All Posts

Does the error give any indication what's going on?   
Splunk got rid of DSP, which did that, and I'm aware that the aggregation features of DSP are something that EP is hopefully going to support at some point. Note that Cribl could do this if you really wanted to go that route, although it would entail another tech stack if you don't already use it.
@haph Could you try using Dashboard Studio? Some custom CSS or JavaScript used in Classic dashboards may not work well with Safari/iOS. Regards, Prewin. Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Thank you for your support. However, my case is a little bit complex, as we have multiple URLs in one field for each row in the table chart. How can I dynamically display all of the URLs in this field?
Hi Prewin27, thank you very much for your advice. Sorry, my mistake. The old version is 7.1.2.
Hi livehybrid, thank you very much for your advice. Sorry, my mistake. The old version is 7.1.2.
That's a shame, but reasonable I suppose. This feature should be resource heavy as it would need to keep a bunch of data in memory running "searches" with a high frequency, but it would have been a nice fix for my problem. 'pruned' is an understatement. Not to give it all away (in case someone happens to google their way here) but I've repeatedly pointed out that "you do not need to check if you're running on a virtual machine/VPS once every hour, every day, forever". Especially if you are the service provider and know that you will never ever ever ever run on "Alibaba Cloud" and most likely never use QEMU. But that's a problem related to "drop-in solutions" for metric collection which no one has any interest in optimizing and over which I have no control. Hence, insanely detailed grep solutions and allowing some completely pointless audit log to trickle in is just the way it has to be for now. Thank you for your feedback, much appreciated.
Hi @CyberSamurai, try to avoid using join: Splunk isn't a relational database and join is a very slow command! My solution is more efficient. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors
Hi @BradOH , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

Just a further note, you will probably need to add the image domain to your dashboards_trusted_domain settings:
For Splunk Cloud see https://help.splunk.com/en/splunk-cloud-platform/administer/admin-manual/9.3.2408/configure-your-splunk-cloud-platform-deployment/configure-dashboards-trusted-domains-list
For Splunk Enterprise see https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/ConfigureDashboardsTrustedDomainsList
In short, I was able to run the following curl command to set a domain for my testing (as an example):
    curl -k -u admin:topsecretpassword https://192.168.0.222:8089/servicesNS/nobody/system/web-features/feature:dashboards_csp -d dashboards_trusted_domain.testing=https://beta.dashpub.online
Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.


Hi @phupn1510 Here is another example using Dashboard Studio:
    {
      "title": "ImageDashboardStudio",
      "description": "",
      "inputs": {},
      "defaults": {
        "dataSources": {
          "ds.search": { "options": { "queryParameters": {} } }
        }
      },
      "visualizations": {
        "viz_BDEO1QhV": {
          "options": { "markdown": "This is a splunk.image" },
          "type": "splunk.markdown"
        },
        "viz_frONH0n1": {
          "options": { "markdown": "This is markdown\n![]($imgSearch:result.imageUrl$)" },
          "type": "splunk.markdown"
        },
        "viz_vNXqSiui": {
          "dataSources": { "primary": "ds_2vTXdmuT" },
          "options": {
            "count": 20,
            "dataOverlayMode": "none",
            "drilldown": "none",
            "showInternalFields": false,
            "showRowNumbers": false
          },
          "type": "splunk.table"
        },
        "viz_zje45yZK": {
          "options": {
            "preserveAspectRatio": true,
            "src": "$imgSearch:result.imageUrl$"
          },
          "type": "splunk.image"
        }
      },
      "dataSources": {
        "ds_2vTXdmuT": {
          "name": "imgSearch",
          "options": {
            "enableSmartSources": true,
            "query": "|makeresults | eval imageUrl=\"https://beta.dashpub.online/screenshots/608f9a7d4726e06206c78ccbb488832f.jpg\"",
            "queryParameters": { "earliest": "-24h@h", "latest": "now" }
          },
          "type": "ds.search"
        }
      },
      "layout": {
        "globalInputs": [],
        "layoutDefinitions": {
          "layout_1": {
            "options": { "display": "auto", "height": 500, "width": 1440 },
            "structure": [
              { "item": "viz_vNXqSiui", "position": { "h": 250, "w": 720, "x": 0, "y": 0 }, "type": "block" },
              { "item": "viz_zje45yZK", "position": { "h": 200, "w": 300, "x": 1090, "y": 70 }, "type": "block" },
              { "item": "viz_frONH0n1", "position": { "h": 200, "w": 300, "x": 730, "y": 60 }, "type": "block" },
              { "item": "viz_BDEO1QhV", "position": { "h": 30, "w": 300, "x": 1090, "y": 60 }, "type": "block" }
            ],
            "type": "absolute"
          }
        },
        "options": {},
        "tabs": {
          "items": [
            { "label": "New tab", "layoutId": "layout_1" }
          ]
        }
      }
    }
Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.


