Thank you. So the acceptable solution to these issues is to adjust thresholds to not trigger under "normal operation". The follow-up regarding threshold settings: from what I understand these alerts are generated locally on the indexers in the indexer cluster. The health.conf settings are apparently not synced in an indexer cluster, only in the search head cluster, where any changes have no effect (already tried). If thresholds are to be modified in the indexer cluster, what file and values are of interest to push from the manager to change relevant thresholds? I have not been able to identify these in the documentation. If not in the indexer cluster, then where?
Hi @XOR. You shouldn't need to add the port in the Prisma config as Splunk Cloud uses the default HTTPS port for HEC receiving. I assume the URL you used starts with https://? As far as I know there is no option to add an index into the Prisma configuration, therefore the data will go into the default index you selected when you created the HEC token. Are you able to confirm that this is the index that you are checking in? Regarding the service/collector or /service/collector/events, you should be able to use the first, or "/services/collector/event" - note no "S" on the end. Prisma Cloud sends HEC events so this is the correct endpoint to use.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
If you want to see actions performed then something like this:
index=_dsappevent earliest=-24h
| table _time data.action data.appName data.clientId data.result
| append [ tstats first(data.hostname) as hostname, first(data.dns) as dns_name, first(data.ip) as ip WHERE earliest=-24h index=_dsclient by data.clientId]
| stats values(*) as * by data.clientId
| table hostname dns_name ip *
The Forwarder Management page in the DS will do that for you.  If it doesn't show what you want then please tell us your use case and we can suggest something.
Hi @rk60422. Here are some starters which might help:
List of clients (and some useful info):
| tstats first(data.hostname) as hostname, first(data.dns) as dns_name, first(data.ip) as ip, first(data.splunkVersion) as splunkVersion, first(data.package) as package WHERE index=_dsclient by data.clientId
Latest phonehome time by clientId:
| tstats latest(_time) as latest_phonehome where earliest=-24h index=_dsphonehome by data.clientId
| eval friendlyPhonehomeTime=strftime(latest_phonehome,"%Y-%m-%d %H:%M:%S")
These could be combined to get the last phonehome with the additional info:
| tstats latest(_time) as latest_phonehome where earliest=-24h index=_dsphonehome by data.clientId
| eval friendlyPhonehomeTime=strftime(latest_phonehome,"%Y-%m-%d %H:%M:%S")
| append [ tstats first(data.hostname) as hostname, first(data.dns) as dns_name, first(data.ip) as ip, first(data.splunkVersion) as splunkVersion, first(data.package) as package WHERE earliest=-24h index=_dsclient by data.clientId]
| stats values(*) as * by data.clientId
Well, helllooooo. Definitely not obvious, but this will do the trick nicely.  Thanks for sharing!
Thanks, that's what we're doing now for the individual lookups, but I was hoping to find an option to build this dynamically, similar to the saved source option in navigation xml. Well at least that confirms I wasn't missing something obvious!
The IOWait health check is far too sensitive.  The threshold should be adjusted so normal activity does not trigger an alert.
Hello community, I have a question which has been floating around here for quite some time and though I've seen quite a few conversations and tips, I have not found a "single definitive source of truth". At some point, some time ago, when bumping Splunk from v8 to v9 we started noting IOWait alerts from the health monitor. I've checked our resource usage on our indexers (which are generating the alerts) and the cause of the alert seems to be spikes in resource usage. 3 out of x indexers have spikes in resource usage within 10 minutes which triggers an alert. Most of the time these alerts seem wound really tight and the alerts somewhat overblown; on the other hand they should be there for a reason and I am not sure if tuning the alert levels is the right way to go. I have gone through the following threads:
https://community.splunk.com/t5/Monitoring-Splunk/Why-is-IOWait-red-after-upgrade/m-p/600262#M8968
https://community.splunk.com/t5/Deployment-Architecture/IOWAIT-alert/m-p/666536#M27634
https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-receiving-this-error-message-IOWait-Resource-usage/m-p/578077#M10932
https://community.splunk.com/t5/Splunk-Search/Configure-a-Vsphere-VM-for-Splunk/td-p/409840
https://community.splunk.com/t5/Monitoring-Splunk/Running-Splunk-on-a-VM-CPU-contention/m-p/107582
Some recommendations exist to either ignore or adjust thresholds. Continuously ignoring seems like a slippery slope to desensitization and continuously monitoring adds to the risk of alert fatigue. Others recommend ensuring adequate resources to solve the core issue, which seems logical though I am unsure regarding how. I am left with two questions:
1) What concrete actions could be taken to minimize the chance of these alerts/issues in a deployment based on VMWare Linux servers? In other words, what can/should I forward to the server group that they can work with, check and confirm in order to minimize the chance of these alerts?
2) What recommendations, if any, exist regarding modifying default thresholds? I could set thresholds high enough to not alert on "normal activity"; is this the recommended adjustment or are there any concrete recommended modifications?
