@T_K_421 Based on what you are seeing the likely issues are either Network or Permissions on the Azure side.  If you followed the instructions then it should work. It may be worth either re-validating the existing config or starting again. 
Please try:

(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| search problem!="" AND task_active!=false
The missing custom fields are present on local and remote searchHeads? 
I don't want any of the events for a ptask where there is a result of task_active=false. I can't just do a search for task_active=true because it just brings back events from when the ptasks that are now task_active=false were previously true. I was thinking of a solution of having a marker before I did the stats latest:

| eval OutOfScope=if(task_active="false",1,0)

Then I'd need something to say, for number, that if one event is OutOfScope=1 then all events for that ptask number are OutOfScope=1.
@petsafe Please describe the steps that you executed for the upgrade. 
Does removing it from the serverclass cause it to be uninstalled on the forwarders in the class?
Update

While this works:

| inputlookup servers | dedup host | sort host | table host host

The issue I have here is I need to use the token to shrink the returned list. As noted above, this DOES NOT work:

| inputlookup servers where environment = $token$ | dedup host | sort host | table host host

...this returns NOTHING and I've spent several hours going bald trying to figure this out. Then I found it. The issue is the WHERE clause. Apparently, you cannot do an inputlookup to return 1 field while doing the comparison on another field. Who knew? So if the query is returning both the host AND the environment...then it works. What I ended up with is:

| inputlookup servers | table host, environment | where environment = "$token$" | fields - environment

...and now it's happy. Thanks to all, as I wouldn't have gotten this far w/o getting the answers to my stupid questions!
Sorry, it is still not clear to me what the expected outcome should look like.
No luck.   The Health and Status dashboards work, so it does see the lookups, we just can't access them in the main screen.  We're currently on Splunk 9.2.2, so maybe it will clear up once we move to 9.3.
Thank you both for your replies, I was afraid of making a mess keeping a "cluster" with just one node. I have SF and RF=2; I'm aware that the searches will probably trigger a warning about a missing node in the cluster, but the searches will be performed only for historical reasons. Thank you again! This is a really good community, and Splunk is really an excellent product; I'm really sad that I had to let this go.
Could you please check your splunkd.log for any error events and share them?
Yes, so the results that are coming back are the latest events from the ptasks marked red. I'd want to omit all events related to these so that the latest events from the green task are populated in my results.
Do you want to filter out some events based on the results that are produced by our shared search? It would be great if you could clarify the expected outcome. Furthermore, please provide some sample data.
Hi all. I am running into an issue with the Azure AD Graph asset in SOAR. I had an app created in Azure app registrations with the correct permissions based on the documentation. I configured the asset in SOAR with the corresponding tenant, app, and secret information. The redirect URI was entered into the Azure app registration page with /result per the instructions. When I test connectivity, the test will time out after about a minute. I may have missed something in the documentation, but the configuration all seems correct. Has anyone else run into this?
For feature enhancement requests you should visit https://ideas.splunk.com/ and if there is no existing idea matching with your request/idea you should raise a new idea.
The "query" (or in Splunk terminology - search) you're looking for will depend on what data you have indexed in your Splunk.
@prasireddy Sorry was on vacation the last two weeks. Are you still facing the issue?
It's the query to search those logs that I am looking for.  
@Iñigo you can already make dynamic list options in the prompts, but you need to use custom code and bear in mind it "breaks" the VPE control of the prompt block. You can use any of the API options to grab the dynamic fields you want to use; then you just need to build the choices variable in response_types and the prompt will show them. The issue you will have, though, is how to handle the response if they are truly dynamic, i.e. how would you know what they could choose in order to then handle the response. It can be done but needs to also be considered.

# responses
response_types = [
    {
        "prompt": "",
        "options": {
            "type": "list",
            "choices": ["a", "b"],
        },
    }
]
Change the time period of your search to include both time periods, e.g. (earliest=<start of first period> latest=<end of first period>) OR (earliest=<start of second period> latest=<end of second period>). Then evaluate which period the event falls into: eval period=if(_time < <end of first period>, "first", "second"). Then add period to your by clause.