All Posts

A golden shovel award goes to you, sir/madam. This is a thread from 11 years ago. And the answer to the original question is probably "someone made a typo and mistakenly multiplied by 364 instead of 365".
The lookup table 'ucd_count_chars_lookup' does not exist or is not available. [...] [ucd_category_lookup] Are you sure those shouldn't match?
ES depends heavily on kvstore. If - for some reason - your installation didn't complete correctly and your kvstore isn't fully configured, it won't run properly. If your kvstore is not running, ES (and much of the "general Splunk") won't run either. But as far as I remember, you might get this kind of problem as well if your user simply doesn't have the required capabilities and permissions for running ES.
There is nothing special about AWS as such. You need to deploy your machines in AWS as described in the "normal" Linux Installation Manual, or using docker containers.
Hi Ryan, Support provided a query for which we are unable to create metrics. We have tweaked it as below: SELECT (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) AS daysleft FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30 When we created metrics, we got the error "Following fields (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) AS daysleft in the select clause are not supported." Could you help with the query?
It sounds like you only have two fields? The first one will be used for the x-axis and the second will be a series (of that name) using the (numeric) values for the height of the columns. If this is not what you have, please share your search in full (obfuscated as necessary to obscure sensitive information).
Hi @Amira, as you can read at https://splunkbase.splunk.com/app/2770, this add-on is supported by Splunk. As you can read at https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install, you have to install this add-on on the HF under certain conditions. I usually install all add-ons on both HFs and SHs to support index-time parsing (HFs) and search-time parsing (SHs). Ciao. Giuseppe
Hi Jerry, in the case where the TA is installed on both the Indexer and the SH, where are the data input and all configurations to be configured - on the SH, right (for a Splunk Cloud deployment)? Is the flow below correct? Data sources --> HF (Syslog server) (TA not required) --> Cloud indexer (with TA) --> Cloud SH (with TA). I'd also suggest updating the add-on documentation to include clear details, please. That would help. I have Splunk Cloud with ITSI (not ES) and I want to test the Fortinet Add-on.
Dear Community members, it would be helpful if someone could assist me with the relevant documentation for deploying Splunk Enterprise Security on AWS containers and AWS EC2 instances, to compare which is the appropriate model that will be supported by Splunk for any future issues, along with upgrades.
Thank you, gcusello, for your response! I would appreciate it if you could provide more details about the importance of installing this Add-on. Additionally, could you clarify who the owner of both the Add-on and the Application is? Were they developed by Splunk or NetScaler? Thank you in advance!
Hi @Amira, you have to install the Splunk Add-on for Citrix NetScaler also on the Heavy Forwarder. Then you have to create the index on the Indexer, and you must be sure that data are stored in the correct index. Ciao. Giuseppe
Hi @masakazu, did you follow all the instructions in the above link? I never experienced the above issue. My hint is to repeat all the steps in the installation procedure, checking whether you have KV Store issues in your Splunk installation. If you don't solve it, open a case with Splunk Support. Ciao. Giuseppe
https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallEnterpriseSecurity I installed Splunk Enterprise Security to verify operation. Following the above manual, I installed it and configured the initial settings. When I opened the incident view in the app's menu bar, an error message appeared saying "An error occurred while loading some filters." When I opened the investigation, an error message appeared saying "Unknown Error: Failed to fetch KV Store." I can't display the incident review and investigation. Is anyone else experiencing the same issue?
Please do not repeat the same question. If needed, you can edit the post to correct or add more information; alternatively, delete one of them. Your posting does not demonstrate anything about only one value being passed at a time. How do you know? Without showing the data, the selections you make, the search you use, and the output, no one can read your mind. Here is a dashboard I constructed for another question and adapted to demonstrate that multiple values are being passed:

