The token value I am trying to carry over in my table is the (token=$click.value$) using the field extracted in the drilldown editor. I have my values/parameters set to: on click, set "token" = $click.value$. I named my token "Token" in the drilldown editor for simplicity.

In my initial post I stated:

***User Pie Chart with the drilldown token: token_user=$click.value$ ***

but it should be:

***User Pie Chart with the drilldown token: "token"=$click.value$ ***

*** File Extension Pie Chart with the drilldown token: "token"=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document

Apologies for the confusion. Hope that clears it up a little.
You must explicitly add an action to add an alert to triggered alerts. So if your only action was email, you must check why the email wasn't delivered (look in _internal for sendemail.py). At first glance your logs suggest that the alert notifier was actually dispatched.
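As an added illustration (not code from this thread or from Splunk): the SavedSplunker status line quoted further down this page already carries everything needed for that first check. The Python below parses a SavedSplunker key=value line from _internal and reports whether the scheduled search completed, matched events, was not throttled, and had an alert action attached. The first sample line is the one posted in this thread; the other two are constructed to show the negative cases.

```python
import re
from typing import Dict

# SavedSplunker writes comma-separated key=value pairs. Values are either
# double-quoted (and may then contain ';' or ',') or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_saved_splunker(line: str) -> Dict[str, str]:
    """Return the key=value fields of a SavedSplunker status line from _internal."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def alert_dispatched(line: str) -> bool:
    """True when the search succeeded, matched at least one event, was not
    suppressed by throttling, and had at least one alert action attached.
    In that case Splunk handed the alert to its actions, so a missing email
    points at the email action (sendemail.py in _internal), not the alert."""
    f = parse_saved_splunker(line)
    return (
        f.get("status") == "success"
        and int(f.get("result_count", "0")) > 0
        and f.get("suppressed", "0") == "0"
        and f.get("alert_actions", "").strip() != ""
    )


# Line posted in this thread (log 2 of the scheduled-alert run).
THREAD_LINE = (
    '10-14-2024 22:16:01.809 +0400 INFO SavedSplunker - savedsearch_id="nobody;search;kareem", '
    'search_type="scheduled", search_streaming=0, user="kareem", app="search", '
    'savedsearch_name="kareem", priority=default, status=success, digest_mode=1, '
    'durable_cursor=0, scheduled_time=1728929760, window_time=0, dispatch_time=1728929760, '
    'run_time=0.178, result_count=1531, alert_actions="email", '
    'sid="scheduler__kareem__search__kareem_at_1728929760_35", suppressed=0, '
    'action_time_ms=718, thread_id="AlertNotifierWorker-0", workload_pool=""'
)

# Constructed negative cases (not from the thread): no matching events, and
# a search that matched but has no alert action configured at all.
NO_MATCH_LINE = (
    '10-14-2024 22:17:01.000 +0400 INFO SavedSplunker - savedsearch_id="nobody;search;kareem", '
    'status=success, result_count=0, alert_actions="email", suppressed=0'
)
NO_ACTION_LINE = (
    '10-14-2024 22:18:01.000 +0400 INFO SavedSplunker - savedsearch_id="nobody;search;kareem", '
    'status=success, result_count=42, alert_actions="", suppressed=0'
)

if __name__ == "__main__":
    for label, line in (("thread", THREAD_LINE), ("no-match", NO_MATCH_LINE), ("no-action", NO_ACTION_LINE)):
        f = parse_saved_splunker(line)
        print(label, "results=%s actions=%r dispatched=%s" % (f.get("result_count"), f.get("alert_actions"), alert_dispatched(line)))
```

Run it over the SavedSplunker lines pulled from `index=_internal` for the saved search in question; a line where `alert_dispatched` is true means the alert fired and the next place to look is the action's own log.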
This worked for me: | rest /services/authentication/current-context Thanks!
$*token$ - what is it supposed to be? Maybe, just maybe, *$token$ could work. Definitely not the way you're trying to do it. You have no token named "*token".
Need help with creating an interactive drilldown with a value extracted using the rex command. I want to monitor users saving files to a certain folder and also sort and look at the file extension types that are saved in the folder and by whom. Raw test data has: time, user, computer, directory and document, as seen below.

Test Data
_time        user_name    computer_name    source_directory         document
10/11/2024   user1        Destop_user1     \\cpn-local\priv\cus\    document1.pdf
10/11/2024   user4        Destop_user1     \\cpn-local\priv\cus\    document2.doc
10/10/2024   user1        Destop_user1     \\cpn-local\priv\cus\    document3.pdf
10/10/2024   user2        Destop_user2     \\cpn-local\priv\cus\    document4.pdf
10/9/2024    user3        Destop_user3     \\cpn-local\priv\cus\    document5.pdf
10/9/2024    user4        Destop_user4     \\cpn-local\priv\cus\    document6.doc
10/9/2024    user2        Destop_user2     \\cpn-local\priv\cus\    document7.doc

I have created a drilldown using a token value of the queried data from the raw logs, which allows me to select a user from a pie chart and show all logs in a second table. Those two dashboard panels are below and work.

***User Pie Chart with the drilldown token: token_user=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(user_name) BY user_name

***User Record Table ***
index="user_files" user_name = $token$ | table _time, user_name, computer_name, source_directory, document

I am now trying to create a dashboard taking the same raw data, adding a rex command to extract the extension, and having the pie chart show the specific file extensions in the logs from the index, which I have done using the following query:

*** File Extension Pie Chart: Works ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension

However, when I call on the token "source = $token$" after declaring the index to display records based on the pie chart selection, there are no search results.

*** Records by file type selected in Pie Chart: No records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document

I also tried (index="user_files" extension=$*token$") and ("|where extension="$token$") in the query and still no results are seen in the record table. Any help would be greatly appreciated. I understand the logic needed, I am just having problems executing the drilldown. Thanks
And here I have tried the scheduled alert, and here are the logs related to that alert:

log 1:
10-14-2024 22:16:01.088 +0400 INFO SavedSplunker - AlertNotifier::notifySearchCompleted: called for sid=scheduler__kareem__search__kareem_at_1728929760_35, condition=1

log 2:
10-14-2024 22:16:01.809 +0400 INFO SavedSplunker - savedsearch_id="nobody;search;kareem", search_type="scheduled", search_streaming=0, user="kareem", app="search", savedsearch_name="kareem", priority=default, status=success, digest_mode=1, durable_cursor=0, scheduled_time=1728929760, window_time=0, dispatch_time=1728929760, run_time=0.178, result_count=1531, alert_actions="email", sid="scheduler__kareem__search__kareem_at_1728929760_35", suppressed=0, action_time_ms=718, thread_id="AlertNotifierWorker-0", workload_pool=""
My group and I are creating a senior project for a SIEM through a VM. We were planning to implement Splunk dashboards into the project with Python code. To give some background, we are starting from scratch with Python code, and we would like to implement Splunk dashboards into that Python code. In short, when we run the Python code we would like Splunk's GUI to pop up (whichever one we choose: charts, pie charts, global map) with the data that we are collecting through the Python code. Is there a way we can achieve this goal?
Email was the only action, and the way I knew is by checking the Triggered Alerts section under Activity. As I said, I tried scheduled alerts with the same issue.
1. Please, don't use real-time alerts. Except for very, very rare cases, real-time searches should be avoided altogether.
2. How did you confirm that the alerts weren't triggered? Is email the only action you have defined? Maybe the problem is with your action, not the alert itself.
My alert is not triggered even with many matching events. Here are the details: while the activity that generates these logs is running, the real-time alert is processing and found those events in the screenshot. I have waited for 5 mins and it is the same issue. I have also tried scheduled, and still the same issue, no triggering.
Anyone have a tip on how to have a token (from a field) and then determine which query to run based on that input? For example (datasources/queries: fruit, meat, vegetable): Field: banana -> run query for fruit -> display table about banana from said query. Struggling with this one. Trying to make a dynamic search bar that populates tables based on the input, thus making multiple of my dashboards redundant. Slimming things down.
Hello @ITWhisperer, would that be possible if all the fields have only 2 values that are repeatedly occurring? Also, the numeric values can be replaced with text values as well. Thanks!
If you'll forgive the late reply... I ran into your problem this morning and found a workaround. (And wanted to answer in case someone else runs across this thread in the future, like I did.)

Either leave the "Earliest Offset" value blank, or default, and then hard-code the time you need into your search. For example, I needed to look back 1 month, so I added the following to my first line:

earliest=-1mon

That solved the issue for me.
Hi @Kashinath.Kumbharkar, Thanks for asking your question on the community. At this point, I think it would be best if you reached out to AppD Support or contact your AppD Rep to talk more about your specific goals and outcomes with this project. Your AppD Admin should be able to help with this. 
Charts show numeric values (y-axis) against a base (x-axis) - what you are asking for can't be done with charts.
Hi sainag, thanks for the response. No, we are not using scripted authentication. The pasted authentication.conf above is the complete config. I am also not able to see the log

Unknown role 'ldap_user'

What I figured out: I changed the default reply URL to

https://<instance>.westeurope.cloudapp.azure.com/saml/acs

instead of

https://<instance>.westeurope.cloudapp.azure.com/en-GB/account/login

and now this error is gone (is that maybe responsible for the evaluation of the attributes?). BUT now I get a different error:

10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=342:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/CN=SSO-Certificate; issuer=/CN=SSO-Certificate; err=20; msg=unable to get local issuer certificate
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=381:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/CN=SSO-Certificate; issuer=/CN=SSO-Certificate; err=20; msg=unable to get local issuer certificate
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:file=x509.c:line=1505:obj=x509:subj=unknown:error=72:certificate is not found:details=NULL
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLKeyDataX509XmlRead:file=x509.c:line=654:obj=x509:subj=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:error=1:xmlsec library function failed:
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=114:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=X509Data
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecKeysMngrGetKey:file=keys.c:line=1227:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxVerify:file=xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
10-14-2024 15:31:01.405 +0000 ERROR Saml [4858 webui] - Error: failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCert.pem;
10-14-2024 15:31:01.405 +0000 ERROR Saml [4858 webui] - Unable to verify Saml document
10-14-2024 15:31:01.405 +0000 ERROR UiSAML [4858 webui] - Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert

Are these errors somehow related? Any ideas how to fix that? How can I turn on debug for SAML?
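One check worth doing before digging further into the xmlsec chain above, added here as an example and not taken from the thread or from Splunk: confirm that the certificate in idpCert.pem is the one the IdP actually signed the assertion with. X509_verify_cert failing with "unable to get local issuer certificate" on a self-signed CN=SSO-Certificate, followed by "certificate is not found" and "key is not found", is consistent with the signing certificate carried in the assertion's KeyInfo not being among the trusted certificates Splunk loaded from idpCert.pem (for instance after the IdP rotated its signing certificate). The stdlib-only Python below fingerprints the certificate in the PEM file and every ds:X509Certificate in the SAML Response and compares them. The PEM blocks and the SAML Response embedded here are constructed stand-ins, not real certificates; run it against your own idpCert.pem and a SAMLResponse captured from the browser POST to /saml/acs.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _pem_block(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the first certificate in a PEM file,
    e.g. the file named in the error: /opt/splunk/etc/auth/idpCerts/idpCert.pem."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def saml_signing_cert_fingerprints(saml_response: str) -> list:
    """Fingerprints of every ds:X509Certificate carried in the response's KeyInfo.
    Accepts either the raw XML or the base64-encoded SAMLResponse form parameter."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    fingerprints = []
    for el in root.iter("{%s}X509Certificate" % DSIG_NS):
        der = base64.b64decode("".join((el.text or "").split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def idp_cert_matches(saml_response: str, configured_pem: str) -> bool:
    """True when the configured IdP certificate is one the IdP actually sent.
    This only checks that the right certificate is configured; it does not
    verify the XML signature itself."""
    return pem_fingerprint(configured_pem) in saml_signing_cert_fingerprints(saml_response)


# --- Constructed sample data (not real certificates; any byte string hashes fine) ---
CURRENT_SIGNING_DER = b"constructed DER bytes standing in for the IdP's current signing cert"
STALE_SIGNING_DER = b"constructed DER bytes standing in for an older, rotated-out cert"

CURRENT_IDP_PEM = _pem_block(CURRENT_SIGNING_DER)   # what idpCert.pem should contain
STALE_IDP_PEM = _pem_block(STALE_SIGNING_DER)       # an idpCert.pem that fell behind a rotation

# Minimal SAML Response skeleton whose Signature/KeyInfo carries the current cert.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    + base64.b64encode(CURRENT_SIGNING_DER).decode("ascii") +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '</samlp:Response>'
)
# The same response as the browser would POST it in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, pem in (("current", CURRENT_IDP_PEM), ("stale", STALE_IDP_PEM)):
        print("%s idpCert.pem matches assertion cert: %s" % (label, idp_cert_matches(SAMPLE_RESPONSE_XML, pem)))
```

If the fingerprints differ, replace idpCert.pem with the signing certificate the IdP currently publishes in its federation metadata and retry the login. If they match, the configured certificate is not the problem and the remaining xmlsec errors need to be read on their own terms.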
Hello,

I would like to create a chart with multiple fields on the Y axis and time on the x axis.

Y axis - FIELD_01 FIELD_02 FIELD_03 FIELD_04 FIELD_05 FIELD_06 (all field values are strings and numbers as well)
x axis - _time

Let's say, if FIELD_01 consists of the values Stopped, Started, Stopped, Stopped, on the y axis it should change its values with some colours.

FIELD_06     Field values
FIELD_05     Field values
FIELD_04     Field value
FIELD_03     Field value
FIELD_02     Field value
FIELD_01     Field value
Y axis / x axis                                         _time

Thanks in advance!
Can you explain more? Which file should be edited? Please send the path and file name.
My Splunk installation can't read files from a Windows host from a specific folder on the C: drive. Logs are collected from another folder without problems. There are no errors in index _internal, the stanza in inputs.conf looks standard, and the monitor on the folder and the path are specified correctly. The rights to the folder and files are system ones, as are those of other files that we can collect. What could be the problem?
Hello @BRFZ, when was the last reboot on this search head? It looks like it's hung up. I encourage you to reach out to support if this does not get resolved.