Here are the events from left to right for the 3 panels. So here DR1 is not showing, but the 1st and 3rd panels work and the middle one does not. The characters in the RED box are what DR1 is looking for, either SSM or ASM.
Hi @gcusello, thanks for the quick reply! I am new to this; where would I add DR1=* in my search? Also, not all the panels have DR1 in their events, but they still work. This is part of why I don't understand why some work and not others.
Hi @DarrellR, are you sure that all the events have the DR1 field? You could try to add DR1=* to the main search. Ciao. Giuseppe
I have created a dashboard that reads an MQ flow that contains messages to different vendors. I have created panels for the different vendors and am trying to group the messages for each of those vendors. Each vendor will receive 2 message types, ASM and SSM. 2 panels work but the other does not; it only returns NULL, yet there are messages. The search is exactly the same for all three with the exception of the vendor address. Here is the search:

    index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1

The XXXXXX is the vendor address and .YYYYYYY is the sender address. The sender address will stay the same, but each panel will have a different XXXXXX value. I cannot figure out why only that 1 does not work and returns NULL when it receives basically the same messages, just with a different XXXXXX value. I hope someone here can help me.
I forgot to mention that you also need to comment out the line in the systemd unit file that reaches out to github because the failure of that line causes the whole startup to fail. 
Open a case with Splunk Support.
Honestly, I've never heard about such a possibility. Since you're bootstrapping a SHC member from a deployer, how would you decide which SH is a part of which cluster? Also, if you're applying a shcluster bundle, you're pushing it to one member and letting the others replicate their config from there. How would you expect to do it with two SHCs? (OK, you could do the push explicitly to two different SHs, but I'm not sure if that would work.) Why do you even want to do something like that? If you have enough machines and they are supposed to have the same config, why not create a single SHC?
It is also worth remembering that some sources can have their own specific characteristics. For example, if you're getting WEF-forwarded events in pull mode, you can receive events in batches every 15 or 30 minutes. For other sources there can be significant jitter in event delay, so they can be backfilling your indexes past the search window. These are just some specific examples of the general issues raised earlier, so there is no single answer that fits all possible cases.
Hi everyone, there has been a change in Dashboard Studio: there are always "gray" frames around an element when you "move" the mouse pointer over it, and a blue frame appears when you select it. This gives unsightly effects, especially with drop-down menus etc. How can I deactivate this? Thank you
Hi, I've been wondering whether there is any method to get notifications when a SOAR-configured app is down. I am using on-prem SOAR and the version is 6.1.1.211 Phantom.
Usually I ask how fast you could fix the issue and use that answer to decide how frequently those alerts should run. Normally I try to use something between 5 min and 1 h. Of course there could be cases where this must be 1 min or longer than 1 h.
Hi~ I am trying to make a single Search Head deployer serve 2 individual search head clusters.
Hi @Aedah, you could add this to Splunk Ideas (ideas.splunk.com); surely many people will be interested in it. Ciao. Giuseppe
From experience - the initial answer from the requestors will be probably "as soon as possible". Don't fall for that.
Version interoperability of Splunk Add-on for CyberArk. I was thinking of using the add-on for CyberArk to change the logs' format from CyberArk PTA into CEF format as input to Splunk Enterprise. Splunk Add-on for CyberArk | Splunkbase. However, as the link above shows, it seems the latest version of the add-on supports PTA 12.2, and there are no updates to this add-on. Does anyone know about the version interoperability of PTA version 14.2 and this add-on? Or are there alternatives to this add-on? I really appreciate any comment. Thank you. ##Splunk-Add-on-for-CyberAr
Hi, my setup is Splunk Enterprise on an Ubuntu server. I've set up the NetFlow config on the EdgeRouter but can't seem to get any data into Splunk or the Stream add-on. I have looked online but found conflicting instructions, and I tried ChatGPT. Can someone point me in the right direction as to why I can't get it to work?
@richgalloway @VatsalJagani Thank you for your reply. I have one more curious thing. I mentioned you because I had additional questions. I would like to know which file each role's functionality maps to and what its path is. Currently, I have created a new role capability called manage_risky_commands, and the operation method has not been mapped yet.
I applied for a preview version, downloaded the Data Monitoring App and uploaded it to my Splunk Cloud stack. App validation is successful, but when I press the Install button, the installation is not performed and the error is as follows: Data Monitoring could not be installed. Unable to install package. - 1EF9555E-306C-4928-B9FF-2F8A03CC35A7
You can do this by overwriting some of the options within the table source. Have a look at the following example: You can see that the colour is specified using SPL instead of logic within the Dashboard editor. Using a field prefixed with an underscore _ will stop it showing in the table. Then update the options for the table and add/edit the columnFormat:

    "columnFormat": {
        "<YourHighlightedField>": {
            "rowBackgroundColors": "> table | seriesByName('_colour')"
        }
    }

I hope this helps!