All Posts

Well, helllooooo. Definitely not obvious, but this will do the trick nicely. Thanks for sharing!
Thanks, that's what we're doing now for the individual lookups, but I was hoping to find an option to build this dynamically, similar to the saved source option in navigation xml. Well at least that confirms I wasn't missing something obvious!
The IOWait health check is far too sensitive. The threshold should be adjusted so normal activity does not trigger an alert.
Hello community, I have a question which has been floating around here for quite some time and though I've seen quite a few conversations and tips, I have not found a "single definitive source of truth". At some point, some time ago, when bumping Splunk from v8 to v9 we started noting IOWait alerts from the health monitor. I've checked our resource usage on our indexers (which are generating the alerts) and the cause of the alert seems to be spikes in resource usage. 3 out of x indexers have spikes in resource usage within 10 minutes, which triggers an alert. Most of the time these alerts seem wound really tight and somewhat overblown; on the other hand they should be there for a reason and I am not sure if tuning the alert levels is the right way to go. I have gone through the following threads:
https://community.splunk.com/t5/Monitoring-Splunk/Why-is-IOWait-red-after-upgrade/m-p/600262#M8968
https://community.splunk.com/t5/Deployment-Architecture/IOWAIT-alert/m-p/666536#M27634
https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-receiving-this-error-message-IOWait-Resource-usage/m-p/578077#M10932
https://community.splunk.com/t5/Splunk-Search/Configure-a-Vsphere-VM-for-Splunk/td-p/409840
https://community.splunk.com/t5/Monitoring-Splunk/Running-Splunk-on-a-VM-CPU-contention/m-p/107582
Some recommendations exist to either ignore or adjust thresholds. Continuously ignoring seems like a slippery slope to desensitization and continuous monitoring adds to the risk of alert fatigue. Others recommend ensuring adequate resources to solve the core issue, which seems logical, though I am unsure regarding how. I am left with two questions:
1) What concrete actions could be taken to minimize the chance of these alerts/issues in a deployment based on VMware Linux servers? In other words, what can/should I forward to the server group that they can work with, check and confirm in order to minimize the chance of these alerts?
2) What recommendations, if any, exist regarding modifying default thresholds? I could set thresholds high enough to not alert on "normal activity"; is this the recommended adjustment, or are there any concrete recommended modifications?
Hi @BradOH, the only solution is to open a lookup using the Lookup Editor app (https://splunkbase.splunk.com/app/1724), adding a row like the following in the menu App editor:
<a href="/app/lookup_editor/lookup_edit?owner=nobody&amp;namespace=myapp&amp;lookup=mylookup&amp;type=csv">MyLookup</a>
Ciao. Giuseppe
Hi @BradOH, it's not possible to limit the display on the lookup editor app page by passing params in the URI, however this might(??) help... I'm using the rest endpoint "/services/data/lookup-table-files/" to get a table of lookups including their app and owner, then setting this as a table in a dashboard which, when you click on the row, takes you to the edit page in the lookup editor app (e.g. "/en-US/app/lookup_editor/lookup_edit?owner=nobody&namespace=Splunk_Security_Essentials&lookup=account_status_tracker.csv&type=csv").
Here is the JSON for the Dashboard Studio dashboard if this helps:
{
  "title": "LookupDrilldown",
  "description": "",
  "inputs": {},
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "earliest": "$global_time.earliest$",
            "latest": "$global_time.latest$"
          }
        }
      }
    }
  },
  "visualizations": {
    "viz_wTIE1OIS": {
      "dataSources": { "primary": "ds_lwh4A7Zo" },
      "eventHandlers": [
        {
          "options": {
            "tokens": [ { "key": "row._uri.value", "token": "uri" } ]
          },
          "type": "drilldown.setToken"
        },
        {
          "options": { "newTab": true, "url": "$uri$" },
          "type": "drilldown.customUrl"
        }
      ],
      "options": {
        "count": 20,
        "dataOverlayMode": "none",
        "drilldown": "none",
        "showInternalFields": false,
        "showRowNumbers": false
      },
      "type": "splunk.table"
    }
  },
  "dataSources": {
    "ds_lwh4A7Zo": {
      "name": "Table search",
      "options": {
        "query": "| rest /services/data/lookup-table-files/\n| eval _uri=\"/en-US/app/lookup_editor/lookup_edit?owner=\".'eai:acl.owner'.\"&namespace=\".'eai:acl.app'.\"&lookup=\".title.\"&type=csv\"\n| table eai:acl.app title eai:acl.owner _uri",
        "queryParameters": { "earliest": "-24h@h", "latest": "now" }
      },
      "type": "ds.search"
    }
  },
  "layout": {
    "globalInputs": [],
    "layoutDefinitions": {
      "layout_1": {
        "options": { "display": "auto", "height": 960, "width": 1440 },
        "structure": [
          {
            "item": "viz_wTIE1OIS",
            "position": { "h": 250, "w": 1440, "x": 0, "y": 0 },
            "type": "block"
          }
        ],
        "type": "absolute"
      }
    },
    "options": {},
    "tabs": {
      "items": [ { "label": "New tab", "layoutId": "layout_1" } ]
    }
  }
}
Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hey there, I'm trying to create a custom/filtered list of lookups to simplify edits by end users pulling reports. I've dug through the docs and can't find anything, although perhaps I'm missing it in my searches. What I was hoping would be to add a custom HREF link in the menu to a filtered lookup list, but it doesn't appear the lookup_list accepts parameters (or I haven't found the right ones). For example... https://splunk-srvr/en-US/app/lookup_editor/lookup_edit?namespace=user_reports_app&type=csv If this isn't possible, the other option I had thought of was a dashboard section with a filtered list of the appropriate lookups similar to the Lookup App overview page, but this appears to be built directly in the app using JavaScript and not something easily replicated. Have I missed something completely obvious, or is this even possible? Thanks!
