All Posts

Hi All, I just wanted to know if there is any way to display text boxes upon clicking any of the buttons in my dashboard. I uploaded a pic for your reference. Upon clicking any of the buttons, I want to display 2 text boxes. And later I would like to provide input in those text boxes and search for the logs.

    <dashboard version="1.1" script="customview.js" theme="dark">
      <label>Search Dashboard</label>
      <row>
        <panel>
          <html>
            <h1 style="text-align: center;">Choose from the below options to get started :)</h1>
            <!-- Centered button container -->
            <div style="display: flex; justify-content: center; align-items: center; gap: 10px; margin-top: 20px;">
              <button id="proxySearch" onclick="showTextBoxes()" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Proxy Search</button>
              <button id="WAFsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">WAF Search</button>
              <button id="DNSsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">DNS Search</button>
              <button id="Emailsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Email Search</button>
            </div>
            <div id="mychart"></div>
          </html>
        </panel>
      </row>
    </dashboard>

I first wanted to know how to show text boxes upon clicking any of the buttons. I know we have to use JS for this kind of activity, but can anyone suggest how it needs to be done?
I haven't used it, but based on the docs I suppose that it also works for HW-based environments? https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/centos-migration https://developers.redhat.com/articles/2023/04/11/how-use-convert2rhel-migrate-centos-rhel#7_steps_to_migrate_centos_to_rhel_using_convert2rhel
Do you have the SPL-xxxx code for fixing it? It will help others to add this to their support cases.
I agree with @PickleRick about bucket data optimization. Warm and cold buckets are identical. Of course you could additionally configure tsidx reduction there, but it has nothing to do with warm -> cold movements. Here is one old, but still mostly valid, presentation about the event lifecycle: https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf After one has read it, one will probably understand this better.
Case created.
It's on the monitoring console, Disk Usage part. If we look there, there is a bar showing the storage used. I already restarted the service too, but the value is still like the picture. I also inspected the search from the panel, and the values are the same; I copied it into Excel like this one.
Ouch. This is very ugly data. Not only is it unnecessarily complicated and needs a lot of "untangling" to get it parsed properly (so you cannot write reasonable extractions), it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one of those hosts, you still have to make Splunk dig through a whole load of completely irrelevant data. Additionally, you are doing something to your data, because the body field, if simply extracted from the JSON, would just have a long string, not separate fields. So maybe just post your search as it is. My glass orb is being fixed as we speak.
Hi, I cannot "login"; the truth is that after login I get a 500 error and the UI will only show the following screenshot, so the Web UI is unusable.
Yes. It does look as if the SHC members weren't properly communicating with one another. What is interesting, though, is that the captain is responsible for scheduling searches. So if you had connectivity problems you should also have problems with captain election. But your behaviour suggests that each cluster node works independently. What does "splunk show shcluster-status" say on each node?
Hi @Nawab, the correct action is that the Correlation Search is run on only one of the SHs and only one Notable is created. If more than one Notable is created, it means that the Cluster is out of sync, as @aasabatini said. In this case, you have to check the sync and restart the members, and eventually rebuild the configurations. For more info see https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/SHCdeploymentoverview Ciao. Giuseppe
I'm looking for a query to display a list of jobs stuck in the queue (the past 7 days). Does anyone know the query?
Hi @mackey If you have ES, it has a framework called "THREAT INTELLIGENCE" for managing threat feeds, detecting threats, and sending alerts. You should explore this functionality, as it can be quite beneficial. Additionally, there are several other high-quality sources of threat data available there, which just need to be activated if required, OR if you have your own custom feeds, you can also integrate them as custom lookups in threat intelligence. As mentioned by @gcusello, you have two options; explore them as per your requirement. For more info on this, please refer to the docs below: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework/ https://www.splunk.com/en_us/pdfs/feature-brief/splunk-threat-intelligence-management.pdf If this helps, accept the answer by upvoting!! Happy Splunking!!
I have access to ES yes. 
Hello @PickleRick, Yes, this is the search on the basis of email logs which is giving me one result, and I need that search to be multivalued, not single valued. As you can see in my snippet, it's giving statistics 1 rather than 3131, which is actually there in the data. LOGS: I need this 3131 to be split into multiple rows with my other following fields, as shown in the previous screenshot. When I am doing mvexpand Computer_name it's coming as 3131, but as soon as I am applying other fields it's not showing the data.
Whereas the syntax problem that @PickleRick pointed out can be rectified by adding a pipe like this:

    index=index1 source="/somefile.log" uri="/path/with/id/some_id/"
    | rex field=uri "/path/with/id/(?<some_id>[^/]+)/*"
    | search [ search index=index2 source="/another.log" "condition-i-want-to-find"
        | rex field=_raw "some_id:(?<some_id>[^,]+),*"
        | dedup some_id
        | fields some_id ]

this method reduces the advantage of using a subsearch in your dataset. To improve efficiency, renaming field some_id to "search", as some have said, actually will help. (In part because / is a hard separator in Splunk.) You just need to add a format command:

    index=index1 source="/somefile.log" uri="/path/with/id/some_id/"
        [ search index=index2 source="/another.log" "condition-i-want-to-find"
        | rex field=_raw "some_id:(?<search>[^,]+),*"
        | dedup search
        | fields search
        | format ]
    | rex field=uri "/path/with/id/(?<some_id>[^/]+)/*"

Here is an emulation. Play with it and compare with your data.

    index = _internal log/splunk
    ``` the above emulates index=index1 source="/somefile.log" uri="/path/with/id/some_id/" ```
        [ makeresults format=csv data="search
    supervisor.log
    splunkd_ui_access.log"
    ``` the above emulates [ search index=index2 source="/another.log" "condition-i-want-to-find" | rex field=_raw "some_id:(?<search>[^,]+),*" | dedup search | fields search | format ] ```
        | format ]
    | rex field=series "log/splunk/(?<some_id>[^\"]+)"
    ``` emulates | rex field=uri "/path/with/id/(?<some_id>[^/]+)/*" ```
    | stats count by some_id

On my laptop, it gives

    some_id                count
    splunkd_ui_access.log  59
    supervisor.log         1045

As you can see, among all the logs, the output is limited to the two values in the subsearch.
Hello, I'm still new to Splunk. Recently I was testing the BrowsingHistoryView Add-on for Splunk. I was able to deploy it and push it to the Windows clients. However, it is not working properly; basically BrowsingHistoryView.exe is not working fully under the virtual splunk account. If I run the loader .bat script under my account it works perfectly. Can anyone help with this? Thank you.
If I put a lower value on TTL for the dispatch directory, would this be a good idea in this case?
Hi, I have a Splunk server that has tonnes of data in it. What we would like to do is have a system on a dedicated search head that does a search lookup, then exports the data it finds to an S3 bucket for another system to ingest and do analysis on. I have looked at several add-ons including Export Everything and S3 Uploader for Splunk, but neither of them has clear instructions and I am having issues. Are there any resources that are clear on how to set up the connection to export search results from Splunk into an S3 bucket?
Did you find a solution to this? My problem is that it will trigger on all SHC members, and when I assign a notable from one SH it is not reflected on the other SHs.