All Posts

Hi,

I am trying to update IT Essentials Work (ITEW) from v4.13.0 to v4.15.0. There is not much documentation on ITEW, so I am using the documentation for IT Service Intelligence (ITSI). My understanding is that ITEW is the free version of ITSI without premium features. I checked the prerequisites and updated as per the documentation:

1. Stopped the service (it is a single instance - SH)
2. Extracted the new version into $SPLUNK_HOME/etc/apps
3. Started the service

Then opened the app on the search head to proceed with the update. It passed the pre-checks and got to

    2025-02-19 14:30:56,637+1100 process:654449 thread:MainThread INFO [itsi.migration] [itsi_migration_log:43] [info] UI: Running prechecker: EAPrechecks

I left it for 30 minutes or so, then checked the status by running

    curl -k -u admin:changeme -X GET https://localhost:8089/servicesNS/nobody/SA-ITOA/migration/info

and it was is_running: false. I cannot see anything alarming when I check the status. Tried several times and every time it is the same. Checked the permissions and the Troubleshooting documentation, restarted the service - still could not update. Please advise.
Anyone please help in this 
I just stumbled on this looking for something else, and wanted to say you can dynamically colour both the background and the major value:

    "visualizations": {
        "viz_UVeH0JP5": {
            "type": "splunk.singlevalue",
            "dataSources": { "primary": "ds_VyZ1EWbM" },
            "options": {
                "majorColor": "> majorValue | matchValue(majorColorEditorConfig)",
                "backgroundColor": "> majorValue | matchValue(backgroundColorEditorConfig)"
            },
            "context": {
                "majorColorEditorConfig": [
                    { "match": "NotDropped", "value": "#2f8811" },
                    { "match": "Dropped", "value": "#ffffff" }
                ],
                "backgroundColorEditorConfig": [
                    { "match": "NotDropped", "value": "#000000" },
                    { "match": "Dropped", "value": "#2f8811" }
                ]
            }
        },

You probably can't do it through the UI, though. I rarely use it, so I'm not sure.
Has anyone been able to use the "| sendalert risk ..." command from the correlation search query, even when the search returns no results? I currently need to do this, but when there are no results I get the message "Error in 'sendalert' command: Alert script returned error code 3." Is there a way to truncate (abort) the sendalert command when there are no results?
| stats max(notificationId) by iNumber
I cannot download from the results pane either. Here Export is greyed out. I am the admin, but I cannot download as CSV.
Hello, I have this search query

    index=app iNumber IN (72061271737983, 72061271737983, 72061274477906, 72061277215167) | stats count by notificationId, iNumber

This results in multiple notificationIds coming in for each iNumber in this list. What I'm trying to find out is the max notificationId value per iNumber, and output that list. Is there a way to do that? Something like:

    iNumber         (Max)NotificationId
    72061271737983  12345
    72061271737983  78787

Thank you!
You can download the results in the panels to CSV by clicking the download button. Is that what you mean?
Thank you @livehybrid !!!!! I knew I was dozing off at the end of the day.... LOL
Good Morning @livehybrid

Just wanted to wrap my head around the logic:

    2025-02-13 Yes
    2025-02-14 Yes
    2025-02-15 Yes

So does the yes mean that it will alert on those dates, hence returning a result? Also, let's say for example an alert fired on the 15th and the lookup table has the date 2025-02-15. Does it mute the next day, so the 16th won't get alerted (if it falls within Mon~Thursday), where on Friday it will jump to Monday to mute, so it would look like this:

    2025-02-15 no

and instead of displaying that in an event it will not actually return any results? If I want to only add 1 day, would I change it like this?

    | eval mute_date = if(day_of_week == Date + 86400)

All the best!
Hi @mbasharat

Add "| spath input=body" to your SPL - this will then extract the fields within the body JSON key as key=value fields in your results.

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi @vksplunk1

By default your KV store files will be stored in $SPLUNK_HOME/var/lib/splunk/kvstore/mongo - so if you have a backup of this directory you may be able to get the data back based on the time it was backed up. However, I would look at recovering this to a different / test server rather than your production instance, as it isn't possible to pick and choose which files to restore. Therefore you might need to recover the whole backup and then take a backup from the recovered data before restoring.