<form version="1.1" theme="light">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/705987</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multivalue_field_tok" searchWhenChanged="true">
      <label>select all field values</label>
      <choice value="*">All</choice>
      <default>WARN,WARNING</default>
      <delimiter> </delimiter>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>| makeresults format=csv data="log_level
INFO
WARN
WARNING
ERROR"</query>
      </search>
    </input>
    <input type="multiselect" token="multivalue_term_tok" searchWhenChanged="true">
      <label>select all terms</label>
      <choice value="Installed">Installed</choice>
      <choice value="binary">binary</choice>
      <choice value="INFO">INFO</choice>
      <choice value="WARNING">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="*">All</choice>
      <default>binary,ERROR</default>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$multivalue_field_tok$</title>
      <event>
        <search>
          <query>index = _internal log_level IN ($multivalue_field_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <title>$multivalue_term_tok$</title>
      <event>
        <title>no field name</title>
        <search>
          <query>index = _internal ($multivalue_term_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

As you can see, you can select any combination of values. They are passed faithfully into the respective searches.
Hi Pickle, I wanted to update you that I made a mistake with the configuration in authentication.conf. Instead of defining a specific stanza for RADIUS, I should have used the [Scripted] stanza. With this correction, the Python script is now working properly. It handles local authentication for dumped users and successfully authenticates one user via the script configured for RADIUS. I’m now working on customizing the script further to directly authenticate users from RADIUS. Thank you!
Hi Splunk Community, I'm new to integrating Citrix NetScaler with Splunk, but I have about 9 years of experience working with Splunk. I need your guidance on how to successfully set up this integration to ensure that:
- All data from NetScaler is ingested and extracted correctly.
- The dashboards in the Splunk App for Citrix NetScaler display the expected panels and trends.
Currently, I have a 3-machine Splunk environment (forwarder, indexer, and search head). Here's what I've done so far:
- I installed the Splunk App for Citrix NetScaler on the search head.
- Data is being ingested from the NetScaler server via the heavy forwarder, but I have not installed the Splunk Add-on for Citrix NetScaler on the forwarder or indexer.
Despite this, the dashboards in the app show no data. From your experience, is it necessary to install the Splunk Add-on for Citrix NetScaler on the heavy forwarder (or elsewhere) to extract and normalize the data properly? If so, would that resolve the issue of empty dashboards? Any insights or steps to troubleshoot and ensure proper integration would be greatly appreciated! Thanks in advance!
"https://docs.splunk.com/observability/en/rum/rum-rules.html#use-cases Write custom rules for URL grouping in Splunk RUM — Splunk Observability Cloud documentation: Write custom rules to group URLs based on criteria that matches your business specifications, and organize data to match your business needs. Group URLs by both path and domain. You also need custom URL grouping rules to generate page-level metrics (rum.node.*) in Splunk RUM." As per the Splunk documentation, we have configured custom URL grouping, but the rum.node.* metrics are not available. Please help on this. Path configured
Hello There, I would like to pass multiple values in the label, whereas in the current search I am only able to pass one value at a time:

<input type="multiselect" token="siteid" searchWhenChanged="true">
  <label>Site</label>
  <choice value="*">All</choice>
  <choice value="03">No Site Selected</choice>
  <fieldForLabel>displayname</fieldForLabel>
  <fieldForValue>prefix</fieldForValue>
  <search>
    <query> | inputlookup site_ids.csv |search displayname != "ABCN8" AND displayname != "ABER8" AND displayname != "AFRA7" AND displayname != "AMAN2" </query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <delimiter>_fc7 OR index=</delimiter>
  <suffix>_fc7</suffix>
  <default>03</default>
  <initialValue>03</initialValue>
  <change>
    <eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
  </change>
  <change>
    <set token="tokLabel">$label$</set>
  </change>
</input>

I need to pass this label value as well, which is a multiselect value. Thanks!
I have a field/column name called ssh_status, and {Noncompliant, successful logins, failed logins, etc.} are its sub-fields or values. Under "Visualisation", Noncompliant, successful logins, failed logins, etc. are all showing in the same color.
The choropleth map provides city-level resolution; is there a way to get higher resolution, such as street or block level? Thanks!