As I said earlier, if you want to use a hashed password instead of plain text, then you must use the same splunk.secret on both nodes.
Here's what I ended up doing: Created a dropdown for the versions and added conditions in that to pass to the panels with the queries. Then I added a row at the top that displays for the user which version to pick from the dropdown. This wasn't what I had in mind, but for now it works. Below is the dashboard code in case anyone smarter and more experienced happens to notice something I could improve on.

<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>
This is an old question, but I still comment here in case someone needs it later. When you are using a hashed password in user-seed.conf you must hash it with the same splunk.secret string as you have in your new server! If you have hashed it with some other random splunk.secret and in the new server you have something else in splunk.secret, those won't match, as the hash keys were different.
Here's what I've ended up doing until I can find another solution. I created a dropdown for the version and set up conditions that I then passed to the panels below with my queries to indicate which one to display. I added two panels at the top that tell the user which version to choose from the Marina Version dropdown.

<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>

Having the user use the version dropdown was not what I wanted to do, but this at least works for now until I stumble upon a better method.
As @ITWhisperer says, you can use selections. See the documentation here https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#selection_.28area.2C_column.2C_and_line_charts.29  
One additional comment which hasn't been mentioned yet. There are upper limits for buckets in clusters (if I recall right, both per node and per cluster). Normally this is not an issue, but if you have a quite active site which has hundreds/thousands of sources and TB/PB ingested per day, you could hit those limits.
I think that currently XMLWinEventLog is used, at least on those nodes which I can check now.
Are you able to show that query? Using subsearches will not work for datasets where the subsearch has more than 50k results - not sure what your meaning of a 'large' dataset is. If you can show an anonymised version of each of the data sets and show the relationships it will help us provide a solution.  
If your lookup only contains hostname, ip address and location, how will you find any events where MESSAGE_TEXT="Radius"?
I have a lookup file that contains a column for hostname, ip address and location. I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

|inputlookup filename | search (MESSAGE_TEXT="Radius")
Hi there, Please contact your Splunk sales account team for this, they are able to help you. cheers, MuS
Reply: Can we enforce the data to be rolled from Hot/Warm to Cold after one month and then from Cold to frozen after one month?
Hello Splunker,

I have two volumes with the following specs:
Hot/Warm Volume: 5.25 TB
Cold Volume: 4.75 TB

================================
[volume:hot]
path = /opt/splunk-hwdata
maxVolumeDataSizeMB = 7602176

[volume:cold]
path = /opt/splunk-Colddata
maxVolumeDataSizeMB = 4980736
==================================
[Win]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume

[FW]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume
====================================

Notice we have re-configured the below:
[diskUsage]
minFreeSpace = 20000

Finally, we have reached the bottom of the question. I doubt whether this configuration can meet the requirements below:
The data retention period for the online data is 2 months.
- Hot/Warm: 1 month
- Cold: 1 month
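The retention question in the post above turns on which of the posted settings are age-based. As an added example (not Splunk code and not from the original post), the Python below models the bucket lifecycle with the values from the posted indexes.conf: frozenTimePeriodInSecs (5184000 s, i.e. 60 days) is the only age-driven rule and it freezes a bucket in whatever tier it sits, while the warm-to-cold roll is triggered by maxWarmDBCount and homePath.maxDataSizeMB, oldest bucket first, and cold-to-frozen additionally by coldPath.maxDataSizeMB. Hot buckets, the volume limits and maxTotalDataSizeMB are left out of this simplified model, and the bucket list is constructed for the demonstration.

```python
from dataclasses import dataclass

# Values copied from the indexes.conf in the post above.
FROZEN_TIME_PERIOD_IN_SECS = 5184000   # 60 days
MAX_WARM_DB_COUNT = 720
HOMEPATH_MAX_DATA_SIZE_MB = 7602176
COLDPATH_MAX_DATA_SIZE_MB = 4980736
DAY = 86400


@dataclass
class Bucket:
    name: str
    tier: str            # "warm", "cold" or "frozen"; hot buckets are not modelled
    size_mb: int
    latest_event: int    # epoch seconds of the newest event in the bucket


def oldest_first(buckets, tier):
    """Buckets of one tier, oldest (by newest event) first: the eviction order."""
    return sorted((b for b in buckets if b.tier == tier), key=lambda b: b.latest_event)


def roll_buckets(buckets, now,
                 frozen_secs=FROZEN_TIME_PERIOD_IN_SECS,
                 max_warm=MAX_WARM_DB_COUNT,
                 home_max_mb=HOMEPATH_MAX_DATA_SIZE_MB,
                 cold_max_mb=COLDPATH_MAX_DATA_SIZE_MB):
    """Apply one pass of the simplified lifecycle rules; return {bucket name: tier}.

    Hypothetical model for illustration only: real Splunk also consults volume
    sizes, maxTotalDataSizeMB and the hot-bucket rules, which are ignored here.
    """
    # 1. Age: frozenTimePeriodInSecs is the only time-based rule, and it applies to
    #    a bucket in any tier, so an old warm bucket is frozen without ever being cold.
    for b in buckets:
        if b.tier != "frozen" and now - b.latest_event > frozen_secs:
            b.tier = "frozen"

    # 2. warm -> cold: only count (maxWarmDBCount) and size (homePath.maxDataSizeMB)
    #    trigger it, oldest bucket first. There is no age check at this step.
    warm = oldest_first(buckets, "warm")
    while warm and (len(warm) > max_warm or sum(b.size_mb for b in warm) > home_max_mb):
        warm.pop(0).tier = "cold"

    # 3. cold -> frozen on size (coldPath.maxDataSizeMB), again oldest first.
    cold = oldest_first(buckets, "cold")
    while cold and sum(b.size_mb for b in cold) > cold_max_mb:
        cold.pop(0).tier = "frozen"

    return {b.name: b.tier for b in buckets}


def demo(now=100 * DAY):
    # Constructed buckets: 61 days, 45 days and 1 day old, all still warm.
    buckets = [
        Bucket("db_61d", "warm", 1024, now - 61 * DAY),
        Bucket("db_45d", "warm", 1024, now - 45 * DAY),
        Bucket("db_1d", "warm", 1024, now - 1 * DAY),
    ]
    return roll_buckets(buckets, now)


if __name__ == "__main__":
    for name, tier in demo().items():
        print(f"{name}: {tier}")
```

Run as written, the 45-day-old warm bucket stays warm and the 61-day-old one is frozen straight from warm: the posted settings enforce a 60-day online retention, but not a one-month split between the tiers. That split only happens when the count or size limits push the oldest warm buckets to cold.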
Hi there, Can you please post an example _raw event in a code block, thanks. cheers, MuS
This isn't as convenient as I'd hoped, but we ended up putting together a custom code block to build a clickable URL which can be shared.

import urllib.parse

# This line won't change between different searches
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="

# This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"

# This is optional, Splunk will use your default if you don't include it.
# Times should be epoch format; start and end are the epoch values you supply.
time_range = f"&earliest={start}&latest={end}"

# Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable)
# and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range
A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.
Hello, I'm trying to extract fields from an event, but am not up to par on my regex, and I can't seem to get this to work. So these work in regex101, but not within the Splunk Field Extraction for some reason.

Within the event there is the following:
"alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,"

I need to create 3 fields from this:
Host = FL-NS-VPX-INT-1
ServiceGroup = mobileapist
Server = vnetapis003

When trying for Host with:
(?<="alias":")[^|]*
It never finds it in Splunk. Can't figure out why.

Extra credit: Just kidding. The last field I need, I can't get either with:
(?<="team","name":")[^"]*
"team","name":"Monitoring_Admin"}],

Here's the full event as well.
INFO[2024-11-13T13:37:23.9114215-05:00] Message body: {"actionType":"custom","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","ownerDomain":"integration","ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","discardScriptResponse":true,"sendCallbackToStreamHub":false,"requestId":"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a","action":"Close","productSource":"Opsgenie","customerDomain":"siteone","integrationName":"Opsgenie Edge Connector","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","customerTransitioningOrConsolidated":false,"source":{"name":"","type":"system"},"type":"oec","receivedAt":1731523037863,"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","params":{"type":"oec","alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","integrationName":"Opsgenie Edge Connector","integrationType":"OEC","customerDomain":"siteone","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","receivedAt":1731523037863,"customerConsolidated":false,"customerTransitioningOrConsolidated":false,"productSource":"Opsgenie","source":{"name":"","type":"system"},"alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf"},"integrationType":"OEC","alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"customerConsolidated":false,"customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"}} messageId=7546739e-2bab-414d-94b5-b0f205208932

Thank you for all the help on this one,
Thanks,
Tom
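The patterns in the post above rely on lookbehind alone, and Splunk's rex command and field extractor only create fields from named capture groups, so there is nothing for the match to land in. As an added example (not from the original post and not Splunk's own code), the Python below extracts the same three alias fields plus the responder team name from a trimmed, constructed copy of the posted event. Python spells a named group (?P<Host>...), while Splunk's PCRE wants (?<Host>...); the pattern body is the same in both engines, and a small helper converts one spelling to the other.

```python
import re

# Constructed sample: a trimmed copy of the Opsgenie event body shown in the post,
# enough to exercise the extractions. Field names follow the post.
SAMPLE_EVENT = (
    'INFO[2024-11-13T13:37:23.9114215-05:00] Message body: '
    '{"action":"Close","alert":{"message":"[Splunk] Load Balancer Member Status",'
    '"alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,",'
    '"responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5",'
    '"type":"team","name":"Monitoring_Admin"}],"priority":"P3"}}'
)

# One regex with named groups for the alias value Host|ServiceGroup?Server?port,
# anchored on the literal "alias":" key so the match cannot start elsewhere.
# Each class excludes the quote so a malformed alias cannot run into the next key.
ALIAS_RE = re.compile(
    r'"alias":"(?P<Host>[^|"]+)\|(?P<ServiceGroup>[^?"]+)\?(?P<Server>[^?"]+)\?'
)

# Responder team name: anchor on the "type":"team" key that precedes the name.
TEAM_RE = re.compile(r'"type":"team","name":"(?P<TeamName>[^"]+)"')


def extract_fields(event: str) -> dict:
    """Return the extracted fields, or an empty dict if the alias is absent."""
    m = ALIAS_RE.search(event)
    if not m:
        return {}
    fields = m.groupdict()
    t = TEAM_RE.search(event)
    if t:
        fields["TeamName"] = t.group("TeamName")
    return fields


def to_splunk_regex(py_pattern: str) -> str:
    """Rewrite Python named groups into the (?<name>...) form Splunk expects."""
    return py_pattern.replace("(?P<", "(?<")


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    # The same pattern, ready to paste after `| rex field=_raw` in a search.
    print(to_splunk_regex(ALIAS_RE.pattern))
```

The converted pattern is what you would put in the field extractor or after `| rex field=_raw` in a search; the Python run only confirms that the groups capture the values the post asks for.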
This is a request to add the steps for adding Splunk Enterprise Security to my enterprise account. Thanks.
Yes, you probably can get a Splunk Cloud stack (more than just a license), but it most likely will not be free beyond the initial (7 days) trial period.
Currently running Splunk 9.3.0, IT Essentials Work 4.18.1, VMware Dashboards and Reports content pack 1.2.0. All dashboards in the VMware Dashboards and Reports app where there is a "Quick Search" free text option are not working. It used to provide a list, as you typed, of matching hosts/VMs depending on the dashboard. Now I can't get it to do anything. Can anyone provide what the data source is for this input? I think I am probably missing a lookup file but cannot find which one. For example, this shows the radio button that gets you to the text input. The radio button works but the text input does nothing.