All Posts

Hi @Siddharthnegi, as I said, I don't know any tool that automates the documentation writing of a Splunk Dashboard. You could create a Python (or another language) script that extracts the contents of a dashboard and copies them into a Word file, but it must be created from scratch, maybe using ChatGPT or another AI. Ciao. Giuseppe
Hi @jaibalaraman, do you need a dashboard or can you use a report? It's possible to share a report. To share a dashboard, users must be authenticated, so the real question is: is it possible to implement SSO in Splunk? For more info, see https://docs.splunk.com/Documentation/UBA/5.4.1/Admin/SSO Ciao. Giuseppe
Check out Embed scheduled reports - Splunk Documentation  You must save your dashboard searches as reports and then you enable embedding.  
Like documentation of a dashboard, if people want to understand the dashboard.
Hi @Siddharthnegi , what kind of document: a User Manual, or a technical documentation? Anyway I don't know any tool or command that generates documentation about a dashboard. Ciao. giuseppe
Click on your table in Dashboard Studio and choose Data display --> Header row --> Fixed
Hi @Crotyo , I see from your screenshot that you have results, so what's the issue? Ciao. Giuseppe
Hi @Rak, at first, check the condition of the presence in both the main searches. Then, if you have the stats command you should have statistics; it's strange if you haven't. Did you copy all of my search, including the stats command? Otherwise, please try this:
(index=testindex OR index=testindex2 source="insertpath" ErrorCodesResponse=PlanInvalid TraceId=*) OR (index=test ("Test SKU"))
| eval type=if(index="test","2","1")
| stats earliest('@t') AS '@t' values('@m') AS '@m' values(RequestPath) AS RequestPath dc(type) AS type_count BY TraceId
| where type_count=2
| eval date=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%Y-%m-%d"), time=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%H:%M")
| fields - '@t'
Ciao. Giuseppe
Good Morning! Is the order for the name always the same? So that VZEROP002 is always the first entry in the list? If yes you could try:
index=zn
| spath "items{0}.state"
| spath "items{0}.name"
| search "items{0}.name"=VZEROP002 "items{0}.state"=1
Do you need the list entries in one event for comparison within the event or could you split them in separate events?
Hello, My apologies, I hope this makes sense, still learning. I have events coming in that look like this: I need to create an alert for when state = 1 for name = VZEROP002. But, I can't figure out how to write the query to only look at the state for VZEROP002. The query I'm running is:
index=zn
| spath "items{1}.state"
| search "items{1}.state"=1
But, the search results still return events where VZEROP002 has a state of 2, and VZEROP001 has the state of 1. I hope that makes sense, and thanks in advance for any help with this. Thanks, Tom
I usually have to make a document of a Splunk dashboard and it's really time consuming as well, so I was thinking maybe I can automate it, so that it can make a simple document of any dashboard. Is it possible?
Hi All, is there any way to freeze the tile in the dashboard when we scroll down in the dashboard?
Hi, any help or use case for the below question? How do I share a dashboard with the internal team as a URL link, where it won't ask to enter user name and password and logs in directly to the dashboard as read only (Dashboard Studio)?
Here's a picture of my CSV files and search result. It only displays the result for the first number. When I search using OR, it does display correctly.
I'm afraid I met the same issue described in the original question at that time: I couldn't map data into the data model. The problem was related to the macro (cim_Network_Resolution_indexes) defined in the constraint of the Network Resolution (DNS) data model. I believe the person who asked this question several years ago might also be a beginner like me :). So, since I've solved the problem, the comment I left here was to help anyone else who might get stuck on this issue. Sorry for any inconvenience (if any) caused by bringing up this question.
The question is, what can a tween do? Can this question get a library card? Can it make a facebook account?
Why don't you go to that event, do show source (or copy the raw event) into a new file and then go into Settings->Add data and upload that file and experiment with the props in the UI until you can see it working
If it's OK to put some old files/logs into frozen state (I suppose that you have a cold2frozen script in place, or you don't need those old events), then you can put your indexer into detention mode (it denies all new connections / indexing) and update min free space to some smaller value. Also you must check, e.g. with "du -sh $SPLUNK_DB", which indexes are biggest / where you could archive some buckets. Based on that, just update the max retention time in indexes.conf for those. Then start Splunk and wait until it archives those, and you will get more space. Of course, if you could just add more space to that filesystem, it's probably the best way to fix the situation and get Splunk up and running. BUT after that I said that you must plan your data storage to use volumes (with separate filesystems) and update index definitions to use those volumes. This needs some planning and also some service break time. There are instructions in the Splunk docs and in the community on how to move current indexes to other directories on an indexer. Just follow those instructions or hire any Splunk partner/PS or other consultant who could do it for you.
Hi, one comment on using $SPLUNK_DB in a volume definition. Actually Splunk uses $SPLUNK_DB for different things and stores different stuff there. This means that when you define inside a volume that its path = $SPLUNK_DB and set some size for it, it applies only to that volume. When you have e.g. other indexes and some other stuff in the same filesystem where your $SPLUNK_DB is, I think that Splunk cannot count those sizes in that total volume size. It just counts those indexes which are defined to use that volume! Basically this means that your volume could become full and this will stop Splunk, even if you have set a low enough max volume size attribute for the volume. For that reason I suggest that you should never use $SPLUNK_DB as any volume path/dir. You should always use some other separate filesystem in a separate LV volume etc. To be honest, I haven't tested this in my lab to verify that my assumption is correct, but maybe others have done this test? r. Ismo
https://community.splunk.com/t5/Knowledge-Management/New-Splunk-Metrics-logging-interval/m-p/705328/highlight/true#M10338