Most likely there's a line-breaking problem. The documentation is Configure event line breaking (and the entire Configure event processing section). You would also get a better discussion in the Getting Data In forum.
Hi @Robwhoa78, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
First things first. What is a "sub event"? How do you get a "subevent"? How do you count "subevents"? Secondly, please construct your desired output like a real table (e.g., by using the table template above, crafting an HTML table, or some other means suitable for you). The illustration you give is not even aligned and is impossible to interpret.
Hello,

Example: I have 2 lookups, first.csv and second.csv.

first.csv has 1 column named fruit_name, with multiple values:

first.csv
fruit_name
apple
banana
melon
mango
grapes
guyabano
coconut

second.csv has 2 columns, fruits and remarks, with multiple values under the fruits column:

second.csv
fruits                   remarks
apple, mango, guyabano   visible

How can I check whether all the values of second.csv (apple, mango, guyabano) are present in the column fruit_name of first.csv, and then output the remarks with the value visible?

Thanks in advance
Hi Team, Due to an SSL cert issue I see the Database queries tab is not loading, which we are working on. The customer is asking to fetch the following data: query, time executed, time taken for completion, etc. Is there any way we can get the data from the database? In which database is the queries data located, and what is the path to the DB? Please share the DB and table name so we can export the data from the database. Thanks
Hello Splunkers!!
In a scheduled search within Splunk, we have set up email notifications with designated recipients. However, there is an intermittent issue where sometimes recipients do not consistently receive the scheduled search email. To address this, we need to determine whether there is a way within Splunk to verify that the recipients successfully received the email notifications.
Please help me identify how to address this and how to check these things in Splunk.
index=_internal source=*splunkd.log sendemail
I have tried the above search, but it does not provide information about the recipients' email addresses.
Note: I'm using:
1. Splunk Enterprise Version: 9.3.1
2. Enterprise Security Version: 7.3.2
According to this documentation: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix all is good, but I don't have any idea why this is happening.
Hi, I got an error after completing the setup of Enterprise Security in my lab. First, I'm using Windows, but when I want to set up Enterprise Security I always get: Error in 'essinstall' command: (InstallException) "install_apps" stage failed - Splunkd daemon is not responding: ('Error connecting to /services/admin/localapps: The read operation timed out',). Then I wanted to try installing a fresh Splunk Enterprise in WSL (in my case Ubuntu 22); the install succeeded and I can do everything normally. After that, I tried installing Enterprise Security again. Now I get a success notification when setting up Enterprise Security via the Web GUI, but unfortunately after the restart completes I can't open Splunk Enterprise. This is what my CLI looks like; I cannot see any error in my CLI, that's why I ask it here. Maybe somebody can help me?
Hello @Cheng2Ready

The global time range picker cannot be applied to saved searches in Dashboard Studio, since each saved search has its own predefined time range. Unlike Classic Dashboards, when you reference a Saved Search in Studio, it will always use its own time range settings, ignoring any global time range selections.

For your use case, I recommend:
1. Schedule a report with your required metrics.
2. Use the '|collect' command to store the results in a new index.
3. Create a new role for third-party access that only has permissions for this new index.

Optionally, you can:
- Disable specific capabilities for this role.
- Restrict access to only the required dashboard.

This approach helps maintain security by avoiding direct access to the original index. If this reply helps you, please UpVote.
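An added configuration example of the collect-then-restrict pattern described in the answer above. This is not code from the original post: the index name summary_thirdparty, the role name thirdparty_ro, the source index web_access, the saved-search name, the dashboard name thirdparty_metrics and the schedule are all assumptions chosen for illustration.

```ini
# indexes.conf (indexers, or the single instance): the dedicated index the
# scheduled report writes into. The name is an assumption. Keep retention
# short: this index exists only to feed the third-party dashboard.
[summary_thirdparty]
homePath   = $SPLUNK_DB/summary_thirdparty/db
coldPath   = $SPLUNK_DB/summary_thirdparty/colddb
thawedPath = $SPLUNK_DB/summary_thirdparty/thaweddb
# 90 days
frozenTimePeriodInSecs = 7776000

# savedsearches.conf (in the app that owns the report): a scheduled report
# that computes only the metrics the third party needs and stores them with
# collect. Source index, field names and cron schedule are assumptions.
[Third-party hourly metrics]
search = index=web_access sourcetype=access_combined \
  | stats count AS requests, dc(clientip) AS unique_clients BY status \
  | collect index=summary_thirdparty source="thirdparty_hourly_metrics"
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# authorize.conf: the role handed to the third party. No importRoles line,
# so nothing is inherited (importing 'user' would also grant that role's
# srchIndexesAllowed). Index access is limited to the summary index only,
# real-time search is disabled and job/disk quotas are kept small.
[role_thirdparty_ro]
srchIndexesAllowed = summary_thirdparty
srchIndexesDefault = summary_thirdparty
search = enabled
rtsearch = disabled
srchJobsQuota = 3
srchDiskQuota = 100

# metadata/local.meta (in the same app): expose only the one dashboard to the
# new role; other knowledge objects in the app keep their default permissions.
[views/thirdparty_metrics]
access = read : [ thirdparty_ro ], write : [ admin ]
export = none
```

Two checks before handing out the account: the role must also be able to read the app itself (the app-level `[]` stanza in its metadata), otherwise the dashboard is unreachable even with the view permission above, and on current Splunk Enterprise versions the owner of the scheduled report needs the run_collect capability for the `| collect` step to write into the index. Verify the restriction by logging in as a thirdparty_ro user and running `| eventcount summary index=*`: only summary_thirdparty should be listed.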
@PickleRick I am using a single column with multiple entries and am just trying to compare the values in the lookup file with the logs that contain those values and output the results.
@ITWhisperer I am using a lookup file with a single column and multiple entries, which contains filenames. I am trying to match those names with the Filename field in the query to obtain the results that match the value.
LOL... so you formatted the data as JSON and then used |collect mode=raw. I ended up just editing limits.conf to enable mv mode for raw-mode collect and didn't end up using the JSON at all.
Hi @catta99,

To clear the server-side cache, restart splunkweb as you have done:

$SPLUNK_HOME/bin/splunk restart splunkweb

To clear the client-side cache, use your browser's cache functions or temporarily disable caching in your browser's dev tools.

To prevent splunkweb from caching source files during development, you can disable caching in web.conf and restart Splunk:

# $SPLUNK_HOME/etc/system/local/web.conf
[settings]
cacheBytesLimit = 0

The example I provided can be expanded as needed. If you're still having issues after clearing all caches, reply with a reduced SimpleXML and JavaScript example, and we'll take another look.
Hi there, we worked around this problem by having the same 'splunk.secret' file on all instances; this enables you to have encrypted passwords or secrets in your deployment apps. Hope this helps... cheers, MuS
I believe I was overthinking it. I was able to get what I needed with this.
index=store source="softwareinventory" host="SNC****"
| dedup host
| rex field=host "(SNC|POPS)(?<Store>\d+)"
| search "Message.Rogue.AllDskID{}"="E:" OR "Message.Rogue.AllDskID{}"="F:" OR "Message.Rogue.AllDskID{}"="G:"
| rename Message.Rogue.AllDskID{} as Drive_Letter
| rename Message.Rogue.AllVlmName{} as Volume_Name
| table Store Drive_Letter Volume_Name
Oddly - no. In the other (non-orig) index, '...|table myField,_raw' shows nothing for myField, and the _raw data is there, represented as full JSON, including myField with the expected value.