Do you have other lookups also? This will affect those if you overwrite from an old backup.

You could try this approach, depending on the size of your lost KV Store lookup: you could export it from the restored backup, then load it back into the KV Store on your production instance using a mixture of

    | inputlookup <restoredData.csv> | outputlookup <OriginalLookupName>

Do you think this might work for your situation?

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hi - We have accidentally deleted a KV store with the outputlookup command. We do not have a backup from Splunk.

How do we restore the KV store from a backup of the Splunk home (/opt/splunk) directory?
Has anyone managed to set up source control for workbooks?  Pulling the information down via API to upload to gitlab is straightforward. You can run a get request against [base_url]/rest/workbook_template (REST Workbook). The problem is with pushing information. As far as I've been able to find, you can only create new phases or tasks. You're not able to specify via name or ID that you want to update an object. There's also no way I've found to delete a phase or task which would make creating a new one more reasonable.
Hi. I have the below raw event(s).

Highlighted syntax:

    { [-]
       body: {"isolation": "isolation","device_classification": "Network Access Control","ip": "1.2.3.4", "mac": "Unknown","dns_hn": "XYZ","policy": "TEST_BLOCK","network_fn": "CounterACT Device","os_fingerprint": "CounterACT Appliance","nic_vendor": "Unknown Vendor","ipv6": "Unknown",}
       ctupdate: notif
       eventTimestamp: 1739913406
       ip: 1.2.3.4
       tenant_id: CounterACT__sample
    }

Raw text:

    {"tenant_id":"CounterACT__sample","body":"{\"isolation\": \"isolation\",\"device_classification\": \"Network Access Control\",\"ip\": \"1.2.3.4\", \"mac\": \"Unknown\",\"dns_hn\": \"XYZ\",\"policy\": \"TEST_BLOCK\",\"network_fn\": \"CounterACT Device\",\"os_fingerprint\": \"CounterACT Appliance\",\"nic_vendor\": \"Unknown Vendor\",\"ipv6\": \"Unknown\",}","ctupdate":"notif","ip":"1.2.3.4","eventTimestamp":"1739913406"}

I need the below field=value pairs extracted from each event at search time. It is a very small dataset:

    isolation=isolation
    policy=TEST_BLOCK
    ctupdate=notif
    ip=1.2.3.4
    ipv6=Unknown
    mac=Unknown
    dns_hn=XYZ
    eventTimestamp=1739913406

Thank you in advance!!!
I am trying to export the dashboard into a CSV file, but I am not seeing CSV under Export. How do I enable the CSV export? My data is in table format.
Hello, I want to get the ML toolkit; however, how will it affect the hard rules we write? Can we use the toolkit as a verification method on the same index data? I mean, for the same index and the same Splunk account, can we write hard rule sets as we do now and also get the ML toolkit at the same time? Thanks a lot
It appears that the latest version of this app is having this issue. Uninstall it and install an older version 
As of the time of writing this it is only available on single value, single value icon, and single radial visualizations. I very much would like to see them add it for line graph visualizations.
Hello! I hope you can help! I have installed Splunk Enterprise 8.12 on my macOS 14.6.1 to study for an exam. Splunk installed fine. However, the lab asked me to create an app called "destinations", which I did, and I set the proper permissions. However, when I go to the app in the search head and type "index=main" it sees it but doesn't display any records. I have copied down eventgen to the samples folder in the Destinations folder and copied the eventgen.conf to the local folder as directed, but it still does not display. I also see that the main index is enabled in indexes using the $SPLUNK_DB/defaultdb/db; it also shows that it indexed 1mg out of 500gb. I have a feeling that it's something obvious but I'm not seeing it. I really need this lab to work; can you assist? I used the SPLK-10012.PDF instructions, not sure if you have access to that. I pulled down the files from GitHub - eventgen. Maybe this is an easy fix? Thank you