All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Does the time range picker need to be a time range picker? You could set it up as a dropdown with 2 options: 24h and 1month, then make 2 panels in your dashboard which each depend on a token to be set when the dropdown option is selected. Then set the panels to have searches whose <earliest> time is -24h and -1mon respectively. Only one panel will display at a time.

<form version="1.1" theme="dark">
  <label>2 Time Picker Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>timerange</label>
      <choice value="1">24h</choice>
      <choice value="2">1month</choice>
      <change>
        <!-- set exactly one of dp1/dp2; null() unsets the other token so only one row is shown -->
        <eval token="dp1">if("$value$"="1",true(),null())</eval>
        <eval token="dp2">if("$value$"="2",true(),null())</eval>
      </change>
      <default>1</default>
      <initialValue>1</initialValue>
    </input>
  </fieldset>
  <row depends="$dp1$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$dp2$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 10</query>
          <!-- one month back, matching the 1month choice -->
          <earliest>-1mon</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
@yuanliu can you try clicking inspect on the magnifying glass and see if that might help? If that's the case, it looks like a new bug to me.

<button data-test="open-search-button" type="button" data-disabled="false" data-clickable="true"
You can gently tell the indexers to go offline using "/opt/splunk/bin/splunk offline". They will stop indexing, roll hot buckets to warm and upload them to remote storage; then you can bring them up again and they will rejoin the cluster. Ref: https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Takeapeeroffline
What replaces Splunk TV?
@sainag_splunk Working dashboards and problematic dashboards are both created inside Dashboard Studio in 9.2.2 on the same server. This is why it is so puzzling. Is there a setting to grey out "Open in Search" that I may have accidentally enabled?
Hi @hazem, if you're using the Add-on for WorkspaceOne, you should search the default sourcetype in props.conf; that should be taworkspaceone:log. Ciao. Giuseppe
Are you able to use the ID of the div containing the text input to apply the border style? E.g. my test input has id=input1_11212, so using:

#input1_11212 {
  border: 2px solid #f6685e !important;
}

results in a red border.
Hi @Nawab, what's the local time of the user you're using? You can find it in the menu bar under preferences. Ciao. Giuseppe
Hi @new2splunk21, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Hi @Teddiz, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
OK, I get this, but I have little experience with rex and especially anchors. Is the anchor the word I am looking to match?
Did you come up with any solution? I'm curious how you had the webhook working with MS Teams before. I never could get the default Splunk Webhook action to properly send to the Teams Webhooks integration. It seemed like the default Splunk Webhook JSON is not formatted in a way that Teams accepts?
I am seeing the same thing with a fresh install of v5.0.1 in Splunk Cloud. Splunk Cloud Version: 9.2.2403.109 Build: acf4711b7529

10-21-2024 16:07:58.193 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_host_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_host_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729526878, window_time=-1, skipped_count=11, filtered_count=0
10-21-2024 12:52:14.196 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_sourcetype_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_sourcetype_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729515134, window_time=-1, skipped_count=10, filtered_count=0
10-21-2024 12:26:30.121 +0000 INFO SavedSplunker - savedsearch_id="nobody;broken_hosts;Lookup Gen - bh_index_cache", search_type="scheduled", user="nobody", app="broken_hosts", savedsearch_name="Lookup Gen - bh_index_cache", priority=default, status=skipped, reason="Relation '' is unknown.", scheduled_time=1729513590, window_time=-1, skipped_count=10, filtered_count=0

Looking at the savedsearches.conf that comes with this version of the app and comparing it to the documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf), each of these three searches defines "counttype = number of events" but does not define "quantity" or "relation".

To fix this in Splunk Enterprise, just remove the config "counttype = number of events" for each search directly in default/savedsearches.conf. To fix it in Splunk Cloud, click Edit > Advanced Edit on each search and change "alert_type" from "number of events" to empty. Keep in mind that the app will need to be completely uninstalled and reinstalled when this is fixed, to remove the /local/ versions of the searches.
Cheers, Jacob --- If this reply helps you, Karma would be appreciated.
Previously created war room templates fail to load, and attempting to recreate them gives errors. I've tried as both SAML and Local user accounts, both with admin rights.
I am planning on upgrading our Splunk infrastructure, which requires our Splunk indexers to go offline for a few minutes. I am using SmartStore for Splunk indexing. Before I start the upgrade and take down our indexers, I want to roll over all the data that is in hot buckets to SmartStore and then start the upgrade. What is the best way to do this?
You could try something like this

| eventstats min(CurrentWeek) as lower max(CurrentWeek) as upper
    min(CurrentWeek-1) as lower1 max(CurrentWeek-1) as upper1
    min(CurrentWeek-2) as lower2 max(CurrentWeek-2) as upper2
| eval lower=min(lower, lower1, lower2), upper=max(upper, upper1, upper2)
| fields - lower1 upper1 lower2 upper2
| eval _lowerrate="lower", _upperrate="upper", _predictedrate="CurrentWeek"
Awesome, will do this right away! Thanks, JJ
Assuming your names follow the apparent pattern you have shown, you could do something like this

| eval name_prefix=mvjoin(mvindex(split(NAME,"-"),0,1),"-")
| eventstats values(eval(if(STATE="master",STATE,null()))) as master by name_prefix
| where master="master"
Thanks for all the info. We are going to go with increasing the truncate on the index server.
Hi, I need help to fetch a field based on another field's condition. I have a lookup table as below:

NAME     HOST   STATE
abc-a-0  host1  master
abc-a-1  host2  local
abc-a-2  host3  local
abc-b-0  host4  local
abc-b-1  host4  local
abc-b-2  host4  local

I want to retrieve the abc-a-* NAMEs based on the STATE being master. The master STATE is dynamic; sometimes it will be in the abc-b-* group instead. Example:

NAME     HOST   STATE
abc-a-0  host1  local
abc-a-1  host2  local
abc-a-2  host3  local
abc-b-0  host4  local
abc-b-1  host5  master
abc-b-2  host6  local

The problem is:
1. Retrieve the current master STATE, whether it is an abc-a-* or abc-b-* NAME.
2. Then fetch the 3 NAMEs based on the condition, whether it is abc-a-* or abc-b-*.