I have a modified version of the MITRE matrix TA, but if I understand it correctly it uses a few things: a JavaScript file (.js), a stylesheet file (.css) and the Source on a Dashboard. At the top of the source of your Dashboard write the following:
<form script="jsFileName.js" stylesheet="cssFileName.css" version="1.1" theme="light">
Now I have to call portions of my .js file in for a table to work accordingly, but that may differ from your dashboard. Here I have to call the components of 'mitrematrix' into my table from the .js.
.js dashboard source:
Something to keep in mind.
---
If this reply helps you, Karma would be appreciated.
Hi, we use iPads in our production area to display Splunk dashboards. The dashboards are classic ones with enhanced JS/CSS functionality but standard dashboard searches. We have the issue that sometimes the searches are not run. When we inspect the console/network within the Safari dev settings, the request is sent but after 50ms an error occurs and no response is received. If we try again, mostly the search runs as expected. On Windows devices those problems never occurred. Our network department says there are no network issues. Anybody have a similar problem? Thanks!
Did this error resolve? If yes, how? @arber
Has anyone figured out how to successfully join the three new _DS indexes into a meaningful report? I would like to create a report that shows me when a UF/HF phoned home and what actions it may have performed.
Hi guys, I'm trying to customize an app I created. For the dashboards, I placed the CSS file in appserver/static and linked it in the dashboard using stylesheet="my.css". How does it work for the app's CSS? Where should I put the CSS file? Do I also need to reference it in any .conf file? Thanks for your attention.
Hi @PrewinThomas, I configured a summary range of 2 days to reduce the summarization time, but data have a retention of 30 days and anyway searches are always on the last 10-15 minutes. Ciao. Giuseppe
When you set up the alert - what app are you using? Wondering if it’s a permission issue? My alert is defined in the search app.
Hi at all, I noted that there are very many buckets; do you think that it could be useful to enlarge the bucket dimension from the default (750 MB) to a larger value (e.g. 1500 MB)? Even if the effect will be sensible in the future. Ciao. Giuseppe
Hi @meetmshah, yes I used default parameters and then I'm trying to modify some of them, without luck! Now I will try your hints and I'll inform you. Ciao. Giuseppe
Hi @PrewinThomas, this is the Authentication DM stanza in datamodels.conf:
[Authentication]
acceleration = true
acceleration.earliest_time = -2d
acceleration.hunk.dfs_block_size = 0
acceleration.poll_buckets_until_maxtime = true
acceleration.schedule_priority = default
tags_whitelist = cleartext,cloud,default,insecure,multifactor,pci,privileged
Ciao. Giuseppe
Guys, I have Splunk Cloud. I created an HTTP Event Collector and in Prisma I gave the URL /service/collector, but logs are not showing up in Splunk. My questions: should I add the port number after my HTTP URL? After the URL, is it /service/collector or /service/collector/events? What should I check, as I tested and my Prisma said the test passed?
@spisiakmi The normal Splunk upgrade path will be Splunk 4.x to 6.5.x, then to 7.3.x, then to 8.2.x, then to 9.4.x. But it will be a lengthy process and each step requires installing that version and letting it upgrade your config and indexed data. Also consider: since you are moving to new hardware, you can install the latest version and migrate data from the old one.
1. Stop Splunk on the old server
2. Roll hot buckets to warm
3. Copy configs to the new server - e.g. $SPLUNK_HOME/etc
4. Copy indexed data - e.g. $SPLUNK_HOME/var/lib/splunk
5. Install the latest Splunk on the new server
6. Replace the new install's etc and var/lib/splunk with your copied folders
7. Start Splunk and verify.
Since you are migrating from a very old version, I would recommend testing this first to make sure nothing is breaking. Also better to raise a Support ticket to be on the safer side. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
Are you using the default acceleration parameters? If so, can you try having Max Concurrent Searches as 4 (instead of 3), Max Summarization Search time as 15 Mins (instead of 60), and lower the backfill range (if you are sure that there are no major historical events we need to take care about)? I faced a similar issue for a large (40 TB+ a day) customer, and had to tweak those parameters for Network_Traffic and a couple of other Data Models. Reference Doc - https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.3/use-data-summaries-to-accelerate-searches/accelerate-data-models#ariaid-title10