All Posts

I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out. 
Is it possible to color the FONT text of the row, not the background, please? I need it done soon.

logLevel : INFO -> Blue
logLevel : WARNING -> Yellow
logLevel : ERROR -> Red

<format type="color">
  <colorPalette type="expression">
    <!-- a single case() expression instead of three comma-separated if() calls; the ERROR branch now uses a red hex value as the text describes -->
    case(match(value,"logLevel=INFO"),"#4f34eb",
         match(value,"logLevel=WARNING"),"#ffff00",
         match(value,"logLevel=ERROR"),"#d93f3c")
  </colorPalette>
</format>
The structure of the JSON in my log events is roughly as follows:

{
  "Info": {
    "Apps": {
      "ReportingServices": {
        "ReportTags": [ "Tag1" ],
        "UserTags": [ "Tag2", "Tag3" ]
      },
      "MessageQueue": {
        "ReportTags": [ "Tag1", "Tag4" ],
        "UserTags": [ "Tag3", "Tag4", "Tag5" ]
      },
      "Frontend": {
        "ClientTags": [ "Tag12", "Tag47" ]
      }
    }
  }
}

The number of fields in "Apps" is unknown, as are their names. Given this structure I need to check if a given tag ("Tag1", "Tag2", ...) exists in a given array ("ReportTags", "UserTags", [..]), regardless of parent. If it does, I need the distinct names of the parent fields that contain it.

Example 1: The input to the query is "ReportTags" and "Tag1". I'd expect it to output both "ReportingServices" and "MessageQueue" because both of them contain a "ReportTags" array that contains "Tag1".

Example 2: The input to the query is "UserTags" and "Tag5". I'd expect it to output only "MessageQueue" because only this one contains a "UserTags" array that contains "Tag5".

I have looked at various questions on this forum and tried various combinations of mvexpand and such, but I have not been able to write a query that does exactly this. Any hints and/or help would be greatly appreciated.
I'm sure there's *someone* here who can help, but they will need some help from you first. What exactly do you mean by "is not working" (that phrase should be banned here, IMO)?  What is it (not) doing?  How is the current behavior different from previous behavior? When did the behavior change?  What other changes happened around the same time? Is there anything in search.log for the alerts that might explain the change in behavior?
Suddenly the real-time alert is not working in Splunk. Can anyone help me with how to troubleshoot this issue?
Hi @inventsekar, here are the answers to your questions: This is a dev/test instance, and my colleagues are facing the same issue. I am using Splunk Enterprise (Splunk-9.2.1-78803f08aabb.x86_64.rpm) on SLES 12 SP5. Splunk is using its built-in Python 3.7. I tried reproducing the problem with several users with different levels of access and it occurred every time, including with the admin account (with the most access). Do you know where I could find the menu navigation XML file? Thank you for your help!
What would be the best approach for an IaC setup for Splunk Enterprise? Currently we are using an Azure VM and a .deb installation of Splunk Enterprise; installation and updates are done manually. We would like to improve this process to install Splunk from scratch and use a better setup:
1. install it in the AKS cluster
2. use a Docker approach
3. use Terraform for IaC
What would be the best-suggested approach here? We have a disk of around 1TB of data for Splunk. Thank you in advance.
^ this worked for me
Hi, I have a search which populates results with email addresses for 1000+ users. I need to send ONLY the results tagged to the appropriate user via email. I have tried a couple of solutions from the community, but they didn't help me. I want to combine all the results associated with an individual user and send them in one single email; as the data will be large, I don't want to spam their inbox. For example: results 4, 5 and 6 should be sent in one email only to malik@gmail.com, and so on for other users. Please suggest.
Thanks for the reply. I can confirm that if I set my profile preferences to "theme dark", the default app pages like "Search", "Alerts", "Reports", etc. in my app become dark. So yes, the following link is dark: https://mysplunk.com/en-GB/app/MyCustomApp/search  I checked all 18 different dashboards in the app, and all of them are still in light mode though. I expected all of them to be in dark mode now. There is no custom CSS or such in the dashboards. Is this as intended? Do I need to add some setting to all my dashboards to make them dynamically support light and dark mode? I could of course manually set the dashboards to dark mode, but then they would be stuck in dark mode, if I understand correctly. I want the dashboards to change dynamically between dark and light.
@gcusello What if I want to search multiple comma-separated keywords in the same text field?
Hello @somesoni2 @lguinn2 @landen99 @jonatanjosefson any solution on this? I want to specify source::mylog_* Thanks for your help!
Thanks for your reply. I couldn't get any result from this query. If I remove the where condition I get results. I ran the query with the last 4 hours as the time range:

time                  o/p1  o/p2
2024-11-09 01:02:00   1     1
2024-11-09 02:02:00   1     1
Hi @Ryan.Paredez,
We were able to fix the problem by disabling config.xd in the EUM snippet: config.xd = {enable : false};
Example:

<script charset='UTF-8'>
window['adrum-start-time'] = new Date().getTime();
(function(config){
  config.appKey = 'EUM-XYZ-ABC';
  config.adrumExtUrlHttp = 'https://cdn.appdynamics.com';
  config.adrumExtUrlHttps = 'https://cdn.appdynamics.com';
  config.beaconUrlHttp = 'https://eum.myappd.com';
  config.beaconUrlHttps = 'https://eum.myappd.com';
  config.xd = {enable : false};
})(window['adrum-config'] || (window['adrum-config'] = {}));
</script>
<script src='https://cdn.appdynamics.com/adrum/adrum-latest.js'></script>

Regards,
Khalid
Yeah, same for me. I assume that it is a "feature" of Splunk Add-on Builder because it uses the template from the UI to generate globalConfig.json and <appname>_rh_account.py and does not read the content of these files. So from my side the best option is to edit <appname>_rh_account.py and globalConfig.json, add new fields or edit existing ones, and keep a copy of these files somewhere. After each change in the Add-on Builder code editor you need to replace both files. Another option is to change the code directly in /bin/input_<inputname>.py and only change the app version in the properties. Then there will be no need to use the code editor and overwrite your changes. Unfortunately, when you want to add a new parameter to an input you will need to manually prepare a new version of globalConfig.json, because the best option will be to add it via the Add-on Builder UI and then add your custom modifications to it.
Hi, we use the app Splunk Add-on for Microsoft Cloud Services version 5.3.1 on our heavy forwarder. We ingest data from an event hub which is split into a lot of event hub names for different Microsoft services (e.g. SharePoint, Exchange etc.). The default sourcetype is "mscs:azure:eventhub" but the data isn't parsed with that. In some forums it was mentioned to use the sourcetype "ms:o365:management". Has someone had the same trouble finding the correct sourcetype? The app itself has a lot of config in props/transforms. Thanks
Hi @marnall, thanks a lot for your feedback! I also thought about using a password field instead of Global account settings. But I would have to re-enter the client secret every time I update the input, which is not a good experience for the end user. Again, this solution "works" but only temporarily, and I don't understand why it is not persistent.
Hello @nvonkorff, @tgombos. It didn't work for me. It works, but for example when I update the script of the add-on and then click the "Finish" button, it goes back to the default value. Did you have the same issue? Thanks,
Hi @hahhhaxin, for csv files you also have to add it to the UFs. Ciao. Giuseppe
Hi @BalajiRaju, try using stats, but you have to span the timestamps, e.g. every hour:

index=sample sample="value1"
| bin span=1h _time
| stats count BY _time field1
| where field1>30
| timechart values(count) AS count BY field1

Ciao. Giuseppe