Hi @phupn1510 Here is an example using classic dashboards:
    <dashboard version="1.1" theme="light">
      <label>ImageClassic</label>
      <row>
        <panel>
          <table>
            <search>
              <query>|makeresults | eval imageUrl="https://beta.dashpub.online/screenshots/608f9a7d4726e06206c78ccbb488832f.jpg"</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
              <done>
                <set token="image_url">$result.imageUrl$</set>
              </done>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
        <panel>
          <html>
            <a href="$image_url$" target="_blank">
              <img src="$image_url$" width="500"/>
            </a>
          </html>
        </panel>
      </row>
    </dashboard>
Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.

Hi @Alan_Chan  This sounds like your event_hub_namespace is incorrect, or cannot be resolved using the DNS server on your Splunk instance. The Azure Event Hub Namespace (FQDN). On portal.azure.com, on your Event Hubs Namespace page, the event_hub_namespace is displayed as Host Name in the Essentials section. It has the following formatting: .servicebus.windows.net. Firstly, please validate that this is configured correctly. If this is correct then check that you can resolve this from your system: nslookup <yourEventHubNamespace>.servicebus.windows.net. Alternatively you could use "dig" if your system has it. Does this resolve to an IP address? If not then you will need to investigate further why it is not resolving, I'd start by trying to resolve other known dns entries (e.g. google.com) to confirm your DNS resolution is working.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
I have a dashboard to show a statistic about user events. I have a field that returns dynamic URLs and I want to show the image from that URL. Alternatively, it can be a hyperlink to click on to open the image in another browser. Currently, I have tested on both Dashboard Studio and Dashboard Classic. Thank you
@genesiusj  Standalone ITSI and Search Head Clusters (SHC) do not automatically share knowledge objects. To ensure your ITSI instance has the necessary tags, you must manually install the required apps or deploy them via the Deployment Server. Alternatively, you can create a custom app containing all your knowledge objects and deploy it to both your SHC and ITSI environments. This approach ensures consistency and simplifies management across both platforms. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

@gcusello
    acceleration.backfill_time = 12h
    acceleration.max_time = 1800
    acceleration.manual_rebuilds = true
Can you add this to your .conf and check how it's running now?

@Alan_Chan The error you highlighted looks like a DNS resolution failure, not an authentication failure. Can you double check your event_hub_namespace? #https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Configureeventhubs/ Perform nslookup/ping/wget to your event hub namespace FQDN and verify. Regards, Prewin. Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
One more question: should I go to HEC and copy and paste that link, right? Can you please give me an example of what that HEC link should look like? E.g. my link looks like this: https://splunkcloudname.com/httpcollector

I am using the Splunk Add-on for Microsoft Cloud Services to retrieve Event Hub data in Splunk Cloud, but I encountered the following error in the internal log.
    2025-07-09 02:16:40,345 level=ERROR pid=1248398 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=mscs_azure_event_hub.py:run:925 | datainput="Azure_Event_hub" start_time=1752027388 | message="Error occurred while connecting to eventhub: Failed to authenticate the connection due to exception: [Errno -2] Name or service not known
    Error condition: ErrorCondition.ClientError
    Error Description: Failed to authenticate the connection due to exception: [Errno -2] Name or service not known
The credentials should not be an issue, as I am using the same credentials in FortiSIEM and successfully get the data from event hub. Could anyone help identify the cause of the issue and suggest how to resolve it?

You could also look at ingest actions https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/DataIngest which gives you a slightly easier way to achieve the same thing - at least it can be done in the UI, so you can get an interactive way of seeing the results of your configuration.