I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts. My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.
I am trying to route my Windows security logs to another specified index, but it has to meet certain criteria: EventCode has to be 4688 and the Token Elevation Level equals either %%1936, %%1938, TokenElevationTypeDefault or TokenElevationTypeLimited. So far I have written these regular expressions:

1. REGEX = ((?s).*EventCode=4688*.)((?si).*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.)
2. REGEX = EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)

When using 1, all EventCode 4688 events come to the specified index, when I only wanted 1936 and 1938. I wanted to leave the %%1937 token in its original index. When using 2, no data at all comes to the index, even though it seems to be a much simpler regex. What am I missing to ensure 4688 is properly filtered using transforms and props?
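The following script is an added, editor-written example and is not part of the question or of any answer on this page. It runs the two regexes from the question, plus a suggested corrected form, over constructed multi-line events shaped like Windows Security events as they commonly appear in `_raw` (EventCode on one line, the `Token Elevation Type:` label on a later line). The event layout, the label spelling and the `REGEX_FIXED` pattern are assumptions to verify against your own `_raw`; Python's `re` module requires inline flags such as `(?s)` at the start of the pattern, so regex 1 is written with the same PCRE flag scoping hoisted into that form.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample events (not real data). The shape assumes the Windows add-on's
# plain-text rendering: one key=value line per header field, then the message body with
# the "Token Elevation Type:" label on its own line. Check your own _raw for the exact label.
def make_event(event_id: str, code: int, token: Optional[str], message: str) -> Tuple[str, str]:
    lines = [
        "10/21/2024 04:07:58 PM",
        "LogName=Security",
        f"EventCode={code}",
        "EventType=0",
        "ComputerName=host01.example.internal",
        f"Message={message}",
    ]
    if token is not None:
        lines += [
            "",
            "Process Information:",
            "\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe",
            f"\tToken Elevation Type:\t{token}",
        ]
    return event_id, "\n".join(lines) + "\n"

SAMPLE_EVENTS = [
    make_event("default-1936", 4688, "%%1936", "A new process has been created."),
    make_event("full-1937", 4688, "%%1937", "A new process has been created."),
    make_event("limited-1938", 4688, "%%1938", "A new process has been created."),
    make_event("resolved-default", 4688, "TokenElevationTypeDefault (1)", "A new process has been created."),
    make_event("process-exit-4689", 4689, None, "A process has exited."),
    make_event("logon-4624", 4624, None, "An account was successfully logged on."),
]

# Regex 1 from the question, with PCRE flag scoping reproduced for Python's re:
# (?s) covered both groups, (?si) only the second, hence the (?i:...) group.
# "4688*" means "468" followed by zero or more "8", and the alternation carries a "*",
# so the second group is satisfied by any single character: every 4688 (and 4689) routes.
REGEX_1 = r"(?s)(.*EventCode=4688*.)((?i:.*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.))"

# Regex 2 from the question, unchanged. Without (?s) the ".*" cannot cross the newline
# after the EventCode line, and "TokenElevationType=" is Splunk's extracted field name,
# which does not appear in the raw text, so nothing routes.
REGEX_2 = r"EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)"

# Suggested form (editor's assumption, not from the question): anchor the event code with \b,
# let "." span lines with (?s), and match the label as it is written in the raw event.
REGEX_FIXED = r"(?s)EventCode=4688\b.*Token Elevation Type:\s*(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)"

def route(regex: str, events: List[Tuple[str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Return the ids of events a transforms.conf REGEX would send to the target index."""
    pattern = re.compile(regex)
    return [event_id for event_id, raw in events if pattern.search(raw)]

if __name__ == "__main__":
    for name, rx in (("regex 1", REGEX_1), ("regex 2", REGEX_2), ("fixed", REGEX_FIXED)):
        print(f"{name:8} -> {route(rx)}")
```

Running it shows regex 1 routing the %%1937 event and the 4689 event as well, regex 2 routing nothing, and the corrected form routing only the default and limited-token 4688 events. Whatever pattern you settle on, test it against a copy of the real `_raw` text (for example in a `rex` search) before putting it in transforms.conf, since routing rules act on the raw event, not on extracted fields.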
That looks like a Palo Alto Networks sourcetype. This documentation implies that these sourcetypes were used in a Palo Alto Networks app that is out of date, but has links for upgrading to the new app: https://pan.dev/splunk/docs/tune-or-reduce-firewall-logs/ I would expect that at least one of the Palo Alto Apps would include a dashboard and field extractions for pan:* sourcetypes.
@iamchris as far as I know, there is nothing available yet, but it's on the roadmap (subject to change). Please refer to: https://ideas.splunk.com/ideas/EID-I-1913 There is this app that might help: https://splunkbase.splunk.com/app/6859 or https://splunkbase.com/app/4342/#/details Cheers! If you find this helpful, please upvote.
Splunkflix ...just kidding. There is no successor available for Splunk TV, but many people are asking for it to be brought back or succeeded by a new version. If you add your votes to it on Splunk Ideas, then it is more likely that Splunk will work on it. https://ideas.splunk.com/ideas/EID-I-1913
Does the time range picker need to be a time range picker? You could set it up as a dropdown with 2 options, 24h and 1month, then make 2 panels in your dashboard which each depend on a token that is set when the dropdown option is selected. Then give the panels searches whose <earliest> time is -24h and -1mon respectively. Only one panel will display at a time.

<form version="1.1" theme="dark">
  <label>2 Time Picker Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>timerange</label>
      <choice value="1">24h</choice>
      <choice value="2">1month</choice>
      <change>
        <eval token="dp1">if($value$="1",true(),null())</eval>
        <eval token="dp2">if($value$="2",true(),null())</eval>
      </change>
      <default>1</default>
      <initialValue>1</initialValue>
    </input>
  </fieldset>
  <row depends="$dp1$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$dp2$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 10</query>
          <earliest>-1mon</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
@yuanliu can you try clicking Inspect on the magnifying glass and see if that might help? If that's the case, it looks like a new bug to me. <button data-test="open-search-button" type="button" data-disabled="false" data-clickable="true"
You can gently tell the indexers to go offline using "/opt/splunk/bin/splunk offline". They will stop indexing, roll hot buckets to warm and upload them to remote storage; then you can bring them up again and they will rejoin the cluster. Ref: https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Takeapeeroffline
What replaces Splunk TV?
@sainag_splunk Working dashboards and problematic dashboards are both created inside Dashboard Studio in 9.2.2 on the same server. This is why it is so puzzling. Is there a setting to grey out "Open in Search" that I may have accidentally enabled?
Hi @hazem , if you're using the Add-on for WorkspaceOne, you should search the default sourcetype in props.conf, that should be taworkspaceone:log. Ciao. Giuseppe 
Are you able to use the ID of the div containing the text input to apply the border style? E.g. my test input has id=input1_11212 , so using: #input1_11212 { border: 2px solid #f6685e !important; } Results in a red border:  
Hi @Nawab , what's the local time of the user you're using? You can find it in the menu bar at Preferences. Ciao. Giuseppe
Hi @new2splunk21 , good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @Teddiz , good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
OK, I get this, but I have little experience with rex and especially anchors. Is the anchor the word I am looking to match?
Did you come up with any solution? I'm curious how you had the webhook working with MS Teams before. I never could get the default Splunk Webhook action to properly send to the Teams Webhooks integration. It seemed like the default Splunk Webhook JSON is not formatted in a way that Teams accepts?
I am seeing the same thing with a fresh install of v5.0.1 in Splunk Cloud. Splunk Cloud Version: 9.2.2403.109 Build: acf4711b7529

10-21-2024 16:07:58.193 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_host_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_host_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729526878, window_time=-1, skipped_count=11, filtered_count=0
10-21-2024 12:52:14.196 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_sourcetype_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_sourcetype_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729515134, window_time=-1, skipped_count=10, filtered_count=0
10-21-2024 12:26:30.121 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_index_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_index_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729513590, window_time=-1, skipped_count=10, filtered_count=0

Looking at the savedsearches.conf that comes with this version of the app and comparing it to the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf), each of these three searches defines "counttype = number of events" but does not define "quantity" or "relation". To fix this in Splunk Enterprise, just remove the config "counttype = number of events" for each search directly in default/savedsearches.conf. To fix it in Splunk Cloud, click Edit > Advanced Edit on each search and change "alert_type" from "number of events" to empty. Keep in mind that the app will need to be completely uninstalled and reinstalled when this is fixed, to remove the /local/ versions of the searches.
Cheers, Jacob --- If this reply helps you, Karma would be appreciated.
Previously created war room templates fail to load, and attempting to recreate them gives errors. I've tried as both SAML and local user accounts, both with admin rights.
I am planning on upgrading our Splunk infrastructure, which requires our Splunk indexers to go offline for a few minutes. I am using SmartStore for Splunk indexing. Before I start the upgrade and take down our indexers, I want to roll over all the data that is in hot buckets to the SmartStore and then start the upgrade. What is the best way to do this?