All Posts

We made this change, and it worked fine! Thank you so much for your help.
It worked! Thank you!
Hi @redmandba , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @CyberWolf, I suppose that you want to check this for each Account_name; you could try with stats:

<your_search>
| iplocation src
| stats dc(city) AS city_count BY Account_name
| where city_count>1

Use the Account_name field you have in your logs. Ciao. Giuseppe
| streamstats latest(city) as previous current=f
When you force a default, it will populate the token; as long as the token is populated, the search will return results. I would remove the default, but I feel like you set that for a reason. So maybe I'm not understanding the full use case.
Here, by <source> do you mean you typed the exact path of the file, or just <source> as is?
If you put that setting under the specific stanza for that sourcetype, then changes to the default stanza won't have an impact. Anything under the default stanza is only considered if the same setting has NOT been set in a more specific stanza.
Try making the labels shorter
Hello @JagsP, please update the [stanza] regex as follows:

REGEX = successful\, returned exit code \'0\'

Note: make sure to place the configurations correctly, otherwise it will not work. For example, if your data flow is UF->HF->Indexer, parsing occurs at the full enterprise instance, with the HF being the first layer where this takes place. Additionally, here is the documentation for routing and filtering data, which will help you understand the core concepts: https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Routeandfilterdatad For learning and writing regex for your data, you can use the platform https://regex101.com/ If this resolves your issue, please accept and upvote the answers. Happy Splunking!
We use json for Zeek, if we change that setting, will it impact Zeek logs?
Hi, I was able to resolve the issue.

The issue: You are probably trying to perform vetting in a Windows environment. This is causing the files and directories to have improper access permissions which do not comply with the AppInspect procedures in Splunk, as they are built around NIX OS.

Solution:
1. Download Cygwin (https://www.cygwin.com/setup-x86_64.exe), install it on your Windows machine, and open Cygwin.
2. Go into /cygdrive/<your app location> and run the following commands:

find <your app> -type f -exec chmod 644 '{}' \;
find <your app> -type d -exec chmod 700 '{}' \;

(Make sure to check the permissions by running the command: ls -lR)
3. Create the .spl file, also using the Cygwin terminal:

tar -zvcf <your_app_name.spl> <app_name>

4. Now try the vetting procedure. I did it using Postman, and this time it worked.
@Marco, @jokertothequinn, @manasbellani - What do your file/folder permissions look like? Please check on a Linux machine with the command below.

ls -l

I hope this helps!!! Kindly upvote if it does!!!
I'm using the command |iplocation src, and it produces results for the City. Next I want to compare each City and report when the result is different. Example: when the result for the City is Miami and the next hour or so, in the same field, the City is Boston.
I am creating a panel with an input of type "link". Multiple choice fields are created there; how do I keep all the choice buttons in one line using Splunk Classic?

<panel id="panel_id_1">
  <input type="link" token="token_tab" searchWhenChanged="true" id="details">
    <label></label>
    <choice value="x">X</choice>
    <choice value="Y">Y</choice>
    <choice value="z">Z</choice>
  </input>
</panel>

I want to keep all choice values as X Y Z, but for me it is coming out as X Y Z
Hi @nyajoefit22, yes! You can push the authentication config from the Deployer without the bind password, just add the bind password under system/local and restart each search head / do a rolling restart of the SHC. This would avoid a plain-text password in the TA.
props.conf:

[sap_failure]
TRANSFORMS-filter = setnull,stanza

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[stanza]
REGEX = "successful, returned exit code '0'"
DEST_KEY = queue
FORMAT = indexQueue

Content:

[16/Sep/2024:02:00:36 -05:00] INFO : [PID:0185317:Backup:360] [1] successful, returned exit code '0'
[16/Sep/2024:02:00:36 -05:00] DEBUG: [PID:0185317:SAPHANA:648] SQLSTRING: 'BACKUP DATA FOR FULL SYSTEM CLOSE SNAPSHOT BACKUP_ID 1726470003540 SUCCESSFUL 'hana_data_FHL__2024-09-16T070003-1779190Z''

Here in the content, as you can see, I have other events which do not have the desired text string. I need to filter out all the other events.
Here is the JS. I gave the input id="user_name".

require([
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function (mvc) {
    // get default token model
    var tokens = mvc.Components.getInstance("default");
    var user_name = document.getElementById("user_name");

    // Set required style if init value is undefined to channel
    if (tokens.get("user_name") === 'Enter a User') {
        user_name.classList.add("required");
    }

    // Dropdown change on channel
    tokens.on("change:user_name", function (model, value) {
        if (value === 'Enter a User') {
            user_name.classList.add("required");
        } else {
            user_name.classList.remove("required");
        }
    });
});

Here is the CSS again, just to capture it all in the same reply.

.required button {
    border: 2px solid #f6685e !important;
}

I use this code (more or less) on other dashboards to perform the same "required" function on other inputs like drop-downs, and it works by creating a red outline around the drop-down until a choice is made.
Hello @JagsP
1. What is the data flow? For example: UF->HF->Indexer, and where have you placed your configurations?
2. Also, share a sample event, so I can help you with the regex part accordingly.
still facing this issue