All Posts

Hi, Getting these messages constantly: Splunk Version 9.4.0 - Running on Windows
LogFile: python.log
2025-01-31 23:24:17,145 +0100 WARNING splunk_internal_telemetry:53 - Failed to send telemetry event: [HTTP 401] Client is not authenticated
2025-01-31 23:24:17,146 +0100 INFO decorators:130 - loading uri: /en-us/custom/splunk_app_stream/ping/
web_service.log
2025-01-31 23:29:39,276 INFO [679d4ed33f235afb52220] decorators:130 - loading uri: /en-us/custom/splunk_app_stream/ping/
2025-01-31 23:29:45,106 WARNING [679d4ed914235b03d1d60] splunk_internal_telemetry:53 - Failed to send telemetry event: [HTTP 401] Client is not authenticated
2025-01-31 23:29:45,108 INFO [679d4ed914235b03d1d60] decorators:130 - loading uri: /en-us/custom/splunk_app_stream/ping/
2025-01-31 23:29:50,167 WARNING [679d4ede26235b0268070] splunk_internal_telemetry:53 - Failed to send telemetry event: [HTTP 401] Client is not authenticated
2025-01-31 23:29:50,169 INFO [679d4ede26235b0268070] decorators:130 - loading uri: /en-us/custom/splunk_app_stream/ping/
2025-01-31 23:29:55,246 WARNING [679d4ee338235b0268130] splunk_internal_telemetry:53 - Failed to send telemetry event: [HTTP 401] Client is not authenticated
2025-01-31 23:29:55,248 INFO [679d4ee338235b0268130] decorators:130 - loading uri: /en-us/custom/splunk_app_stream/ping/
I have a query from source A from which I need to get a list of 3 parameters back. One of these parameters is an ID, and I need to get the actual name of the object from another query from source B using this ID. Eventually I want to create a table to print the 3 parameters, including the name. Any help would be greatly appreciated.
Hey, In your request to the suppression endpoint add ?count=-1 or ?count=0 to the end and I believe this should remove the limit on the number of results returned. Good luck! Will
In case anyone runs into this old post with the same issue, I opened a support case and was informed that: the "updated" field in the API is a generic field on most Splunk APIs to track changes to configuration such as changes in permissions done from the UI. It is not an accurate method to track changes done to the lookup files themselves.  
Hi guys, I need help. I am trying to check my suppression list in the REST endpoint. I have almost 100+ suppressions showing in the notable suppression, but in the endpoint https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions I see only very few (20-30) suppressions. Is there a way to see all 100+ suppressions in the endpoint?
Hi, I have a problem: I do not have props.conf and transforms.conf because I do not have an agent or forwarder; we are just getting data through HEC. So we do not have props and conf files, and HEC is bound to a host that is the indexer directly. What should we do in this case, or do we have to create props.conf?
My fault, I already saw the link
Hi, unfortunately there isn't any link to documentation on the Splunkbase page.
Another possible way is to use a refreshing search to set up some tokens and use the depends attribute on the panels to display them in turn.
Assuming you mean you have used a cron schedule for your alert, this means it will execute on that schedule, you just need to configure the alert to trigger when it finds a result worth reporting. This is up to you to decide how to construct your search so that it only triggers when something interesting has happened.
So if I understand this correctly in simple terms - you want to get notified whenever there's a notable event with certain urgency? If so, do you want to get notified via Email? We can use Notable macro (`notable`) in order to get the notable details along with urgency and use fields like source and urgency - in order to get the specific result.
I used the default cron schedule that is listed in Splunk's documentation. What would I need to set so it goes off as soon as there is a match? 
@livehybrid's idea is one possible way. Another way would be to render one bigger dashboard and use some clever CSS/JS to slide the contents within the visible area.
I am trying to suppress some specific exceptions in Business transactions until the developers can handle them in code, because they are messing up my Availability percentages. And although I seem to be able to suppress the errors so that they don't show up in the Tier counting against availability, they seem to continue to show up in the Business Transaction, and in Service Endpoints. If I have successfully suppressed an exception so that it no longer counts against Availability in the Tier, should that error also be suppressed in Business Transactions and Service Endpoints? I need to have them suppressed in the Service Endpoints, primarily, because I have Custom Service Endpoints set up for api calls for particular clients, for example. But even though I suppress the errors so that they no longer show up in the tier, they still show up in BT's and SEP's. Is there a way to suppress an error so that it no longer counts as an error in BT's and SEP's? Thanks.
mvdedup() helps. Thanks. Still, there is one more question. If I have mvalues in the manager name column, and both names are the same, I want to let it be the same but display them on separate lines. What to do?
If you edit the source of the dashboard you should be able to find a section called "layout" within the JSON, as below. Adjust the "w" value for each of your visualizations to 1/3 of the "width" value (in my case 1440/3 = 480). Set the second viz "x" position to 480 and the third viz "x" position to 2x480 (960) and this should give you an even 1/3 split. It doesn't look like there is an easier way (i.e. it "snapping" to 1/3 grid size) unfortunately.
"layout": {
    "type": "grid",
    "options": {
        "width": 1440,
        "height": 960,
        "display": "auto"
    },
    "structure": [
        { "item": "viz_NFlIOSoJ", "type": "block", "position": { "x": 0, "y": 0, "w": 480, "h": 250 } },
        { "item": "viz_ZN3u7AG0", "type": "block", "position": { "x": 480, "y": 0, "w": 480, "h": 250 } },
        { "item": "viz_6G8sJ2GL", "type": "block", "position": { "x": 960, "y": 0, "w": 480, "h": 250 } }
    ],
    "globalInputs": [ "input_global_trp" ]
},
I hope this helps!
I know this is an older post, but we are experiencing the same issue, and are using the same curl statement parameters.  What did the support team do to correct the issue for you?
Dashboard Studio gives me the ability to drop panels and move them around, which I love. I can drag a panel on top of another and quickly create two equal size panels, each 50% of the size of the dashboard. If I drag a 3rd panel into the same area though, I get three panels, one of which is 50% of the screen, and the other two are 25% each. Is it possible to get them to be three equal sizes (~33%) or is my only option to fiddle with the sliders a bit and settle for good enough?
@JLange  you're welcome