I have deployed a SH cluster with two SHs, and everything has been working fine until now. Now I have added a new member to the cluster; all configurations are replicated, but the apps are not replicated. Q1: Will the apps be replicated on the new member automatically, or should I run the deploy bundle command on the deployer? Q2: When I run the command from the deployer, I get a network layer error and the Splunk service stops automatically.
But that's for a dashboard, right? I would need it for the Add-on Builder app, which I'm not sure I can modify as it is a Splunk app.
Can you please check this discussion if it helps you?
@bowesmana Thanks for the solution and for investing your valuable time. But the microseconds are still not matching.
A date range/date selector
Hello @marnall, I see what you mean, but doing it this way will apply the same login password to all inputs. That's not what I'm looking for. The "best way" for me is to use this solution and stop editing my application using Add-on Builder. And if I need to update my application with Add-on Builder, I have to restore the files (globalConfig and <input>_rh_account) manually. Normally, I'll be taking part in the application building course on Monday. If I get the answer, I'll update this post. Have a good day.
Hi @BalajiRaju, probably the condition I supposed isn't correct; correct it for your data, e.g. as @yuanliu hinted, but the approach is correct. Ciao. Giuseppe
Small improvements. The wildcard should apply to <anything>Tags{}. mvfind uses regex. If you need string match, there is too much work to convert an arbitrary string into regex. But Splunk's equality operator applies in multivalue context. So, using foreach suggested by @ITWhisperer, you can do

    | foreach *Tags{} [| eval fields=mvappend(fields, if('<<FIELD>>' == "Tag4", "<<FIELD>>", null()))]

Your sample data will give fields

    Info.Apps.MessageQueue.ReportTags{}
    Info.Apps.MessageQueue.UserTags{}

Since 8.2, Splunk introduced a set of JSON functions. You can actually use a more formal, semantic approach, although the algorithm is messier because iteration capabilities are limited in SPL. (It is also limited as SPL doesn't support recursion.) Here is an illustration.

    | eval key = json_array_to_mv(json_keys(_raw))
    | mvexpand key
    | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key)))
    | mvexpand key1
    | eval key = if(isnull(key1), key, key . "." . key1)
    | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key)))
    | mvexpand key1
    | eval key = if(isnull(key1), key, key . "." . key1)
    | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key)))
    | mvexpand key1
    | eval key = if(isnull(key1), key, key . "." . key1)
    | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key)))
    | eval key = if(isnull(key1), key, key . "." . key1)
    | eval value = json_array_to_mv(json_extract(_raw, key))
    | where value == "Tag4"

The above code assumes a path depth of 5 even though your data only has a depth of 4.
The result is

    key                                 value
    Info.Apps.MessageQueue.ReportTags   Tag1
                                        Tag4
    Info.Apps.MessageQueue.UserTags     Tag3
                                        Tag4
                                        Tag5

Here is an emulation you can play with and compare with real data

    | makeresults
    | eval _raw = "{ \"Info\": { \"Apps\": { \"ReportingServices\": { \"ReportTags\": [ \"Tag1\" ], \"UserTags\": [ \"Tag2\", \"Tag3\" ] }, \"MessageQueue\": { \"ReportTags\": [ \"Tag1\", \"Tag4\" ], \"UserTags\": [ \"Tag3\", \"Tag4\", \"Tag5\" ] }, \"Frontend\": { \"ClientTags\": [ \"Tag12\", \"Tag47\" ] } } } }"
    | fields - _time
    | spath
    ``` data emulation above ```
The correct resolution for this issue is to force update the content as mentioned in this article (if a single force update does not work, try it 3-4 times; it will resolve the issue): https://splunk.my.site.com/customer/s/article/SSE-Security-Content-not-loading-issue-KB-will-complet... Also, it is required to have internet connectivity on the Splunk machines to use this app. ---- Apply karma and mark the solution if it works.
Which type of input are you trying to create, @meirclaroty @albjimen?
Was this successful? Would the Splunk Security Essentials Add-on work too?
Splunk can only report what it finds in the logged events or something it "calculates" from the events. So, the question remains, what evidence do you have in your log events that show that the user is locked out or off-site? (To be fair, you haven't told us what "locked out" or "off-site" mean, let alone shown evidence of these states!)
Sure! Thanks. Let me know how we can do this.
According to the docs the MAX_TIMESTAMP_LOOKAHEAD is applied _from_ the TIME_PREFIX-defined location.
Generally these format options apply to the cell, so you can colour a cell using the expression option, but you need to specify the field as part of the <format> specifier; see https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/TableFormatsXML#Color_format_rules Take a look at the dashboard examples app https://splunkbase.splunk.com/app/1603 as that has some JavaScript examples on how to colour rows based on cell values. See the Table Row Highlighting example.
So now you need to set the time prefix to match your actual raw text, i.e. "time":"2024... AND you need the lookahead set, because time is at the end of your JSON. Your raw data does not appear to have any whitespace in between the fields/colon/value, so try

