All Posts


Hi everyone, I’m working on a dashboard in Dashboard Studio and need some guidance on exporting it as a PDF. Specifically, I would like to know how to split a multi-panel dashboard into several pages when downloading it as a PDF. Is there a way to configure the layout or settings to achieve this? Any tips or best practices for organizing content in Dashboard Studio to ensure each section appears on a separate PDF page would be greatly appreciated! Thanks in advance for your help!
As I said, this depends on e.g. whether you are using plain syslog, UDP vs TCP vs TLS etc. If you are using UDP, no matter what you are doing, you will lose some events anyway.
Hello @isoutamo, please advise on the load balancing method for connectivity from the source IP to the forwarder node: persistence, or can we keep it round robin? We have 2 forwarders.
OK, thank you @isoutamo @PickleRick. At least Splunk can ingest everything. If an analyst wants specific data, they can regex it.
As I said, this depends on the LB. With some vendors you will lose events if the LB checks whether the backend is up or down, and if it is down then e.g. F5 just drops the packet (or at least it did a couple of years ago when I last used it). You must change the profile to get it to work correctly.
That's true when you are using UDP and pure syslog. But fortunately you can usually select a transport protocol other than UDP for syslog, or even use rsyslog with RELP. In those cases I strongly recommend using an LB with the correct configuration.
As with most other configuration items, the answer to this is that it depends on your environment. There are some known issues with some vendors and, as @PickleRick said, pure syslog traffic with UDP is not a good candidate for an LB. But e.g. if you are using rsyslog with the RELP protocol then it's a totally different case. You could use e.g. F5 in front of rsyslog backends and this works well after you have selected e.g. the FastL4 profile for the LB. Without it you will lose some events. r. Ismo
I agree with @PickleRick that this is quite probably ok. It’s totally dependent on your data.
Hello @gcusello, please advise on the load balancing method for connectivity from the source IP to the forwarder node: persistence, or can we keep it round robin? We have 2 forwarders.
This actually looks OK-ish. You probably have some json data which gets parsed into those "multilevel" fields.
Well, not everything can be solved just by joined community wisdom. Sometimes you simply have to raise a support case.
Hi @isoutamo, thanks for your information. After I checked it:
- Splunk Add-on for Unix and Linux [Installed]
- Splunk Common Information Model (CIM) [Installed]
- InfoSec App for Splunk [Not Installed]
For the UF issue there is no problem at all; here I can get all the logs I need. It's just that the data I get has messy fields like this picture. I think it's not okay, that's why I created this topic to ask about this problem.
Hi @PickleRick @marnall, thank you for your advice, but unfortunately I still can't change it even after I clear my cookies and/or cache. Can this issue be solved using another method?
Using Windows 10, I installed Splunk onto the drive folder itself (not the drive where Windows was installed) and then I wasn't able to access the drive. Properties showed it had 0 storage and the default name of the drive in "My PC" was NFTS drive or something. I could not find the uninstall button in the apps settings, nor could I find any services related to Splunk in Windows services or Task Manager. I couldn't use the Splunk application itself either. Couldn't find a Splunk folder in the C drive either. I tried to run: chkdsk X: /f /r in CMD and I got the error "Chkdsk cannot dismount the volume because it is a system drive or there is an active paging file on it". I couldn't format the drive because it said it was in use. I ended up booting into safe mode and formatted the drive there, which has solved all my issues, but does anyone know what the issue was?
My apologies, @elend. I must modify my answer. Whereas I haven't found a way to use cell value (by column) for drilldown in SimpleXML, what you ask is very easy in Dashboard Studio: Just set a token using "value" option. Here is a simple example:
    {
      "visualizations": {
        "viz_L2lVmmIi": {
          "type": "splunk.table",
          "dataSources": {
            "primary": "ds_XAakW253"
          },
          "title": "Set local => $set_tok$",
          "eventHandlers": [
            {
              "type": "drilldown.setToken",
              "options": {
                "tokens": [
                  {
                    "token": "set_tok",
                    "key": "value"
                  }
                ]
              }
            }
          ]
        }
      },
      "dataSources": {
        "ds_XAakW253": {
          "type": "ds.search",
          "options": {
            "query": "| makeresults format=csv data=\"_click\nA\nb\nC\nd\nfoo\nbar\nmore letters\"\n| eval click = \"You click \" . _click"
          },
          "name": "Simple table"
        }
      },
      "defaults": {
        "dataSources": {
          "ds.search": {
            "options": {
              "queryParameters": {
                "earliest": "-24h@h",
                "latest": "now"
              }
            }
          }
        }
      },
      "inputs": {},
      "layout": {
        "type": "grid",
        "options": {
          "width": 1440,
          "height": 960
        },
        "structure": [
          {
            "item": "viz_L2lVmmIi",
            "type": "block",
            "position": {
              "x": 0,
              "y": 0,
              "w": 1440,
              "h": 346
            }
          }
        ],
        "globalInputs": []
      },
      "description": "",
      "title": "Drilldown to cell value"
    }
Here are two screenshots, one click on column 1, the other on column 2:
The problem is in visualization type <event />. Even though makeresults is a generative command, there is no real event. Switch to <table /> visualization and the dashboard functions as expected.
    <form version="1.1" theme="light">
      <label>Simple input</label>
      <fieldset submitButton="false">
        <input type="text" token="text_tok" searchWhenChanged="true">
          <label></label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>
Here is a really simple dashboard:
    <form version="1.1" theme="light">
      <label>Simple input</label>
      <fieldset submitButton="false">
        <input type="text" token="text_tok" searchWhenChanged="true">
          <label></label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <search>
              <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
      </row>
    </form>
Its function is really simple: When nothing is entered into the text input, display something like
    INPUT    _time
    (none)   2024-09-28 17:33:54
Indeed, when I click the magnifying glass ("Open in search"), that's what I get. If any string is entered, that string will be displayed. For example, if a single letter "a" is entered, it should display
    INPUT    _time
    a        2024-09-28 17:31:31
Just as well, "Open in search" gives this output. However, no matter what is entered or not entered, the dashboard panel always says "Search did not return any events." Test is done in Splunk 9.3.0.
As Picklerick suggests, this may resolve if you clear your cookies and/or cache.
Does it produce different errors than "Unauthorized access" when you use other images?
@harishsplunk7 I hope this search will help you:
    | rest /services/authentication/users splunk_server=local
    | table title, realname, last_successful_login
    | rename title AS username
    | addinfo
    | eval status=if(last_successful_login>info_min_time,"User logged in during the selected time range","User Not logged in during the selected time range")
    | convert ctime(*_login) ctime(*_time)
    | fields - *_time, info_sid
------
If you find this solution helpful, please consider accepting it and awarding karma points !!