All Posts
Hi @isoutamo, thanks for your information. After I checked:

- Splunk Add-on for Unix and Linux [Installed]
- Splunk Common Information Model (CIM) [Installed]
- InfoSec App for Splunk [Not Installed]

For the UF issue there is no problem at all; here I can get all the logs I need. It's just that the data I get has messy fields, like in this picture. I think it's not okay, and that's why I created a topic asking about this problem.
Hi @PickleRick @marnall, thank you for your advice, but unfortunately I still can't change it even after I clear my cookies and/or cache. Can this issue be solved using another method?
Using Windows 10, I installed Splunk onto the drive folder itself (not the drive where Windows was installed) and then I wasn't able to access the drive. Properties showed it had 0 storage and the default name of the drive in "My PC" was NTFS drive or something. I could not find the uninstall button in the apps settings, nor could I find any services related to Splunk in Windows Services or Task Manager. I couldn't use the Splunk application itself either, and couldn't find a Splunk folder in the C drive either. I tried to run chkdsk X: /f /r in CMD and got the error "Chkdsk cannot dismount the volume because it is a system drive or there is an active paging file on it". I couldn't format the drive because it said it was in use. I ended up booting into safe mode and formatting the drive there, which has solved all my issues, but does anyone know what the issue was?
My apologies, @elend. I must modify my answer. Whereas I haven't found a way to use the cell value (by column) for drilldown in SimpleXML, what you ask is very easy in Dashboard Studio: just set a token using the "value" option. Here is a simple example:

{
  "visualizations": {
    "viz_L2lVmmIi": {
      "type": "splunk.table",
      "dataSources": { "primary": "ds_XAakW253" },
      "title": "Set local => $set_tok$",
      "eventHandlers": [
        {
          "type": "drilldown.setToken",
          "options": {
            "tokens": [ { "token": "set_tok", "key": "value" } ]
          }
        }
      ]
    }
  },
  "dataSources": {
    "ds_XAakW253": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults format=csv data=\"_click\nA\nb\nC\nd\nfoo\nbar\nmore letters\"\n| eval click = \"You click \" . _click"
      },
      "name": "Simple table"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": { "earliest": "-24h@h", "latest": "now" }
        }
      }
    }
  },
  "inputs": {},
  "layout": {
    "type": "grid",
    "options": { "width": 1440, "height": 960 },
    "structure": [
      {
        "item": "viz_L2lVmmIi",
        "type": "block",
        "position": { "x": 0, "y": 0, "w": 1440, "h": 346 }
      }
    ],
    "globalInputs": []
  },
  "description": "",
  "title": "Drilldown to cell value"
}

Here are two screenshots, one clicking on column 1, the other on column 2:
The problem is in the visualization type <event />. Even though makeresults is a generative command, there is no real event. Switch to the <table /> visualization and the dashboard functions as expected.

<form version="1.1" theme="light">
  <label>Simple input</label>
  <fieldset submitButton="false">
    <input type="text" token="text_tok" searchWhenChanged="true">
      <label></label>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Here is a really simple dashboard:   <form version="1.1" theme="light"> <label>Simple input</label> <fieldset submitButton="false"> <input type="text" token="text_tok" searchWhenChanged="tr... See more...
Here is a really simple dashboard:   <form version="1.1" theme="light"> <label>Simple input</label> <fieldset submitButton="false"> <input type="text" token="text_tok" searchWhenChanged="true"> <label></label> <default></default> </input> </fieldset> <row> <panel> <event> <search> <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="list.drilldown">none</option> <option name="refresh.display">progressbar</option> </event> </panel> </row> </form>   Its function is really simple: When nothing is entered into the text input, display something like INPUT _time (none) 2024-09-28 17:33:54 Indeed, when I click the magnifying glass ("Open in search"), that's what I get If any string is entered, that string will be displayed.  For example, if a single letter "a" is entered, it should display INPUT _time a 2024-09-28 17:31:31 Just as well, "Open in search" gives this output However, no matter what is entered or not entered, the dashboard panel always says "Search did not return any events."   Test is done in Splunk 9.3.0. 
As PickleRick suggests, this may resolve if you clear your cookies and/or cache.
Does it produce different errors than "Unauthorized access" when you use other images?
@harishsplunk7, I hope this search will help you:

| rest /services/authentication/users splunk_server=local
| table title, realname, last_successful_login
| rename title AS username
| addinfo
| eval status=if(last_successful_login>info_min_time, "User logged in during the selected time range", "User Not logged in during the selected time range")
| convert ctime(*_login) ctime(*_time)
| fields - *_time, info_sid

------
If you find this solution helpful, please consider accepting it and awarding karma points!
If you are getting no output, I would recommend removing the lines of the search one by one from the end until you get output, so you can narrow down your troubleshooting to the problematic line. Do you get any output if you remove the last line?

| stats dc values("modifiedUser") by Action "Actioned By"
You're thinking in the wrong order. That's why I'm saying it's not possible with Splunk alone. If you don't know this one, it's one of the mainstays of understanding the Splunk indexing process: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774 As you can see, line breaking is one of the absolute first things that happens to the input stream. You can't "backtrack" your way within the ingestion pipeline to do SEDCMD before line breaking. And, as I wrote already, it's really a very bad idea to tackle structured data with regexes.
I have a KPI alert using an ad hoc search which outputs custom fields, and then a custom alert action is configured on Notable aggregation policies (NEAP) action rules which trigger the action on the KPI notable event. alert_actions.conf has all the params defined. But $results.fieldname$ is always blank in the script. results_file only has ITSI/KPI-specific fields but does not have the custom fields. How
Thank you. I deleted the file and it worked great. 
This means that you don't need a separate DS server until you have something like 50 UF deployment clients. Usually you should configure your own app to manage that DS configuration on the UFs. You could use the same or a separate app for outputs.conf too. If you set those in the installation phase then it's hard to change them later, as they are configured under ...\etc\system\local, which you cannot manage by DS.
Hi, have you looked at e.g. the Splunk Add-on for Unix and Linux https://splunkbase.splunk.com/app/833 to ingest those logs into Splunk? Usually it's best to use some TA, as those do a lot of needed stuff like making inputs CIM compliant https://splunkbase.splunk.com/app/1621. Then you can easily use e.g. the InfoSec app https://splunkbase.splunk.com/app/4240 to monitor what is happening in your environment. Those with the suffix -too_small are something that has no sourcetype definition on the Splunk side; Splunk just generates that name for them. You should do a real data onboarding for those files/sources. One other thing you should check and change if needed: you should never run the UF on those nodes as root. Use some other user like splunk or splunkfwd. Then your issue is that that user doesn't have access to all those logs, and that you also need to fix. r. Ismo
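A practical follow-up to the "never run the UF as root" point above, added here as an example and not part of Ismo's post: check which account splunkd is running under, and give an unprivileged service account read access to the log directories with POSIX ACLs rather than running the forwarder as root. The service account name splunkfwd and the /var/log path are assumptions; adjust both to your host.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): keep the Universal Forwarder off root.
# 1) detect a splunkd process owned by root, 2) print the setfacl commands that
# give an unprivileged service account read access to the logs instead.
# Assumed names: service account "splunkfwd", log directory /var/log.
set -eu

# Return 0 when a "user command" line, as printed by `ps -o user=,comm=`,
# shows splunkd owned by root. Pure string check so it can be exercised on
# sample input without a running forwarder.
splunkd_runs_as_root() {
  case "$1" in
    "root "*splunkd*) return 0 ;;
    *)                return 1 ;;
  esac
}

# Print (do not run) the setfacl commands for each directory given:
# one pass for the files that already exist, one default ACL so newly created
# or rotated log files inherit the grant. rX = read, plus traverse on
# directories only. Review the output, then apply it with:
#   grant_log_access splunkfwd /var/log | sudo sh
grant_log_access() {
  user="$1"; shift
  for dir in "$@"; do
    printf 'setfacl -R -m u:%s:rX %s\n' "$user" "$dir"
    printf 'setfacl -R -d -m u:%s:rX %s\n' "$user" "$dir"
  done
}

# Live check of this host: non-zero exit if any splunkd belongs to root.
# Uses Linux procps `ps -C`; a ps error or no splunkd at all counts as "not root".
check_host() {
  { ps -o user=,comm= -C splunkd 2>/dev/null || true; } | while IFS= read -r line; do
    if splunkd_runs_as_root "$line"; then
      echo "WARNING: splunkd is running as root: $line" >&2
      exit 1
    fi
  done
}

# Run the live check only when invoked with --check, e.g.  ./uf_privs.sh --check
if [ "${1:-}" = "--check" ]; then
  check_host
  echo "OK: no root-owned splunkd found"
fi
```

The default ACL (-d) is what keeps this working after logrotate creates a fresh file; without it the forwarder loses access at the next rotation. If the files are written by a daemon that does its own rotation with fixed modes, the logrotate "create" mode or the daemon's umask still needs to agree with the ACL, so re-run the --check and a test read after the first rotation.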
Hi, actually this has changed in 9.x. Currently you can have newer UF/HF versions than the Splunk server or SCP have. Earlier (pre 9) it was instructed that the server must have a higher or equal version than the UF/HF/IHF. I prefer to wait some time after a new version has been released to see if there are any issues with it, just like I do with the server side. Usually you could/should do those upgrades e.g. a couple of times per year, like any other OS/other tools. Of course when there is any security issue then you should do updates outside of your normal update cycle. r. Ismo
Hi, as this is quite an old thread, please create a new question to get an answer. I suppose that most of us don't read and try to find new comments/questions in old and answered threads. Based on the field name, are you trying to convert epoch time to epoch?
What is your current reason why you are trying this and what is your original issue which you are solving?
Hi, or is it possible to use this example with a REST query and cURL on the CLI? https://community.splunk.com/t5/Other-Usage/Why-can-t-I-change-alert-with-REST-It-change-permission-from-app/td-p/646456 r. Ismo
regex101.com is your friend: https://regex101.com/r/rB5kWs/1