@Marco, @jokertothequinn , @manasbellani - What is your file/folder permission looks like? Please check on linux machine with below command. ls -l I hope this helps!!! Kindly upvote if it does!!!
I'm using cmd |iplocation src, and the results produce results for the City. Next i want to compare each City and report when results is different. Example when result for a City is Miami and next h...
See more...
I'm using cmd |iplocation src, and the results produce results for the City. Next i want to compare each City and report when results is different. Example when result for a City is Miami and next hour or so in the same field for the City is Boston.
I am creating a panel and input type select as "link".
There multiple choice filed is created, how to keep all choice button in a line using splunk classic.
<panel id="panel_id_1">
<input type="l...
See more...
I am creating a panel and input type select as "link".
There multiple choice filed is created, how to keep all choice button in a line using splunk classic.
<panel id="panel_id_1">
<input type="link" token="token_tab" searchWhenChanged="true" id="details">
<label></label>
<choice value="x">X</choice>
<choice value="Y">Y</choice>
<choice value="z">Z</choice>
</panel>
I want keep all choice value as X Y Z, but for me it is coming
X Y
Z
Hi @nyajoefit22 Yes! you can push the authentication config from Deployer without bind password and just add the bind password under system/local and restart each search head/rolling restart of SHC...
See more...
Hi @nyajoefit22 Yes! you can push the authentication config from Deployer without bind password and just add the bind password under system/local and restart each search head/rolling restart of SHC. This would avoid plain text password in TA.
props.conf :
[sap_failure]
TRANSFORMS-filter = setnull,stanza
transform.conf :
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[stanza]
REGEX = "successful, returned exit code '0'"
DE...
See more...
props.conf :
[sap_failure]
TRANSFORMS-filter = setnull,stanza
transform.conf :
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[stanza]
REGEX = "successful, returned exit code '0'"
DEST_KEY = queue
FORMAT = indexQueue
Content:
[16/Sep/2024:02:00:36 -05:00] INFO : [PID:0185317:Backup:360] [1] successful, returned exit code '0' [16/Sep/2024:02:00:36 -05:00] DEBUG: [PID:0185317:SAPHANA:648] SQLSTRING: 'BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1726470003540 SUCCESSFUL 'hana_data_FHL__2024-09-16T070003-1779190Z''
Here in content if you see i have other events which is not having the desired text string . I need to filter all other events .
has context menu
Here is the JS. I gave the input id="user_name". require([
"splunkjs/mvc",
"splunkjs/mvc/simplexml/ready!"
], function (mvc) {
// get default token model
var tokens = mvc.Component...
See more...
Here is the JS. I gave the input id="user_name". require([
"splunkjs/mvc",
"splunkjs/mvc/simplexml/ready!"
], function (mvc) {
// get default token model
var tokens = mvc.Components.getInstance("default");
var user_name = document.getElementById("user_name");
// Set required style if init value is undefined to channel
if (tokens.get("user_name") === 'Enter a User') {
user_name.classList.add("required");
}
// Dropdown change on channel
tokens.on("change:user_name", function (model, value) {
if (value === 'Enter a User') {
user_name.classList.add("required");
} else {
user_name.classList.remove("required");
}
});
}); Here is the CSS again just to capture it all in the same reply. .required button{
border: 2px solid #f6685e !important;
} I use this code (more or less) on other dashboards to perform the same "required" function on other inputs like drop downs and it works by creating a red outline around the drop down until a choice is made.
Hello @JagsP 1. What is the dataflow ? For Eg: UF->HF->Indexer and where have you placed your configurations. 2. Also, share the sample event , so accordingly I can help you with regex part.
What would be the proper way to push an authentication.conf from the deployer and have the bind password not left in clear text? Is it possible to push the authentication from the deployer without th...
See more...
What would be the proper way to push an authentication.conf from the deployer and have the bind password not left in clear text? Is it possible to push the authentication from the deployer without the bind password and then add another authentication.conf manually to each search head in system local with only the bind password in the stanza? After restart of the search head cluster I’m thinking the bind password would then be encrypted? Would this be the proper way to do this? Would appreciate any other suggestions.