    MAX_TIMESTAMP_LOOKAHEAD = 550
    TIME_PREFIX = \"time\":\"
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

EDIT: MAX_TIMESTAMP_LOOKAHEAD not needed - see @PickleRick comment below.
Yeah, I ran into the same issue. I had to make all my changes again after losing them the first time. When clicking Finish after making the Python changes, it resets those scripts to defaults, based on the inputs in the Add-on Builder. You need to set up any other inputs that you need configured in the Add-on Builder, then add the fields and code to those Python scripts. It might be best to keep a backup of them with the changes applied, in case you need to do anything else in the Add-on Builder in future and you accidentally overwrite them again.
Let me first comment that your use case should NOT be a freetext "search box" as input. It should be a multiselect. Play with the following example and see if it fits your needs:

    <form version="1.1" theme="light">
      <label>Multivalue input</label>
      <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
      <fieldset submitButton="false">
        <input type="multiselect" token="multivalue_field_tok" searchWhenChanged="true">
          <label>select all field values</label>
          <choice value="INFO">INFO</choice>
          <choice value="WARNING">WARNING</choice>
          <choice value="ERROR">ERROR</choice>
          <choice value="*">All</choice>
          <default>*</default>
        </input>
        <input type="multiselect" token="multivalue_term_tok" searchWhenChanged="true">
          <label>select all terms</label>
          <choice value="INFO">INFO</choice>
          <choice value="WARNING">WARNING</choice>
          <choice value="ERROR">ERROR</choice>
          <choice value="*">All</choice>
          <default>*</default>
          <delimiter> OR </delimiter>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <search>
              <query>index = _internal log_level IN ($multivalue_field_tok$)</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
        <panel>
          <event>
            <title>no field name</title>
            <search>
              <query>index = _internal ($multivalue_term_tok$)</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
      </row>
    </form>

If comma-delimited freetext term input is needed, it is doable, but will not be as efficient as the above. Please state your use case clearly (without help of SPL) so volunteers can give you concrete help.
Assuming the values of the groupby field, namely field1, are stable ("output1", "output2"), the solution depends on how granular you want the timechart to be. If the timechart itself is 10min, the simplest solution would be

    index=sample sample="value1"
    | timechart span=10m count by field1
    | where output1 > 0.3 * output2

Else you need to perform stats twice as @gcusello suggests, but change the where command to fit your requirement. Consider a case where your timechart is sparser than 10m, say 1h. You can do

    index=sample sample="value1"
    | timechart span=10m count by field1
    | where output1 > 0.3 * output2
    | timechart span=1h sum(count)

To have a timechart more granular than 10min, you'll have to do some crazy math, but it's also doable.
CEF is a fairly annoying format to deal with. It has some parts defined one way, as delimited values, and others as key=value pairs. There is an app on Splunkbase for handling CEF events - https://splunkbase.splunk.com/app/487 But I don't remember if it's any good TBH.