All Posts


Hi @hazem, it's usually continuously monitored every 30 seconds, but you can change this frequency, even if I didn't do it. Ciao. Giuseppe
If your file is already external to Splunk, you could write a script to send it to your external system for enrichment, and place the returned file somewhere so that it can be ingested into Splunk (assuming that's where you want the enriched data).
Hi @gcusello, what about reading logs from application log files? Is it continuously monitored, or can we set an interval?
| sort 0 _time | streamstats latest(count) as previous by Table_Name window=1 global=f current=f | eval increase=round(100*(count-previous)/previous,0)
Hi, there were average values because the time period was too large.
Ok, I see your point. Yes, the easiest way would be, as you suggested, to filter within the analytics data, but another option, which we have done for this exact purpose, was to just create a little script which queries the SEP's data and inserts it into analytics on a schedule. Did a similar thing for Remote services. Ciao
Hello, I would like to know if it's possible to set up a "lot" of automation brokers in a single instance within the same tenant, or is it only 1 per "tenant"? My main use case would be to have access to and act upon a lot of "on-prem" clients with a few SOAR cloud instances (clients are already merged by "group of clients", therefore I do not want to re-split with 1 tenant = 1 client). PSA: I did not manage to find the details about the possibility of having multiple "automation brokers" in both Splunk SOAR and Splunk Automation Broker. I assume it's possible based on the API and the "id" for the broker; I just want to confirm it, thanks!
Thank you very much for your time and effort. I have created both a support ticket and an idea. Kind regards
Hi Husnain, I don't believe there is an official documented API. What we did was just open developer tools in your browser and create a new test metric, then check the way the payload is structured; you can then automate or build them using curl or any scripting method of your choice. Ciao
@PickleRick, the file can be in any format. So, basically, we have a file in our local system, or if an email contains a file, we would like to take that file as an input via a custom command and send that file to a third-party TI provider's API as the query param.
Hi @neerajs_81, as I said, there's no way to intervene on the Classic Dashboard inputs layout; you can only use Dashboard Studio. Ciao. Giuseppe
Ok thanks, is there a way to increase the gap between two input boxes? How can I add more space between Source IP and DestIP Condition as shown below?
Hi @Nicolas2203, checkpoints are managed in different ways (e.g. DB Connect uses a KV store table), so you have to understand what the repository of your checkpoints is, and you have to align between HFs using a scheduled script that copies configurations and checkpoints, so the HFs will be aligned to the last run of the script. Ciao. Giuseppe
Hello @gcusello, thanks for the answer. Ok, I understand, I will install the app on both HFs and just activate it on one. When you say you have to manage checkpoints between HFs, how is that possible in Splunk? Assuming that logs are stored on the source for 2 weeks in case of an outage, when I activate log collection on the second HF, it will start collecting logs from the day it is activated, and it won't be aware of the logs already ingested into Splunk?
I'm thinking either an external lookup or a custom search command. But what confuses me here is that you're talking about a "file". What file do you have in mind?
Hi @neerajs_81, using Classic Dashboards, you can only put the input boxes on the same row on top of the dashboard; if you want a different position, you have to use Dashboard Studio. Ciao. Giuseppe
There is an easier way. index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort 0 +_time -count | dedup 10 _time
Hi, I am using a classic dashboard. I have the below 2 INPUT boxes (SRC_Condition and Source IP) to filter the src_ip. By default, we can only place input boxes next to one another. How can I align these 2 on top of one another? Splunk doesn't allow us to drag and drop them on top of each other.
@marnall We want this OUT of Splunk, into a service that takes the file and returns enrichment information about the file.
Hi, I'm trying to drill down on a table using two different input values (from two radio button inputs). When I have input from one radio button, it all works fine. For example, if I have this statement in the drilldown tag of the table, it works perfectly: <set token="tokenNode">$click.value$</set>
However, when I place a second set token statement, it just says No Results Found. I tried both click.value and click.value2.
Option 1: <set token="tokenNode">$click.value$</set> <set token="tokenSwitch">$click.value$</set>
Option 2: <set token="tokenNode">$click.value$</set> <set token="tokenSwitch">$click.value2$</set>