My apologies, @elend. I must modify my answer. Whereas I haven't found a way to use the cell value (by column) for drilldown in SimpleXML, what you ask is very easy in Dashboard Studio: just set a token using the "value" option. Here is a simple example:

    {
      "visualizations": {
        "viz_L2lVmmIi": {
          "type": "splunk.table",
          "dataSources": { "primary": "ds_XAakW253" },
          "title": "Set local => $set_tok$",
          "eventHandlers": [
            {
              "type": "drilldown.setToken",
              "options": {
                "tokens": [ { "token": "set_tok", "key": "value" } ]
              }
            }
          ]
        }
      },
      "dataSources": {
        "ds_XAakW253": {
          "type": "ds.search",
          "options": {
            "query": "| makeresults format=csv data=\"_click\nA\nb\nC\nd\nfoo\nbar\nmore letters\"\n| eval click = \"You click \" . _click"
          },
          "name": "Simple table"
        }
      },
      "defaults": {
        "dataSources": {
          "ds.search": {
            "options": {
              "queryParameters": { "earliest": "-24h@h", "latest": "now" }
            }
          }
        }
      },
      "inputs": {},
      "layout": {
        "type": "grid",
        "options": { "width": 1440, "height": 960 },
        "structure": [
          {
            "item": "viz_L2lVmmIi",
            "type": "block",
            "position": { "x": 0, "y": 0, "w": 1440, "h": 346 }
          }
        ],
        "globalInputs": []
      },
      "description": "",
      "title": "Drilldown to cell value"
    }

Here are two screenshots, one clicking on column 1, the other on column 2:
The problem is in the visualization type <event />. Even though makeresults is a generative command, there is no real event. Switch to the <table /> visualization and the dashboard functions as expected.

    <form version="1.1" theme="light">
      <label>Simple input</label>
      <fieldset submitButton="false">
        <input type="text" token="text_tok" searchWhenChanged="true">
          <label></label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>
Here is a really simple dashboard:   <form version="1.1" theme="light"> <label>Simple input</label> <fieldset submitButton="false"> <input type="text" token="text_tok" searchWhenChanged="tr... See more...
Here is a really simple dashboard:   <form version="1.1" theme="light"> <label>Simple input</label> <fieldset submitButton="false"> <input type="text" token="text_tok" searchWhenChanged="true"> <label></label> <default></default> </input> </fieldset> <row> <panel> <event> <search> <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="list.drilldown">none</option> <option name="refresh.display">progressbar</option> </event> </panel> </row> </form>   Its function is really simple: When nothing is entered into the text input, display something like INPUT _time (none) 2024-09-28 17:33:54 Indeed, when I click the magnifying glass ("Open in search"), that's what I get If any string is entered, that string will be displayed.  For example, if a single letter "a" is entered, it should display INPUT _time a 2024-09-28 17:31:31 Just as well, "Open in search" gives this output However, no matter what is entered or not entered, the dashboard panel always says "Search did not return any events."   Test is done in Splunk 9.3.0. 
As Picklerick suggests, this may resolve if you clear your cookies and/or cache.
Does it produce different errors than "Unauthorized access" when you use other images?
@harishsplunk7 I hope this search will help you:

    | rest /services/authentication/users splunk_server=local
    | table title, realname, last_successful_login
    | rename title AS username
    | addinfo
    | eval status=if(last_successful_login>info_min_time,"User logged in during the selected time range","User Not logged in during the selected time range")
    | convert ctime(*_login) ctime(*_time)
    | fields - *_time, info_sid

------ If you find this solution helpful, please consider accepting it and awarding karma points!!
If you are getting no output, I would recommend removing the lines of the search one by one from the end until you get output, so you can narrow down your troubleshooting to the problematic line. Do you get any output if you remove the last line:

    | stats dc values("modifiedUser") by Action "Actioned By"
You're thinking in the wrong order. That's why I'm saying it's not possible with Splunk alone. If you don't know this one, it's one of the mainstays of understanding the Splunk indexing process: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774 As you can see, line breaking is one of the absolute first things that happens to the input stream. You can't "backtrack" within the ingestion pipeline to do SEDCMD before line breaking. And, as I wrote already, it's a really bad idea to tackle structured data with regexes.
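To make the ordering concrete, here is an added props.conf fragment; it is not part of the thread and the sourcetype name my:app, the break pattern and the SEDCMD are placeholders rather than the asker's data. The stage comments follow the pipeline order the linked diagram describes.

```ini
# props.conf (added example; stanza name and patterns are placeholders)
[my:app]
# Stage 1: line breaking. Runs first, on the raw byte stream, and fixes the
# event boundaries. Nothing later in this stanza can move them.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Stage 2: timestamp extraction, applied to each already-broken event.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32

# Stage 3: SEDCMD. Applied per event, after the boundaries above exist. It can
# rewrite _raw inside one event (here: drop a trailing comma) but it cannot
# merge or re-split events, so it cannot repair line breaking after the fact.
SEDCMD-strip_trailing_comma = s/,\s*$//
```

If the payload is a structured format such as JSON, the parser-based settings (INDEXED_EXTRACTIONS at index time, or KV_MODE at search time) are the alternative to regex edits that the reply alludes to; a sed expression that works on today's sample will silently corrupt tomorrow's once a field is reordered or escaped.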
I have a KPI alert using an ad hoc search which outputs custom fields, and then a custom alert action is configured on Notable Event Aggregation Policy (NEAP) action rules, which trigger the action on the KPI notable event. alert_actions.conf has all the params defined. But $results.fieldname$ is always blank in the script. results_file only has ITSI/KPI-specific fields but does not have the custom fields. How
Thank you. I deleted the file and it worked great. 
This means that you don't need a separate DS server until you have something like 50 UF deployment clients. Usually you should configure your own app to manage that DS configuration on the UFs. You could use the same or a separate app for outputs.conf too. If you set those in the installation phase then it's hard to change them later, as they are configured under ...\etc\system\local, which you cannot manage via DS.
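As an added illustration, not from the thread, of keeping the deployment-client and output settings in an app instead of etc/system/local, here is a minimal bootstrap app for a UF. The app name org_uf_base, the host names and the certificate path are placeholders.

```ini
# $SPLUNK_HOME/etc/apps/org_uf_base/local/deploymentclient.conf
# (added example; app name, hosts and paths are placeholders)
[target-broker:deploymentServer]
targetUri = ds.example.internal:8089

# $SPLUNK_HOME/etc/apps/org_uf_base/local/outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# Verify the indexer certificate instead of trusting whatever answers on 9997.
# The trust anchors come from sslRootCAPath in server.conf; the client cert is
# only needed if the indexers require mutual TLS.
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/org/uf_client.pem
```

Because the deployment server only ever replaces whole apps under etc/apps, both files stay manageable from the DS: a later serverclass can push a new version of org_uf_base (or a separate outputs app) and the UF reloads it, whereas the same keys written to etc/system/local during installation would have to be edited host by host.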
Hi, have you looked at e.g. the Splunk Add-on for Unix and Linux https://splunkbase.splunk.com/app/833 to ingest those logs into Splunk? Usually it's best to use a TA, as those do a lot of the needed stuff, like making the inputs CIM compliant https://splunkbase.splunk.com/app/1621. Then you can easily use e.g. the InfoSec app https://splunkbase.splunk.com/app/4240 to monitor what is happening in your environment. Those with the suffix -too_small are something which doesn't have any sourcetype definition on the Splunk side; Splunk just generates that name for them. You should do real data onboarding for those files/sources. One other thing you should check and change if needed: you should never run the UF on those nodes as root. Use some other user like splunk or splunkfwd. Then your issue is that that user doesn't have access to all those logs, and you also need to fix that. r. Ismo
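A quick way to find out which logs a non-root forwarder account cannot read, added here as an example and not code from the thread. It assumes the service account is named splunkfwd (override with SPLUNK_USER), GNU stat(1) and id(1) on Linux, and the syslog/auth file paths in the demo loop, which are placeholders for whatever the Unix add-on inputs monitor on your hosts.

```sh
#!/bin/sh
# Added example (not from the thread): find log files that a non-root Splunk
# forwarder account cannot read, so the UF does not have to run as root.
# Assumptions: service account "splunkfwd" (override via SPLUNK_USER), GNU
# stat(1) and id(1) on Linux, and placeholder log paths in the demo loop.

SPLUNK_USER="${SPLUNK_USER:-splunkfwd}"

# can_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# Pure POSIX-sh evaluation of the owner/group/other read bits, so it can be
# checked without real files. Returns 0 when USER can read the file.
# Not modelled: POSIX ACLs, SELinux/AppArmor and capabilities. A "readable"
# verdict can still be denied by an LSM, and a "blocked" one can be overridden
# by an ACL that grants the user read access.
can_read() {
    _mode=$1 _owner=$2 _group=$3 _user=$4 _groups=$5
    # root bypasses discretionary access checks entirely
    [ "$_user" = root ] && return 0
    # keep the last three octal digits (stat %a prints 640 or 0640), then
    # left-pad so a mode such as "40" becomes "040"
    _perm=$(printf '%s' "$_mode" | sed 's/.*\(...\)$/\1/')
    while [ ${#_perm} -lt 3 ]; do _perm=0$_perm; done
    _o=$(printf '%s' "$_perm" | cut -c1)
    _g=$(printf '%s' "$_perm" | cut -c2)
    _w=$(printf '%s' "$_perm" | cut -c3)
    # exactly one class applies: owner beats group beats other, even when a
    # later class would have granted more
    if [ "$_user" = "$_owner" ]; then
        _bits=$_o
    elif printf ' %s ' "$_groups" | grep -qF " $_group "; then
        _bits=$_g
    else
        _bits=$_w
    fi
    [ $(( _bits & 4 )) -ne 0 ]
}

# check_file PATH USER: read the real mode/owner/group and the user's group
# list, then delegate to can_read. Returns 2 if PATH does not exist.
# Remember that every parent directory also needs x for USER (e.g. /var/log/audit
# is usually 0700), which this per-file check does not cover.
check_file() {
    _path=$1 _who=$2
    [ -e "$_path" ] || return 2
    set -- $(stat -c '%a %U %G' "$_path")
    can_read "$1" "$2" "$3" "$_who" "$(id -Gn "$_who" 2>/dev/null)"
}

# Demo: report the files a syslog/auth host typically exposes to the Unix add-on.
for _f in /var/log/messages /var/log/secure /var/log/auth.log /var/log/syslog; do
    [ -e "$_f" ] || continue
    if check_file "$_f" "$SPLUNK_USER"; then
        echo "OK      $_f is readable by $SPLUNK_USER"
    else
        echo "BLOCKED $_f is not readable by $SPLUNK_USER;"
        echo "        grant read without changing ownership, e.g.: setfacl -m u:$SPLUNK_USER:r $_f"
    fi
done
```

Granting read via an ACL (or adding the account to the log's group, e.g. adm on Debian-style hosts) is preferable to chmod o+r, which exposes authentication logs to every local user. Whatever you choose, check that rotation preserves it: files created by logrotate or the syslog daemon get their own mode, so a default ACL on the directory or the matching create directive in logrotate.conf is what keeps tomorrow's file readable.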
Hi, actually this has changed in 9.x. Currently you can have newer UF/HF versions than the Splunk server or SCP have. Earlier (pre-9) it was instructed that the server must have a higher or equal version than the UF/HF/IHF. I prefer to wait some time after a new version has been released to see if there are any issues with it, just like I do with the server side. Usually you could/should do those upgrades e.g. a couple of times per year, like any other OS/tools. Of course, when there is a security issue then you should do updates outside your normal update cycle. r. Ismo
Hi, as this is quite an old thread, please create a new question to get an answer. I suppose that most of us don't read old, answered threads looking for new comments/questions. Based on the field name, are you trying to convert epoch time to epoch?
What is your current reason for trying this, and what is the original issue you are solving?
Hi, or is it possible to use this example with a REST query and cURL on the CLI? https://community.splunk.com/t5/Other-Usage/Why-can-t-I-change-alert-with-REST-It-change-permission-from-app/td-p/646456 r. Ismo
regex101.com is your friend https://regex101.com/r/rB5kWs/1
Hi, as this is quite an old thread, it's better to create a new question to get someone to answer you. r. Ismo
So basically your issue is knowing whether there are some data integrations which haven't sent events even though they should? There are several apps and examples in the community of how this can be solved.
Hi, I think that you need a separate lookup file which contains all users who have the capability to log in to Splunk. If a user has never logged in, then (depending on how you have configured your users: Splunk users, LDAP users, SSO users) it's quite probable that you don't have those names on your system. For that reason rest cannot return them to you. You just need to replace that subquery [|rest....] in @richgalloway's answer with an inputlookup query for those user accounts. r. Ismo