All Posts



I am getting the same error as the original post and tried your suggestions. I am still getting an email alert with this error. My Splunk search head only has Python 3.9.18 installed. Any other suggestions to fix this error?
Hello, looks like an issue with the certificate. Please check this out: https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Verification-of-SAML/m-p/322376#M12073 If this is a brand new implementation, you can also use Splunk's "OnDemand Services" for help. The Professional Services experts can "shoulder surf" this and help get it resolved.
Looking for the best/easiest way to retrieve or reconstruct a Splunk URL to an event retrieved using Python, to then paste into a browser and view the event through the web UI. Thanks!
Figured it out:

*** File Extension Pie Chart: Works ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | where extension = "$token$" | table ...

Thanks PickleRick for giving a response and helping figure this out. Much appreciated.
Realizing I need to run the rex command in my table search because Splunk doesn't have any value in the raw data for that search to associate with the token. Going to try some alternative queries for now to see if I can come up with the solution, considering that.
That was a typo, copied and pasted. The token I am using in my search string is (source=$token$). Not sure where/why I added the (*) in the token name.
Python is the least important thing here. The question is about the overall architecture of your solution. What exactly do you want to achieve technically? Because, you know, Splunk dashboards are not something you can "pull" out of Splunk and use without Splunk. So what are you trying to do?
It's no confusion. I meant to show you that you're trying to use a token named "*token". Even if it was syntactically correct, which I doubt (I think the token name syntax is more restricted), it would still be a different token than the one you have defined. If you define a token named "token" you use it as $token$, not $*token$, not $my_token$, not $token_I_forgot_about$. These are all different literals.
The token value I am trying to carry over in my table is (token=$click.value$), using the field extracted in the drilldown editor. I have my values/parameters set to: on click, set "token" = $click.value$. I named my token "Token" in the drilldown editor for simplicity. In my initial post I stated

*** User Pie Chart with the drilldown token: token_user=$click.value$ ***

but it should be

*** User Pie Chart with the drilldown token: "token"=$click.value$ ***

*** File Extension Pie Chart with the drilldown token: "token"=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document

Apologies for the confusion. Hope that clears it up a little.
You must explicitly add an action to add an alert to triggered alerts. So if your only action was email, you must check why the email wasn't delivered (look in _internal for sendemail.py). At first glance your logs suggest that the alert notifier was actually dispatched.
This worked for me:

| rest /services/authentication/current-context

Thanks!
$*token$ - what is it supposed to be? Maybe, just maybe, *$token$ could work. Definitely not the way you're trying to do it. You have no token named "*token".
Need help with creating an interactive drilldown with a value extracted using the rex command. I want to monitor users saving files to a certain folder and also sort and look at the file extension types that are saved in the folder and by whom. The raw test data has: time, user, computer, directory and document, as seen below.

Test Data
_time       user_name   computer_name   source_directory        document
10/11/2024  user1       Destop_user1    \\cpn-local\priv\cus\   document1.pdf
10/11/2024  user4       Destop_user1    \\cpn-local\priv\cus\   document2.doc
10/10/2024  user1       Destop_user1    \\cpn-local\priv\cus\   document3.pdf
10/10/2024  user2       Destop_user2    \\cpn-local\priv\cus\   document4.pdf
10/9/2024   user3       Destop_user3    \\cpn-local\priv\cus\   document5.pdf
10/9/2024   user4       Destop_user4    \\cpn-local\priv\cus\   document6.doc
10/9/2024   user2       Destop_user2    \\cpn-local\priv\cus\   document7.doc

I have created a drilldown using a token value from the queried raw-log data which allows me to select a user from a pie chart and show all logs in a second table. Those two dashboard panels are below and work.

*** User Pie Chart with the drilldown token: token_user=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(user_name) BY user_name

*** User Record Table ***
index="user_files" user_name = $token$ | table _time, user_name, computer_name, source_directory, document

I am now trying to create a dashboard taking the same raw data, adding a rex command to pull out the extension, and having the pie chart show the specific file extensions I have logs for in the index, which I have done using the following query:

*** File Extension Pie Chart: Works ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document

I also tried (index="user_files" extension=$*token$") and (| where extension="$token$") in the query and still no results are seen in the record table. Any help would be greatly appreciated. I understand the logic needed, just having problems executing the drilldown. Thanks
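As an added example, not part of the original post or any reply in this thread, here is a complete Simple XML dashboard built on the poster's `user_files` index, field names and `rex` expression. The pie chart sets a token named `ext` on click, and the table panel runs the same `rex` again before filtering on that token, since `extension` only exists after it has been extracted. The dashboard title, panel titles, the token name `ext` and the 7-day time range are my choices. Two details matter when typing this into the XML editor: a literal `$` in a regex is written `$$`, and the `|s` token filter substitutes the clicked value as a quoted, escaped SPL string so that a filename containing quotes or pipes cannot change the shape of the search.

```xml
<dashboard version="1.1">
  <label>Files saved by users, by extension</label>

  <!-- Panel 1: pie chart of file extensions. Clicking a slice sets the `ext` token. -->
  <row>
    <panel>
      <title>Files by extension (click a slice)</title>
      <chart>
        <search>
          <!-- Inside Simple XML a literal dollar sign (the end-of-string anchor here)
               is written as two dollar signs, and the angle brackets of the named
               capture group must be XML-escaped. -->
          <query>index="user_files"
| rex field=document "\.(?&lt;extension&gt;[^\.]*$$)"
| stats count BY extension</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- $click.value$ is the label of the clicked slice, i.e. the extension. -->
          <set token="ext">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- Panel 2: detail table, hidden until `ext` has been set by a click. -->
  <row depends="$ext$">
    <panel>
      <title>Files with extension "$ext$"</title>
      <table>
        <search>
          <!-- `extension` is not in the raw events, so it is extracted again here and
               then filtered. `$ext|s$` inserts the token as a quoted, escaped SPL string
               literal, so the value is compared as data and never parsed as SPL. -->
          <query>index="user_files"
| rex field=document "\.(?&lt;extension&gt;[^\.]*$$)"
| where extension=$ext|s$
| table _time user_name computer_name source_directory document</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Filtering on `source=$token$`, as in the post, matches nothing because `source` holds the input file or stream the events came from, not the extracted extension; the second panel has to recreate `extension` with `rex` (or the field has to be made a search-time extraction in props.conf) before it can be compared with the token.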
And here I have tried the scheduled alert, and here are the logs related to that alert:

log 1:
10-14-2024 22:16:01.088 +0400 INFO SavedSplunker - AlertNotifier::notifySearchCompleted: called for sid=scheduler__kareem__search__kareem_at_1728929760_35, condition=1

log 2:
10-14-2024 22:16:01.809 +0400 INFO SavedSplunker - savedsearch_id="nobody;search;kareem", search_type="scheduled", search_streaming=0, user="kareem", app="search", savedsearch_name="kareem", priority=default, status=success, digest_mode=1, durable_cursor=0, scheduled_time=1728929760, window_time=0, dispatch_time=1728929760, run_time=0.178, result_count=1531, alert_actions="email", sid="scheduler__kareem__search__kareem_at_1728929760_35", suppressed=0, action_time_ms=718, thread_id="AlertNotifierWorker-0", workload_pool=""
My group and I are creating a senior project for a SIEM in a VM. We were planning to implement Splunk dashboards into the project with Python code. To give some background, we are starting from scratch with Python code, and we would like to implement Splunk dashboards into that Python code. In short, when we run the Python code we would like the Splunk GUI to pop up (whichever one we choose: charts, pie charts, global map) with the data that we are collecting through the Python code. Is there a way we can achieve this goal?
Email was the only action, and how I knew is by checking the Triggered Alerts section under Activity. And as I said, I tried scheduled alerts, same issue.
1. Please, don't use real-time alerts. Except for very, very rare cases, real-time searches should be avoided altogether.
2. How did you confirm that the alerts weren't triggered? Is the email the only action you have defined? Maybe the problem is with your action, not the alert itself.
My alert is not triggered even with many matching events. Here are the details: while the activity that generates these logs is running, the real-time alert is processing and found those events in the screenshot. I have waited for 5 minutes and same issue. I have also tried scheduled and still the same issue, no triggering.
Anyone have a tip on how to have a token (from a field) and then determine which query to run based on that input? For example (datasources/queries: fruit, meat, vegetable): Field: banana -> run query for fruit -> display table about banana from said query. Struggling with this one; trying to make a dynamic search bar that populates tables based on the input, thus making several of my dashboards redundant. Slimming things down.
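One way to do the "banana -> fruit query" routing, as an added example rather than code from the thread: a Simple XML form in which a cheap `makeresults` search classifies the typed item and publishes the category through a `<done>` handler, and the result panel picks its datasource from that category token. The item names, the three index names `fruit`, `meat` and `vegetable`, and the fields `item`, `quantity` and `supplier` are illustrative assumptions. The `case()` expression doubles as an allowlist: whatever was typed, only one of the three fixed category names can reach the second search, and the raw input itself is only ever inserted as a quoted string (`|s`) or HTML-escaped (`|h`).

```xml
<form version="1.1">
  <label>Item lookup</label>

  <fieldset submitButton="true">
    <input type="text" token="item">
      <label>Item (e.g. banana)</label>
      <change>
        <!-- Drop the previous category so the result panel hides while the new input is classified. -->
        <unset token="cat"></unset>
      </change>
    </input>
  </fieldset>

  <!-- Step 1: map the typed item to a datasource category. This runs against a single
       makeresults row, so it costs nothing. case() acts as an allowlist: only "fruit",
       "meat" or "vegetable" can ever be copied into the `cat` token. The item lists and
       category names are assumptions for this example. -->
  <search id="classify">
    <query>| makeresults
| eval item=lower(trim($item|s$))
| eval cat=case(match(item, "^(banana|apple|pear)$$"),  "fruit",
                match(item, "^(beef|chicken|pork)$$"),  "meat",
                match(item, "^(carrot|onion|kale)$$"),  "vegetable")
| where isnotnull(cat)
| fields cat</query>
    <done>
      <!-- One row back means the item was recognised; copy its category into the token. -->
      <condition match="$job.resultCount$ == 1">
        <set token="cat">$result.cat$</set>
      </condition>
      <condition>
        <unset token="cat"></unset>
      </condition>
    </done>
  </search>

  <!-- Step 2: the real data query, selected by category. The index name is taken only
       from the allowlisted `cat` token; the raw input is passed as a quoted string.
       One index per datasource and the field names are assumptions. -->
  <row depends="$cat$">
    <panel>
      <title>$cat$ records for "$item$"</title>
      <table>
        <search>
          <query>index=$cat$ item=$item|s$
| table _time item quantity supplier</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>

  <!-- Shown when something was typed but no category matched. |h HTML-escapes the value. -->
  <row depends="$item$" rejects="$cat$">
    <panel>
      <html>
        <p>"$item|h$" is not a known fruit, meat or vegetable.</p>
      </html>
    </panel>
  </row>
</form>
```

If the item-to-category mapping is large or changes often, replace the `case()` with a `| lookup` against a CSV, keeping the `| where isnotnull(cat)` step so that unknown input still leaves `cat` unset and the data panel hidden.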
Hello @ITWhisperer, would that be possible if every field has only 2 values that keep repeatedly occurring? Also, the numeric values can be replaced with text values as well. Thanks!