Hello. I know this is an old post, but running into this same issue with the bind password being insecure on the deployer. What would be the proper way to push an authentication.conf from the deploye...
See more...
Hello. I know this is an old post, but running into this same issue with the bind password being insecure on the deployer. What would be the proper way to push an authentication.conf from the deployer and have the bind password not left in clear text? Is it possible to push the authentication from the deployer without the bind password and then add another authentication.conf manually to each search head in system local with only the bind password in the stanza?
Create an init block which sets the default values for stageToken and indexToken <init>
<set token="stageToken">test</set>
<set token="indexToken">ap</set>
</init>
Is there any issue with the below settings ? Also is the Regex wrong here ? [sourcetype] TRANSFORMS-filter = setnull,stanza transforms: [setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue...
See more...
Is there any issue with the below settings ? Also is the Regex wrong here ? [sourcetype] TRANSFORMS-filter = setnull,stanza transforms: [setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue [stanza] REGEX = "Snapshot created successfully" DEST_KEY = queue FORMAT = indexQueue A
Thank you for replying. No. I don't use proxy server. My server is in my home. Windows Server is one and Windows clients are two. Own server cannot access local IP address, and my clients too. An...
See more...
Thank you for replying. No. I don't use proxy server. My server is in my home. Windows Server is one and Windows clients are two. Own server cannot access local IP address, and my clients too. And my router doesn't become proxy server. I will try when I access 192.168.0.8 from my client pc, server's firewall access log is written or not.
What unit of time is your BatteryAge in, seconds, hours, days? How long is a month? If your current day is the 5th of the month and the age equates to 40 days, what result would you expect?
Unfortunatly, i still get null values with these changes. I'm trying to get a comprehensive dashboard, that shows every sourcetype, pr. index, with a first event time, and last event time, to see ...
See more...
Unfortunatly, i still get null values with these changes. I'm trying to get a comprehensive dashboard, that shows every sourcetype, pr. index, with a first event time, and last event time, to see when we started logging events, and to see if we suddenly stop, or have an unusually large gap since last event. We want to set up an alarm to notify us, if an index havnt recieved an event of a specific sourcetype, within a given threshold of time. (Sorry if my english is slightly off here). This specific dashboard is supposed to be a complete sort of dictionary over our indexes and sourcetypes
What is it you are trying to achieve? Can you still get what you want if you try these changes? | sort 0 sourcetype
| stats list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Even...
See more...
What is it you are trying to achieve? Can you still get what you want if you try these changes? | sort 0 sourcetype
| stats list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index, sourcetype
@gcusello - You were correct, bad code I hadn't understood the requirement for <fieldForValue>MountedOn</fieldForValue> Once set, the drop down populates Thank you very much !!
I found this very usefull search for a dashboard on gosplunk: | rest /services/data/indexes | dedup title | fields title | rename title AS index | map maxsearches=1500 search="| metadata t...
See more...
I found this very usefull search for a dashboard on gosplunk: | rest /services/data/indexes | dedup title | fields title | rename title AS index | map maxsearches=1500 search="| metadata type=sourcetypes index=\"$index$\" | eval Retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | fields index sourcetype TotalEvents FirstEvent LastEvent Retention | sort sourcetype | stats list(sourcetype) AS SourceTypes list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index | append [| rest /services/data/indexes | dedup title | fields title | rename title AS index] | dedup index | fillnull value=null SourceTypes TotalEvents "First Event" "Last Event" Retention | sort index | search index=* (SourceTypes=*) However, when i first ran it, some of the "lastevent" values appeared correctly. Ever since then, "LastEvent" and "Retention" have allways been "Null". I cant figure out why i dont get any return values on these fields. I got an error saying the limit on "list" command of 100 was surpassed. So i tried replacing "list()" with "values()" in the search, but the result is the same, just without the error.