentials to access support resources. The support portal includes license management, support cases, downloads, and other resources that may contain sensitive or licensed information. So, access is usually restricted to certain roles within an organization.

2. Company has 2 different instances of Splunk. Will the dashboard created in one be visible in another as well? Are the 2 instances independent of each other? Can you paint a picture for me, how they'd be related?
Yes, Splunk instances are generally independent of each other unless explicitly configured to share data. A dashboard created in one instance will not be visible in another unless:
- You export and import the dashboard manually.
- You set up search head clustering or data replication between instances.
@zksvc I suggest raising a Splunk support ticket.
It does not work in my case, do you have another solution?
This rule already has a default from Splunk, with the earliest rt-65m@m and latest rt-5m@m timerange. But doesn't the drilldown only follow the time when the event is triggered? 
Thank you, Giuseppe! I appreciate the help!
Hi All, I want to download a search result as a CSV file into my local folder. Can anyone suggest some good methods to do it, and how can I do it? I saw some examples using the curl command and the REST API, but I couldn't understand them fully. Can anyone help me with this?
I added the notables to an investigation and was able to add notes as well. However, I'm trying to have an incident number for the incident so that I can use it for tracking purposes. I recently learnt that Splunk ES version 8 provides an incident number along with the investigation we create. I should test this out first, because I'm using Splunk ES version 5. Correct me if I'm wrong. Thanks for your assistance!
1. For a user to use Splunk support portal, should the user be granted access to the support portal? Don't they get the access inherently?
2. Company has 2 different instances of Splunk. Will the dashboard created in one be visible in another as well? Are the 2 instances independent of each other? Can you paint a picture for me, how they'd be related?
3. In order for me to know the answers to these questions, what concepts/topics should I know well?
Thanks, works for me.
Look at using INGEST_EVAL, where you can remove data from the JSON simply using eval statements, e.g. the following eval statement:

    _raw=json_delete(_raw, "avg_ingress_latency_fe", "conn_est_time_fe", "client_insights")

https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/IngestEval
Hi @Ciccius

I feel your frustration - I've written multiple inputs and had issues like this, and it can be a pain to resolve. I've always found the best place to start is with the following:

    $SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config yourSchema yourStanza

If you've created a simple input then yourSchema might = yourStanza, however if you are running as a single instance, but if not you might have multiple stanzas for a single instance (e.g. yourInput://stanza1 and yourInput://stanza2).

If you run the above then it should spit out the schema for your stanza. If you get any errors then you should investigate! If you get an XML output then you can try running:

    $SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config yourSchema yourStanza | $SPLUNK_HOME/bin/splunk cmd python3 /opt/splunk/etc/apps/adsmart_summary/bin/getCampaignData.py

In this scenario it is invoking the modular input as it would from within Splunk as a scheduled ExecProcess. This might give you more insight into the goings-on within your input. I use this all the time to test inputs so I don't need to wait for the interval to pass!

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
Hi @kemeris

I've been having a play around with this; the only way I can make this work is using Saved Searches, as follows:

1. Create saved searches for each platform in a format such as "MySearch - $platform$" (e.g. MySearch - Amazon).
2. Create a dropdown with multiple options, each of which has the value set to the name of your saved searches (e.g. Name: Amazon, Value: MySearch - Amazon). Assume the name of your Dropdown is "ds_token".
3. Create a base search in dashboard studio with the following search:

    | savedsearch $ds_token|s$

The |s (Pipe "S") will enclose the name in quotes. This will then load your saved search with the name set in the value of the dropdown when selected. You can use this search throughout your dashboard, or chain additional searches as required.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
You would therefore use "vs_name" in place of "_raw" in the replace command. You can use multiple transforms on a single sourcetype - even if you're already using an INGEST_EVAL. For example:

    == props.conf ==
    [yourSourcetype]
    TRANSFORMS-defineIndex = defineIndex
    TRANSFORMS-extractServerId = extractServerId
    ... etc ...

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
Sure @jialiu907

Just to mention, by default rex works on the _raw field; however, you can specify field=<fieldName> to run it against a different field.

Breakdown of the rex (regular expression):

- \)\: Matches a literal ) followed by a :. The backslash (\) escapes the closing parenthesis ) since it's a special character in regex.
- \s Matches a single whitespace character (space, tab, or newline).
- (?<Disconnect>SSLSocket Disconnected from Cloud) This is a named capturing group called Disconnect, which means it creates your new Splunk field called "Disconnect". It captures the exact phrase "SSLSocket Disconnected from Cloud". If there is no exact match (case-sensitive) then it will not match! The (?<name>pattern) syntax is used to name the capturing group and extract the field.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will
Hi @MichalDerySam

I had this issue previously - I would recommend sending an email to splunkbase-admin@splunk.com with the details of your app and letting them know you have submitted a new version, and they will be able to un-archive it for you. Their turnaround is usually relatively quick!

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards
Will