All Posts
Hi @kzjbry1, first check whether all the features of this dashboard in Classic Dashboard are also present in the Dashboard Studio version, because there are some features that still aren't migrated; for this reason I still haven't moved to Dashboard Studio. Anyway, if you cloned the dashboard to Dashboard Studio, to use the new dashboard instead of the original you also have to modify the app menu in [Settings > User Interface > app menu] and any drilldowns (if present). Ciao. Giuseppe
Can anyone tell me how to migrate a Microsoft Azure App for Splunk dashboard (security_center_alerts) from the original Classic format to Dashboard Studio? I realize I can clone the dashboard, but am not sure how to have the app recognize the migrated dashboard instead of the original one. Also, is there a way to add a new local dashboard to the app dropdown menus? Thanks in advance! Steve Cook
Hi, struggling to get single values to show with a trendline comparing to the previous month.

    | bin span=1mon _time
    | chart sum(cost) as monthly_costs over bill_date

Tried different variations. The above will show a single value for each month, but I want to add a trendline to the single value to compare to the previous month. Any ideas? Thanks!
One more addition: for testing we also wrote a config for the collector that exports traces to both Splunk and Jaeger at the same time, so we could see if it was just the collector not registering span links in general or something else down the line. When doing this, the span links appeared in Jaeger, but were still not visible in Splunk. So we think it's either the (default) configuration for the splunk-opentelemetry-collector (specifically the Splunk exporter) not handling span links, or something in Observability Cloud not accepting our span links. There is one more hint I got from the collector container logs; the following messages appear a few seconds after the traces are sent:

    2025-01-27T14:35:00.707Z info transport/http2_server.go:662 [transport] [server-transport 0xc0022ba000] Closing: EOF {"grpc_log": true}
    2025-01-27T14:35:00.707810569Z 2025-01-27T14:35:00.707Z info transport/controlbuf.go:577 [transport] [server-transport 0xc0022ba000] loopyWriter exiting with error: transport closed by client {"grpc_log": true}

This might indicate that the writer is stuck at sending the span links, since everything else is sent to Splunk correctly. However, I am not sure about the inner workings there. I would appreciate any hints for debugging this!
Hi @jkamdar, let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Thanks, appreciate the help.
I don't see the span links in my trace view either. This is strange. I've noticed in your example that you use port 4318 in the collector URL and thought that maybe the problem is somehow related to the gRPC protocol. But when I configure "http/protobuf" with port 4318 in the local app, it doesn't change anything. The links just don't appear in the UI. Here is the Splunk OTel Collector configuration using docker compose:

    otelcol:
      image: quay.io/signalfx/splunk-otel-collector:latest
      environment:
        - SPLUNK_ACCESS_TOKEN=XXXXXXXXXXXXXXXXX
        - SPLUNK_REALM=eu1
      ports:
        - "13133:13133"
        - "14250:14250"
        - "14268:14268"
        - "4317:4317"
        - "4318:4318"
        - "6060:6060"
        - "8888:8888"
        - "9080:9080"
        - "9411:9411"
        - "9943:9943"
      container_name: otelcol
      restart: unless-stopped
Hi @jkamdar, about the apps to migrate, I mean all the apps not contained in the Splunk installation; if you install the same version of Splunk, you can copy the full $SPLUNK_HOME/etc/apps folder. Beware of the last point: if in your apps there is some path, you have to manually modify the paths to adapt them from Linux to Windows, e.g. Splunk internal logs must be moved from /opt/splunk/var/log/splunk to C:\Program Files\splunk\var\log\splunk. Ciao. Giuseppe
also forgot to type this in my example search, but most of my queries for these alerts use Latest=@h, keeping the window the same  
Makes sense: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

Security

NoNewPrivileges=
Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges Flag.
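A systemd drop-in that turns this on for splunkd, as an added example (it is not from the thread and not Splunk's own unit template). It assumes Splunk was enabled with `splunk enable boot-start -systemd-managed 1`, which creates `Splunkd.service`; the drop-in file name is arbitrary, and the unit name is an assumption you should check against `systemctl list-units 'Splunkd*'`.

```ini
# Added example, not part of the original thread.
# Path assumed: /etc/systemd/system/Splunkd.service.d/10-no-new-privs.conf
# Apply with: systemctl daemon-reload && systemctl restart Splunkd
[Service]
# Weak (this is the systemd default, shown commented out for contrast):
# splunkd and every child it spawns, such as scripted inputs and alert
# actions, can still regain privileges through setuid/setgid binaries
# or file capabilities.
#NoNewPrivileges=false

# Hardened: execve() can never grant the process more privileges than it
# already holds. The flag is inherited by all children and cannot be cleared.
NoNewPrivileges=true
```

Check the effective setting with `systemctl show -p NoNewPrivileges Splunkd`, and on the running process with `grep NoNewPrivs /proc/<splunkd pid>/status` (1 means set). The caveat a practitioner wants: any scripted input, modular input or alert action that shells out to `sudo` or another setuid helper will fail once this is on, so exercise those before rolling it out.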
Hi! Thanks for the response. Like you predicted, the time frame is not where I am facing the issue with my search, so it must be something to do with latency like you said. Is there any way to change how the search is run? And by two alerts, do you mean running differently timed alerts, or separate queries?
Thanks @isoutamo 
The very ugly solution would be to search for the "initial" results, then do fillnull and then search for particular values. But. That would be hopelessly ineffective because you'd need to dig through all events each time you run your search. If the search is meant to be run relatively often you could think of summary indexing and transform your data so that it contains some default "non-present" entry.
Thanks @gcusello. Yes, it's a standalone server. My comments/questions are inline below:
- start from the same Splunk version: yes, good point, will do that
- copy the apps from the old to the new one: are you referring to apps like add-ons, Splunk_TA_nix and Splunk_TA_windows?
- modify eventual monitor inputs using the new path: do you mean update inputs.conf?
Of course. I'll experiment and see what I can figure out. I hadn't even considered editing the HTML to achieve my goal, so it's certainly progress. Thank you.
Your issue, as you have expanded on it, is as I had interpreted it in the first place. Having said that, there could still be issues if you attempt to use my solution with logical operators such as OR. For example, ( $choice_token$ OR field="*" ) might give you a parsing error if the choice_token is an empty string, so you might want to consider a superfluous condition such as 1==1 or NOT 1==1, depending on how your search logic should work in this case. Another possibility is that the OR is included in the choice_token. But you would have to work this out depending on what your search is trying to do under the various different scenarios of tokens being used to filter the events.
If there are some scheduled alerts/reports etc., then those cannot run after the account has been removed. There are some ways to transfer ownership of those to you. Maybe the easiest is just to remove the account; then Splunk warns you that there are some scheduled tasks which have no owner and gives you a link where you can change ownership. Another way is to go to Settings -> All Configurations. Then on the top right is the button "Reassign knowledge objects"; use it. The third option is to use an external command which can change those on the CLI. You can find it in some old answers.
Thank you, I'll see if I can do this. However, because the other responder had issues understanding my issue, I've placed my response to them below as well, in case you had trouble understanding my request even though you've already given me a suggestion on how to rectify it.

--------------------------------------------------------------------------------------------

Got it, I'll try to explain better. This is the actual base search:

    (index=email source=/var/logs/esa_0.log attachments=$file$ sha256=$hash$) OR (index=cyber source=/varlogs/fe01.log)
    (suser="$sender$" OR sender="$sender$")
    (duser="$recipient$" OR recipient="$recipient$")
    (subject="$subject$" OR msg="$subject$")
    (id="'<$email_id$>'" OR message-id="$email_id$")
    (ReplyAddress="$reply_add$" OR from-header="$reply_add$")

If you look, you'll see the various fields I have set up to filter by: sender, recipient, subject, etc. Part of what I'm doing is actually consolidating email information from two different sourcetypes. That's why I have the various filters being matched against the equivalent field in the other sourcetype. For instance, in this part 'suser="$sender$" OR sender="$sender$"', it'll filter out emails by sender, keeping only the events in both sourcetypes where the sender is somebody@gmail.com, for example. However, the default value for this field (and the rest) is a wildcard * to match everything, so even if I don't fill in a value to filter by, it'll default to that. As a result, the search becomes this 'suser="*" OR sender="*"' at search time. You see the problem? With this kind of filter, it *requires* the suser or sender field to be present in the events lest they get filtered out, even though I'm not trying to filter by that. Now, in the case of fields like sender, recipient, subject, and even email_id, this is okay because *every* email has to have these fields. They're not optional. In the case of email attachments, however, that isn't the case.

Not all emails have attachments, therefore not all events have an 'attachments' field. However, because the search ultimately defaults to this 'attachments=*', it requires them. This is the problem. It makes it impossible to search for emails without attachments. Ideally, I'd love to be able to simply tell Splunk not to filter by that field at all unless I fill it with something that isn't a wildcard, but that doesn't appear to be possible. Does this clear up any confusion?
Got it, I'll try to explain better. This is the actual base search:

    (index=email source=/var/logs/esa_0.log attachments=$file$ sha256=$hash$) OR (index=cyber source=/varlogs/fe01.log)
    (suser="$sender$" OR sender="$sender$")
    (duser="$recipient$" OR recipient="$recipient$")
    (subject="$subject$" OR msg="$subject$")
    (id="'<$email_id$>'" OR message-id="$email_id$")
    (ReplyAddress="$reply_add$" OR from-header="$reply_add$")

If you look, you'll see the various fields I have set up to filter by: sender, recipient, subject, etc. Part of what I'm doing is actually consolidating email information from two different sourcetypes. That's why I have the various filters being matched against the equivalent field in the other sourcetype. For instance, in this part 'suser="$sender$" OR sender="$sender$"', it'll filter out emails by sender, keeping only the events in both sourcetypes where the sender is somebody@gmail.com, for example. However, the default value for this field (and the rest) is a wildcard * to match everything, so even if I don't fill in a value to filter by, it'll default to that. As a result, the search becomes this 'suser="*" OR sender="*"' at search time. You see the problem? With this kind of filter, it *requires* the suser or sender field to be present in the events lest they get filtered out, even though I'm not trying to filter by that. Now, in the case of fields like sender, recipient, subject, and even email_id, this is okay because *every* email has to have these fields. They're not optional. In the case of email attachments, however, that isn't the case. Not all emails have attachments, therefore not all events have an 'attachments' field. However, because the search ultimately defaults to this 'attachments=*', it requires them. This is the problem. It makes it impossible to search for emails without attachments.

Ideally, I'd love to be able to simply tell Splunk not to filter by that field at all unless I fill it with something that isn't a wildcard, but that doesn't appear to be possible. Does this clear up any confusion?
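One way to apply the attachments filter only when a value is actually typed, as an added Simple XML example that is not code from this thread: the text input's change handler sets a helper token (attach_filter, a name assumed here) to either a bare `*` term, which matches every event whether or not it carries an attachments field, or to a quoted `attachments=...` clause, and the base search references that helper token instead of `$file$`. It uses `*` rather than the `1==1` idea from the earlier reply as the always-true clause, and the `|s` token filter so the typed value is quoted and escaped before it lands in the search, since a free-text input substituted raw into SPL is otherwise an injection point for whoever can reach the dashboard. Only the attachment and sender inputs and a subset of the original search are carried over; the index and source values are the ones from the post.

```xml
<form version="1.1">
  <label>Email search (attachment filter applied only when set)</label>
  <!-- Added example, not from the original thread. Token "attach_filter"
       is an assumed helper name; index/source values come from the post. -->
  <init>
    <!-- On first load the input still holds its default (*), so the
         attachments clause must match everything. -->
    <set token="attach_filter">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="text" token="file" searchWhenChanged="true">
      <label>Attachment name</label>
      <default>*</default>
      <change>
        <!-- wildcard: do not constrain on the attachments field at all -->
        <condition value="*">
          <set token="attach_filter">*</set>
        </condition>
        <!-- anything else: constrain on attachments; |s quotes and
             escapes the typed value so it cannot break out of the clause -->
        <condition>
          <set token="attach_filter">attachments=$value|s$</set>
        </condition>
      </change>
    </input>
    <input type="text" token="sender" searchWhenChanged="true">
      <label>Sender</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            (index=email source=/var/logs/esa_0.log $attach_filter$)
            OR (index=cyber source=/varlogs/fe01.log)
            (suser=$sender|s$ OR sender=$sender|s$)
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Clearing the input to an empty string is not the same as `*`: with this handler an empty value produces `attachments=""`, which only matches events whose attachments field is literally empty, so either keep `*` as the "no filter" convention for users or add a second `<condition value="">` that also sets the helper to `*`. The same pattern extends to any other optional field (sha256, reply address) by giving each its own helper token.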
Hi all, does anyone know if there is a built-in visualisation similar to that provided by Graphistry (https://www.splunk.com/en_us/blog/tips-and-tricks/visualising-network-patterns-with-splunk-and-graphistry.html)? Thanks