All Posts
Hello @niketn,

Thanks for your help and contributions to the Splunking community. I have a question for you: can we remove the categories from a Splunk dashboard made with the Dashboard Studio app? Since they're JSON, I tried using "xAxisText":"" to no avail.

Thanks in advance!
Thanks all,

I've split out the Forwarded events and subscriptions to be more granular, and the dedicated Sysmon channel plus the TA is working well. I think we're roughly running 9 minutes behind, which isn't too bad, but I want to ensure we don't miss any logs. I'm still collecting some event IDs but not seeing them in Splunk at all; I am seeing them in other solutions. Can I increase the cache size of the universal forwarder itself? I've increased persistentCacheSize to 10GB, but I'm unsure if I've set this property correctly or if it impacts the windows_TA.

Thanks
@uagraw01 Please refer to this: https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/Authorizeconf

Based on what I see, the role might have inherited "admin_all_objects" from a different role. Also check the "edit_own_objects" and "list_all_objects" capabilities.

[capability::admin_all_objects]
* Lets a user access all objects in the system, such as user objects and knowledge objects.
* Lets a user bypass any Access Control List (ACL) restrictions, similar to the way root access in a *nix environment does.
* The Splunk platform checks this capability when accessing manager pages and objects.

Use this:

./splunk btool authorize list role_Splunk_engineer --debug

If this helps, please upvote.
Data Flow:
- Data goes DIRECTLY from the UF to the indexers on port 9997 (not to the cluster manager)
- The Cluster Manager only handles configuration distribution

Configuration Management:
- Props and transforms configs are deployed via the cluster manager
- These configs are pushed to the index peers via the index cluster bundle

Processing Location:
- All parsing happens on the indexers (index peers)
- Each indexer applies the deployed configurations independently

For Deep Understanding:
Refer: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774
Review the props.conf documentation: docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Propsconf
docs.splunk.com/Documentation/ITSI/4.17.0/Configure/transforms.conf

Since there are many pipeline components, I encourage you to read through these resources for a complete understanding. Simple Data Flow here.

If this helps, please upvote.
(Attaching the updated docs link since my prior comment, as the URL has changed: https://dev.splunk.com/enterprise/docs/developapps/createapps/buildapps/adduithemes) @hettervik could you please confirm that the search page in your app context is displaying correctly (ex. /en-US/app/MyCustomApp/search)? Also, curious what pages specifically are light mode for your app that you're expecting to be dark? Custom app pages will require additional updates for related files.
Please can you show an example of where the events are not sorted by these two fields?
How do you know which response is related to which request?
Hi, We've installed this app and tried configuring it to send Splunk alerts to Jira. After entering the API URL and key and hitting 'Complete Setup,' it keeps redirecting back to the configuration page. Is anyone else experiencing this issue on Splunk Cloud?
If I understand correctly, you want to persist the stage set in the dropdown for a particular event in the table. You would have to manage that yourself, by storing the stage you set in the dropdown in a lookup associated with the row you are editing; then, in your search, you would need to look up the event against that lookup to find any previously set Stage for the appropriate event, assuming the time/date are within your bounds.

As the JS implies, the 'BasicCellRenderer' is just that: it's simply for rendering the table visually, and will not store anything for you. You could possibly set a token in the JS when the dropdown value is changed and then have some additional logic that saves the state of the event to the lookup. You would need to find a way to identify the event, e.g. based on a hash of the data or some unique id.
I've been pondering over this example for a couple of days now and I'm still lost as to how to change my current setup to allow the third field to determine which query to run based on what software version a customer has.

I'm struggling to understand what "$tok_searchfieldvalue$" represents and how displaying it in a panel will inform the dashboard which of the two queries to run and display results from. Using the <choice value=......> in the fieldset section is something I haven't worked with before, so I'll go try to find more documentation or online use cases for this and see if I can apply those to my situation.

Can I have more than two of these <choice value=....> lines? And then could I use one of them to tell the dashboard to, say, hide one panel but unhide the other one and display its results?

I appreciate the attempt to help me, but I fear I may be too new to these dashboard customizations to grasp how your example applies to mine.
Also, if there is a way to locate these events with the help of the "rex" command, let me know so that I can use that as well.
Both the request and response are from the same API. It's just that I could not use spath to specify the path of bannerid and location code to get those values. Please help.
I don't have any plain text data. All the data are fed as Request and Response into Splunk, from which I need to retrieve bannerID and location codes. Could you please help me with how to retrieve that in Splunk?
You don't need a subsearch, and using join/append is rarely necessary and should be avoided where possible; subsearches have limitations. You just need to search both datasets at the start with an (A) OR (B) search, then collect them together with stats. I am not sure why you are using eventstats; you don't need that and it will not perform well anyway. Try this:

(index=a component=serviceA "incoming data") OR (index=a component=serviceB "data from")
| stats values(name) as name, values(age) as age, values(parentName) as parentName, values(parentAge) as parentAge by id1, id2
| eval mismatch=case(isnull(name) AND isnull(age), "data doesn't exist in serviceA", isnull(parentName) AND isnull(parentAge), "data doesn't exist in serviceB", true(), "No mismatch")
| table name, age, parentAge, parentName, mismatch, id1, id2
Hi all, I'm trying to figure out a way to edit the alert that is sent to PagerDuty. Currently I have a bunch of alerts that are being sent to the notable index, and then a single alert that searches that index and is sent to PagerDuty. The problem is, the alert is sending the name of the original alert in the "alert" section (not the notification). Is there a way I can edit the catch-all alert so that it doesn't send the name of the original alert?
You need to use the proper field name, prefixed by the dataset name. I don't know your datamodel, but as an example, with one of the CIM datamodels, it's not

| tstats count from datamodel=Network_Traffic by src_ip

but

| tstats count from datamodel=Network_Traffic by All_Traffic.src_ip

Of course you need to adjust it to your datamodel.
Unless you explicitly do something to the data (for example, add an indexed field containing the name of the forwarder) Splunk doesn't keep this kind of metadata.
you can try REPORT instead of TRANSFORMS in props.conf
You can check the field called "splunk_server".