ITSI for Alert $result.service_name$ on host $result.src$ $result.description$ An event has been detected: Host: $result.host$ Source: $result.source$ Error Code: $result.error_code$ Description: $result.description$ I'm fairly new to ITSI and Splunk in general and I couldn't find any clear information on tokens. The only token that is working right now is $result.description$. Any assistance will be much appreciated. Thank you
It is something that should rather be handled during the ingestion phase - clean your data before indexing.
Hi, I have an event which has prod and test based on env. If it is test, it goes to the nsps [{},{}] object and checks for the names, say A, B, C, D, and gets their associated ReadOnlyConsumerNames in tabular format.

Output as:

Name    ReadOnlyConsumerNames
A       Application, Lst, data
B       Application, Lst
C       Lst
D       Lst, Gt, PT

{
  prod: { }
  test: {
    DistinctAdminConsumers: [ App, pd. ]
    DistinctAdminUser: 2
    DistinctReadConsumers: [ Application., GT., Technology., data ]
    DistinctReadUser: 4
    TotalAdminUser: 20
    TotalNSPCount: 10
    TotalReadUsers: 13
    nsps: [
      { AdminConsumerNames: [ App., pd. ], AdminUserCount: 2, Name: A, ReadOnlyConsumerNames: [ Application, Lst, data ], ReadonlyUserCount: 3 }
      { AdminConsumerNames: [ App, Data ], AdminUserCount: 2, Name: B, ReadOnlyConsumerNames: [ Application, Lst ], ReadonlyUserCount: 3 }
      { AdminConsumerNames: [ preprod, pd ], AdminUserCount: 2, Name: C, ReadOnlyConsumerNames: [ Lst ], ReadonlyUserCount: 1 }
      { AdminConsumerNames: [ ... ], AdminUserCount: 2, Name: D, ReadOnlyConsumerNames: [ Lst, Gt, PT ], ReadonlyUserCount: 1 }
    ]
  }
}
Since you have a SHC, try this search on each individual SH to see if there is a config mismatch (I'm thinking if you grew from single to cluster maybe).

| rest splunk_server=local /services/search/distributed/peers

The output should help you determine if one of the SHs is out of sync. Other than that, is your SHC set to indexer discovery via the CM, which may still have those entries?
Hey, I'm trying to play sounds in my Dashboard Studio dashboard. I heard it's not possible because Dashboard Studio is not as customizable as Classic dashboards. Does anyone know any workaround before I have to switch to a Classic dashboard?
HEC tokens are always stored in plain text in .conf files as the token is not related to any authentication or authorization feature. The token just helps funnel the incoming data to the appropriate index and props configurations. All the encryption and secrecy items should be handled inside the TLS certificates to allow the HTTP handshake to occur.
You could design an input which sets the fields a particular team needs and use that token in a table command alongside the fields which are common to all teams:

| table _time common1 common2 $teamfields$
It is not clear what it is you actually want. For example, do you want an hourly average of the humidity for each hour, then the minimum and maximum average for that hour over your full time period, then discount events which are outside the minimum and maximum average for the hour they are taken? Or do you want the average for the day and then the minimum and maximum over the full time period, and discount events which are outside this daily average? Or do you want the average over the whole time period and discount values which are more than a specified distance from the average? All of these would have different SPL. Please explain what you are trying to do in non-SPL terms.
I am working on a dashboard that has a bunch of fields and will be used by multiple teams and people who will be needing different fields from the table. Is there any way to add a toggle or filter or anything similar to give a couple of presets (e.g. fields A, D, E, H as preset 1 for team 1, fields B, C, D, F, G as preset 2 for team 2, and so on)? I also use filters on fields in the dashboard table; if possible, I would want hiding a field not to impact the filters at all. Thanks in advance.
Yes, unfortunately I realised that. Let's say it is a missing feature that would be useful for making the names inside the boxes or panels more readable and making the whole dashboard's graphics look more trendy. I opened a post on Splunk Ideas for this missing functionality.
Palo introduced HTTP Event stream in OS 8.x, so if you have anything recently installed it should support that as outbound log streaming. Alternatively the logs can be exported over syslog, but that becomes infinitely more difficult to ingest if you have novice Splunk experience. Once you can export the HTTP Event stream from Palo, you then need to set up your Splunk instance to collect HEC (HTTP Event Collector), and there is a lot of documentation on how to do that. Warning: Palo can generate a tremendous amount of logs and will almost certainly exceed your trial license capacity.
You haven't mentioned anything about which OS specifically and what else is or may be using resources. Since your system exceeds minimum recommendations, I would look at the total package. You may need an OS expert and not a Splunk expert to help track this down.
So just to close the loop: after some deep diving by a Splunk support rep, the issues that caused me to not see all the jobs on that page were due to:

1- Permission levels: I was not an ADMIN and so several private jobs were not visible to me.

2- Incorrect expectations on how the page should work. I assumed it should show all jobs from x amount of time, regardless of how often a job runs or any other job attributes. The page was intended to be used in real time and not so much for historical runs like from a month ago.

3- TTL: each job has a life expectancy that determines how long it's visible on that page. The calculations are convoluted and not obvious. So some jobs might show for longer vs others depending on various things like:
   - a scheduled search should adhere to that dispatch.ttl
   - an adhoc search should default to 10 minutes (no matter how long you are searching back)
   - an alert should have a TTL that depends on the action that it is taking

4- A bug that created a 2025 expiry date on the TTL for some of my searches/jobs, which contributed to the confusion as to why some jobs show and others don't. The rep was unable to determine the cause of the 2025 bug.
Text align is not currently an option with Markdown boxes in Dashboard Studio. Here is a link to what is possible: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/chartsText#Source_options_for_Markdown
Another option, perhaps closer to what you seek, is to have each input set a token with the appropriate query string. Then the search will just invoke that token. For instance, if "banana" is selected, then the input token's <change> element might set a token called $query$ to what is needed to search for fruit. The <query> element then becomes simply <query>$query$</query>
Thanks for the reply, however I'm not quite looking for an alternative solution. I'm wondering if this is something Splunk is capable of.
No worries, I suppose your attempts at English are better than my Japanese. Loopback is a name for a virtual network interface that every networked host has - it's an interface used by software to talk to other components on the same host (that's the one having the 127.0.0.1 address). Anyway.

TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING

This line says that your port 8000 is listening on 0.0.0.0, which means that it should be reachable from everywhere (if the connections are not filtered on other layers). So you have to check your Windows firewall - as far as I remember, Windows Server by default blocks pretty much all incoming communication, so you might need to create a rule to allow traffic from the network to local port 8000.
Hello everyone, I have built a dashboard with Dashboard Studio, but in the panels I have noticed that you can use many properties but you cannot change the position of the markdown text. I have already tried to look at the documentation but to no avail (maybe I am missing something). By changing position I also mean simply aligning the panel text left, centre, or right inside the panel. Do you have any ideas? Thank you, biwanari
Hi @PickleRick, that is indeed the setup I have. That is correct, there isn't an issue with the connection between the HF and Splunk Cloud, but rather my results from the DB Connect app are not being sent to Splunk Cloud. I am more so looking to see if anyone else has faced this issue before, because I have checked several things and all looks well, but there is no real solution to get the data transferred.
Hi @Strangertinz, ok, let me know if I can help you further. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.