All Posts

This was a fun thread! I upvoted https://ideas.splunk.com/ideas/EID-I-2176.
Hi @zerocoolspain, I would use separate but similar radio inputs. Each radio input has its own set of tokens; however, updating a radio input also updates the global trobots token. The currently selected trobots1 and trobots2 values are preserved across changes to the tintervalo token.

<form version="1.1" theme="light">
  <label>intervalo</label>
  <init>
    <unset token="trobots"></unset>
  </init>
  <fieldset>
    <input type="dropdown" token="tintervalo" searchWhenChanged="true">
      <label>Intervalo</label>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimasemana&quot;">Última semana completa</choice>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimomes&quot;">Último mes completo</choice>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimotrimestre&quot;">Último trimestre completo</choice>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoultimoaño&quot;">Último año completo</choice>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusomescurso&quot;">Mes en curso</choice>
      <choice value="|loadjob savedsearch=&quot;q71139x:vap:precalculoVAPusoañoencurso&quot;">Año en curso</choice>
      <choice value="7">Otros</choice>
      <change>
        <condition match="'tintervalo'==7">
          <set token="show_trobots1">true</set>
          <unset token="show_trobots2"></unset>
          <set token="trobots">$trobots1$</set>
        </condition>
        <condition match="'tintervalo'!=7">
          <unset token="show_trobots1"></unset>
          <set token="show_trobots2">true</set>
          <set token="trobots">$trobots2$</set>
        </condition>
      </change>
    </input>
    <input type="radio" token="trobots1" depends="$show_trobots1$" id="inputRadioRI1" searchWhenChanged="true">
      <label>Robots</label>
      <choice value="| eval delete=delete">Yes</choice>
      <choice value="`filter_robots` `filter_robots_ip`">No</choice>
      <initialValue>`filter_robots` `filter_robots_ip`</initialValue>
      <change>
        <set token="trobots">$trobots1$</set>
      </change>
    </input>
    <input type="radio" token="trobots2" depends="$show_trobots2$" id="inputRadioRI2" searchWhenChanged="true">
      <label>Robots</label>
      <choice value="conBots">Yes</choice>
      <choice value="sinBots">No</choice>
      <initialValue>sinBots</initialValue>
      <change>
        <set token="trobots">$trobots2$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <table>
        <tr><td><b>tintervalo:</b></td><td>$tintervalo$</td></tr>
        <tr><td><b>trobots1:</b></td><td>$trobots1$</td></tr>
        <tr><td><b>trobots2:</b></td><td>$trobots2$</td></tr>
        <tr><td><b>trobots:</b></td><td>$trobots$</td></tr>
      </table>
    </html>
  </row>
</form>
Hi @tscroggins and all, could you please check this:

the file http_error_code.csv

StatusCode,Meaning
100,Continue
101,Switching protocols
403,Forbidden
404,Not Found

the file http_error_codes_400.csv

StatusCode,Meaning
400,Bad Request
401,Unauthorized
402,Payment Required
403,Forbidden
404,Not Found
Hi there, hope you are doing well, thanks for reading.

1) A fresh install of Splunk Enterprise 9.3.2 shows this security warning:

Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web. 12/2/2024, 5:40:52 AM

2) I noticed this error around 2 or 3 months ago, but as it's a simple, low-priority / functionality-related one, I ignored it.

3) Last week, as we Splunkers were discussing this in our user group meeting, one of my friends asked: ok, this is a low priority issue for you, but from an organization's infosec perspective this could be a medium/big issue.

4) He suggested that the default config files should be configured to keep things in a secured fashion (similar to that "zero-trust" security policy); giving a warning message isn't enough, right? I had to agree with him.

5) Screenshot attached for your note:
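An added offline audit of the setting named in this warning, written for this thread and not part of the post or of Splunk itself. It assumes allowedDomainList sits in the [email] stanza of alert_actions.conf as a comma-separated list of domains and that an empty value means "any domain"; Splunk's own matching rules are not modelled, domains are compared exactly and case-insensitively.

```python
# Added example, not from the post or from Splunk: audit a copy of
# alert_actions.conf for the condition the warning above describes, and
# show what an allow list does to a sendemail recipient list.
# Assumptions: the setting lives in the [email] stanza, is a
# comma-separated list, and an empty value permits every domain.
import configparser
import io

# Constructed config fragments; the first reproduces the warning condition.
UNRESTRICTED = "[email]\nallowedDomainList =\nfrom = splunk@example.com\n"
RESTRICTED = "[email]\nallowedDomainList = example.com, corp.example.net\n"


def allowed_domains(conf_text: str) -> list:
    """Configured domains, lower-cased; [] when the setting is empty or absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("email", "allowedDomainList", fallback="")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def audit(conf_text: str) -> str:
    """Mirror the Splunk Web warning: an empty list means results can be mailed anywhere."""
    if not allowed_domains(conf_text):
        return "WARNING: allowedDomainList is empty; email alerts may go to any domain"
    return "OK: allowedDomainList restricts alert recipients"


def recipient_permitted(address: str, conf_text: str) -> bool:
    """Would this To: address pass the allow list? An empty list permits everything."""
    domains = allowed_domains(conf_text)
    if not domains:
        return True
    return address.rpartition("@")[2].lower() in domains


def check_recipients(addresses: list, conf_text: str) -> tuple:
    """Split a sendemail to= list into (permitted, blocked) addresses."""
    permitted = [a for a in addresses if recipient_permitted(a, conf_text)]
    return permitted, [a for a in addresses if a not in permitted]
```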
Yes @PickleRick, the docs require a bit more detailed info. I see the docs are not updated yet (screenshot attached) (even after my idea request https://ideas.splunk.com/ideas/EID-I-2176) and my bug report to Splunk (I spent a few hours on multiple conference calls with Splunk Support, but no fruitful results). (New readers, could you please spend a minute and upvote that idea 2176, so at least I can tell my friends that I have found a bug in Splunk and suggested an idea worth 100 upvotes.) Okies, sure, agreed that it's not a big show stopper for Splunk.

----- I have submitted the docs feedback just now.

----- Next steps: around 3 or 4 months I worked on app creation (following the footsteps of @tscroggins's superb suggestions), but I got stuck at the app packaging areas.

------ Working on this "small task" again now, let me update you all on the progress soon, thanks.
@karthi2809 I tend to use a text box where I can insert a where clause, like this

<row id="button_row">
  <panel>
    <input id="events_where" type="text" token="where_clause" searchWhenChanged="true">
      <label>Event filter where clause</label>
      <default></default>
    </input>
    <event>
      <search>
        <query>
          index=_internal host=bla | where $where_clause$
        </query>
        <earliest>$selection.earliest$</earliest>
        <latest>$selection.latest$</latest>
      </search>
    </event>
  </panel>
</row>

it gives you flexibility to construct whatever you want, so as long as you know how to write valid SPL queries, you can use whatever eval statements you like, e.g.

You can do it with a search clause, but I find more flexibility to use eval based filters. You can also make your text box nice and wide using the id="xxx" in the <input> and then add this css

<row depends="$CSS$">
  <panel>
    <html>
      <style>
        #events_where .splunk-textinput {
          width: 400px !important;
        }
      </style>
    </html>
  </panel>
</row>
As an additional exercise, we can compare diff with combinations of inputlookup. The following searches should return the same results:

A

| set diff [| inputlookup test.csv ] [| inputlookup test2.csv ]

B

| inputlookup test.csv where NOT [| inputlookup test2.csv ]
| inputlookup append=t test2.csv where NOT [| inputlookup test.csv ]
Hi @munang, the set command and the join command perform overlapping but different functions. set diff returns the symmetric difference of the subsearches, i.e. set diff returns all events in either subsearch A or subsearch B but not both:

A

url                           A_field
https://www.splunk.com/       A_value
https://www.appdynamics.com/  A_value

B

url                           A_field
https://www.appdynamics.com/  A_value
https://www.cisco.com/        A_value

diff

url                           A_field
https://www.splunk.com/       A_value
https://www.cisco.com/        A_value

Both join type=left and join type=outer perform a left outer join by joining all fields in all events in the base search with all fields from the first (default: max=1) matching event in the subsearch, i.e.:

A

url                           A_field
https://www.splunk.com/       A_value
https://www.appdynamics.com/  A_value

B

url                           B_field
https://www.appdynamics.com/  B_value1
https://www.appdynamics.com/  B_value2

join

url                           A_field  B_field
https://www.splunk.com/       A_value  (null)
https://www.appdynamics.com/  A_value  B_value1

As written, your join search is equivalent to join type=inner. The where command removes all events from the base search that were not joined to an event in the subsearch. To return the difference using the join command, the command would need to support a full outer join, and it does not.
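An added Python model of the three operations this answer contrasts (set diff, join type=left with max=1, and the inner join the where clause produces), which also serves the inputlookup comparison and the two http_error_code CSV files posted earlier in this thread. It is example code written for this page, not SPL and not the poster's code; the rows are constructed from the tables and files shown above.

```python
# Added example, not code from the thread: a Python model of the SPL operations
# contrasted above. set_diff() is the symmetric difference `| set diff` returns;
# left_join() is `| join type=left <field>` with the default max=1; inner_join()
# is what the `| where` in the question leaves. Rows are constructed from the
# tables and CSV files posted in this thread.
import csv
import io


def _key(event: dict) -> tuple:
    return tuple(sorted(event.items()))


def set_diff(a: list, b: list) -> list:
    """Events in A or B but not both, compared on every field, deduplicated."""
    both = {_key(e) for e in a} & {_key(e) for e in b}
    out, seen = [], set()
    for e in a + b:
        k = _key(e)
        if k not in both and k not in seen:
            seen.add(k)
            out.append(e)
    return out


def left_join(base: list, sub: list, on: str) -> list:
    """Left outer join: every base event survives; fields of the first matching subsearch event are added."""
    first = {}
    for e in sub:
        first.setdefault(e[on], e)  # max=1: the first matching subsearch event wins
    sub_fields = {f for e in sub for f in e} - {on}
    rows = []
    for e in base:
        match = first.get(e[on], {})  # no match: subsearch fields stay None (null)
        rows.append({**e, **{f: match.get(f, e.get(f)) for f in sub_fields}})
    return rows


def inner_join(base: list, sub: list, on: str) -> list:
    """Only the base events that matched a subsearch event, i.e. what `where` keeps."""
    matched = {e[on] for e in sub}
    return [r for r in left_join(base, sub, on) if r[on] in matched]


def load_csv(text: str) -> list:
    """Read a lookup file the way `| inputlookup` presents it: one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed copies of the http_error_code.csv and http_error_codes_400.csv files.
HTTP_CODES = "StatusCode,Meaning\n100,Continue\n101,Switching protocols\n403,Forbidden\n404,Not Found\n"
HTTP_CODES_400 = ("StatusCode,Meaning\n400,Bad Request\n401,Unauthorized\n"
                  "402,Payment Required\n403,Forbidden\n404,Not Found\n")
```

Running set_diff over the two CSV files returns status codes 100, 101, 400, 401 and 402; 403 and 404 appear in both files and so drop out, which is what the set diff and the paired inputlookup searches above both produce.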
Try something like this (in SimpleXML of course!)

<row id="banner">
  <panel>
    <html>
      <style>
        div[id="banner"].dashboard-row {
          top: 0;
          position: sticky;
          z-index: 9999;
        }
        div[id="banner"] div {
          background-color: yellow;
        }
      </style>
      <h1>Your banner panel</h1>
    </html>
  </panel>
</row>
Hi @munang, may I know if this is Splunk Enterprise or Splunk Cloud, and the Splunk version number, please. Let me try to recreate this situation and see how we troubleshoot this issue. Thanks.
I assume you are using compatible versions of all the components. If not then ensure they are at the right versions. ( https://docs.splunk.com/Documentation/DSDL/5.1.2/User/InstallDSDL )

DSDL - 5.1.2
MLTK - 5.4.0
PSC - 3.1.0, 4.1.0, or 4.1.2
Splunk - 8.1.x+

Another test you can do is to try connecting to your docker container outside of Splunk to see if the issue is due to restrictions on accessing localhost.
Are calls on the C++ layer considered in overall calls? Suppose there is one transaction which flows from Web Server to Java to Node.js; then will it be counted as 3 calls or one call?
Is there any pattern between the ticket type and the values appearing? E.g. does the Customer value always appear in Normal Tickets but never in Error Tickets? Or does it look random? Also when you say that "In Splunk, it is confirmed that the value exists", can you say it definitely exists for all records, even for the tickets that say it doesn't exist? Try running your alert search, but looking for rows where the field does not have a value. <yoursearch> | search NOT Client=*
It seems that your alert job is successfully running. When you say "the test email was successful", do you mean a test email from Splunk or from a different interface? If it was not Splunk that sent the test email, could you test it with a search like this? It should either send you a simple test email or give you errors indicating what is going wrong: | makeresults | sendemail to="<youremailaddress>" subject="test splunk email"
Ultimately Splunk needs a date to know where to file your event. If the date is missing from the logs, then you need to supply or assume it from somewhere else. E.g. if Splunk sees the time "17:22:29.875", then do you want Splunk to assume that the date is the day of indexing? So if yesterday, then the full timestamp would be 2024-30-11 17:22:29.875
@bowesmana    The two methods you provided also produce different results. Is there a reason why I get different results even if I exclude fields with underscores?
According to the docs, you should use the sourcetype based on the configured event hub. Select the source type based on the configured Event Hub. Supported source types are mscs:azure:eventhub, azure:monitor:aad, azure:monitor:resource and azure:monitor:activity. The default sourcetype is mscs:azure:eventhub https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Configureeventhubs/ It seems that this add-on contains a props.conf stanza for the sourcetype "ms:o365:management" to CIM-normalize data from that sourcetype, but it does not contain any inputs.conf or scripts in bin which pull in the data. It is not clear why it is bundled that way. I would expect this CIM-normalizing config to be bundled in an add-on which also pulls the ms:o365:management data.  
I am curious about this, could you say which TA is trying to initialize the modular input even if the inputs.conf stanzas are disabled?
In my case I need to search in textbox with dynamic values from message field not with predefined values.

Dynamic doesn't mean it should be free text. This next example gives you two inputs, one a truly dynamic multiselect, the other a free text if you absolutely want to go that route.

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_tok" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index = _internal log_level = * | stats count by log_level</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="multivalue_text_tok" searchWhenChanged="true">
      <label>enter comma separated</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Using &gt;$multiselect_tok$&lt;</title>
        <search>
          <query>index = _internal log_level IN ($multiselect_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <event>
        <title>Using &gt;$multivalue_text_tok$&lt;</title>
        <search>
          <query>index = _internal [| makeresults | fields - _time | eval log_level = upper(trim(split("$multivalue_text_tok$", ",")))]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

The problem with free text is that people make far more mistakes than machines do. My code tries to cope with that as much as possible.
But unless you have a use case that uses free text in a meaningful way, forget comma delimited input.
Is there any solution ...