Hi @BradOH, the only solution is to open a lookup using the Lookup Editor app (https://splunkbase.splunk.com/app/1724), adding a row like the following in the menu App editor:
<a href="/app/lookup_editor/lookup_edit?owner=nobody&amp;namespace=myapp&amp;lookup=mylookup&amp;type=csv">MyLookup</a>
Ciao. Giuseppe
Hi @BradOH. It's not possible to limit the display on the lookup editor app page by passing params in the URI, however this might (??) help... I'm using the rest endpoint "/services/data/lookup-table-files/" to get a table of lookups including their app and owner, then setting this as a table in a dashboard which, when you click on the row, takes you to the edit page in the lookup editor app (e.g. "/en-US/app/lookup_editor/lookup_edit?owner=nobody&namespace=Splunk_Security_Essentials&lookup=account_status_tracker.csv&type=csv"). Here is the JSON for the dashboard studio dashboard if this helps:
{
  "title": "LookupDrilldown",
  "description": "",
  "inputs": {},
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "earliest": "$global_time.earliest$",
            "latest": "$global_time.latest$"
          }
        }
      }
    }
  },
  "visualizations": {
    "viz_wTIE1OIS": {
      "dataSources": {
        "primary": "ds_lwh4A7Zo"
      },
      "eventHandlers": [
        {
          "options": {
            "tokens": [
              {
                "key": "row._uri.value",
                "token": "uri"
              }
            ]
          },
          "type": "drilldown.setToken"
        },
        {
          "options": {
            "newTab": true,
            "url": "$uri$"
          },
          "type": "drilldown.customUrl"
        }
      ],
      "options": {
        "count": 20,
        "dataOverlayMode": "none",
        "drilldown": "none",
        "showInternalFields": false,
        "showRowNumbers": false
      },
      "type": "splunk.table"
    }
  },
  "dataSources": {
    "ds_lwh4A7Zo": {
      "name": "Table search",
      "options": {
        "query": "| rest /services/data/lookup-table-files/\n| eval _uri=\"/en-US/app/lookup_editor/lookup_edit?owner=\".'eai:acl.owner'.\"&namespace=\".'eai:acl.app'.\"&lookup=\".title.\"&type=csv\"\n| table eai:acl.app title eai:acl.owner _uri",
        "queryParameters": {
          "earliest": "-24h@h",
          "latest": "now"
        }
      },
      "type": "ds.search"
    }
  },
  "layout": {
    "globalInputs": [],
    "layoutDefinitions": {
      "layout_1": {
        "options": {
          "display": "auto",
          "height": 960,
          "width": 1440
        },
        "structure": [
          {
            "item": "viz_wTIE1OIS",
            "position": {
              "h": 250,
              "w": 1440,
              "x": 0,
              "y": 0
            },
            "type": "block"
          }
        ],
        "type": "absolute"
      }
    },
    "options": {},
    "tabs": {
      "items": [
        {
          "label": "New tab",
          "layoutId": "layout_1"
        }
      ]
    }
  }
}
Hey there, I'm trying to create a custom/filtered list of lookups to simplify edits by end users pulling reports. I've dug through the docs and can't find anything, although perhaps I'm missing it in my searches. What I was hoping would be to add a custom HREF link in the menu to a filtered lookup list, but it doesn't appear the lookup_list accepts parameters (or I haven't found the right ones). For example... https://splunk-srvr/en-US/app/lookup_editor/lookup_edit?namespace=user_reports_app&type=csv If this isn't possible, the other option I had thought of was a dashboard section with a filtered list of the appropriate lookups similar to the Lookup App overview page, but this appears to be built directly in the app using javascript and not something easily replicated. Have I missed something completely obvious, or is this even possible? Thanks!
I have a modified version of the mitre matrix TA, but if I understand it correctly it uses a few things: a Javascript file (.js), a Stylesheet file (.css) and the Source on a Dashboard. At the top of the source of your Dashboard write the following:
<form script="jsFileName.js" stylesheet="cssFileName.css" version="1.1" theme="light">
Now I have to call portions of my .js file in for a table to work accordingly but that may differ from your dashboard. Here I have to call the components of 'mitrematrix' into my table from the .js. Dashboard source: Something to keep in mind. --- If this reply helps you, Karma would be appreciated.
Hi, we use iPads in our production area to display Splunk dashboards. The dashboards are classic ones with enhanced JS/CSS functionality but standard dashboard searches. We have the issue that sometimes the searches are not run. When we inspect the console/network within Safari dev settings, the request is sent but after 50ms an error occurs and no response is received. If we try again, mostly the search runs as expected. On Windows devices those problems never occurred. Our network department says there are no network issues. Anybody have a similar problem? Thanks!
Did this error resolve? If yes, how? @arber
Has anyone figured out how to successfully join the three new _DS indexes into a meaningful report? I would like to create a report that shows me when a UF/HF phoned home and what actions it may have performed.
Hi guys, I'm trying to customize an app I created. For the dashboards, I placed the CSS file in appserver/static and linked it in the dashboard using stylesheet="my.css". How does it work for the app's CSS? Where should I put the CSS file? Do I also need to reference it in any .conf file? Thanks for your attention.  
Hi @PrewinThomas , I configured a summary range of 2 days to reduce the summarization time, but data have a retention of 30 days and anyway searches are always on the last 10-15 minutes. Ciao. Giuseppe
When you set up the alert - what app are you using? Wondering if it’s a permission issue? My alert is defined in the search app.
Hi at all, I noted that there are very many buckets, do you think that it could be useful to enlarge the bucket dimension from the default (750 MB) to a larger value (e.g.: 1500 MB)? Even if the effect will be sensible in the future. Ciao. Giuseppe