All Posts

@VijaySrrie- It seems you have a proxy issue or a proxy SSL issue. The Configuration section of the app's GitHub page describes the solution to this proxy or SSL problem. https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database

I hope this helps!!! Kindly upvote if this helps!!!
@tomapatan- I'm not 100% sure what you are trying to do, but what I can say is that you probably might not need a JS file. A Simple XML dashboard can do it without the need for JS code. This is just another example to explain the usage to you. This example shows a token on the Dropdown filter, but a token on a Table or Chart drilldown (on-click) would work in a similar way. I'll put the reference doc below -
https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#drilldown

    <form>
      <label>dropdown</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="tkn_number">
          <label>field1</label>
          <default>3</default>
          <fieldForLabel>count</fieldForLabel>
          <fieldForValue>count</fieldForValue>
          <search>
            <query>| makeresults count=10 | streamstats count</query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </search>
          <change>
            <condition match="'value'==&quot;3&quot;">
              <set token="tkn_show">true</set>
            </condition>
            <condition>
              <unset token="tkn_show"></unset>
            </condition>
          </change>
        </input>
      </fieldset>
      <row depends="$tkn_show$">
        <panel>
          <table>
            <search>
              <query>index="_internal" |stats count by sourcetype</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
      </row>
    </form>

I hope this helps!!! Kindly upvote if it does!!
@dionrivera- I've no personal experience with this App, but I see it just uses the HEC data input. And this should be allowed with the new Cloud Victoria Experience stack. So, please reach out to Cloud support for App installation support and check with your support representative to see if he/she can fetch you more details about support on Cloud.

I hope this helps!!!
This is a bit theoretical, please can you give a concrete example of what your dashboard would look like?
@wmw- Please try removing the extra slash (path separator) at the front.

    <form version="1.1" script="common_ui_util:js/close_div.js">

I hope this helps!!! If it does, kindly upvote and accept the answer!!
I have my first query, which creates a list of application names that are then displayed in multiple single value fields. These value fields are in the first column of a larger table.

    | where count=1
    | fields app

In the rest of the columns I need to put a single value field with the compliance rate of that application across multiple metrics.

What I'm looking to do is set a variable per row on data load that would allow me to ensure I pull the right compliance number for the application name.

My original idea was to hard code the compliance visualization to search for a specific application name. However, if the list of applications is to change, the metric will not match the name. So how does one set a variable on search load to be used by other visualizations?
@icecreamkid98- Yes, there might be a newer approach that you should choose.

If you just want to build a custom visualization inside an XML dashboard:
https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial
https://dev.splunk.com/enterprise/docs/developapps/visualizedata/displaydataview/splunkplatformcustom/

But if you want a full dashboard with everything being controlled by JS, then build it in the new React framework:
https://splunkui.splunk.com/Packages/react-ui/Overview

I hope this helps!!
In Splunk, the error message "The search you requested could not be found" typically indicates an issue related to accessing or locating a saved search or search job. Here are some common reasons for this error and possible solutions:

1. Expired Search Jobs
Saved search jobs in Splunk have a Time to Live (TTL) value, after which they expire and are deleted. If the job you are trying to access has already expired, Splunk will display this error.
Solution: Try rerunning the search or adjusting the TTL of the search job for future cases.
When you open the saved search, you'll find a section called 'Job Settings.' Inside that, there's an option labeled 'lifetime,' which allows you to set the duration to either 10 minutes or 7 days. This might be useful for what you're trying to achieve.
Refer to this link for more info: https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/Extendjoblifetimes

2. Job ID Not Found
If you're trying to view a specific search job using its ID (e.g., via the URL or search job history), the job might not exist anymore, or the ID could be incorrect.
Solution: Double-check the job ID or re-run the search to generate a new job ID.

3. Permissions or Access Issues
The saved search might have been moved, renamed, or deleted, or you may not have the necessary permissions to view it.
Solution: Verify that you have the correct permissions to access the saved search and ensure that it still exists.

4. Corrupted Search Job
In rare cases, search jobs might become corrupted or incomplete, causing Splunk to fail when trying to load the search results.
Solution: If possible, rerun the search to create a fresh job.

5. App Context Change
If a saved search was created in a different app context (e.g., in one Splunk app and you're trying to access it from another), Splunk might not be able to find the search.
Solution: Switch to the app where the search was created, or ensure the search is shared across apps.

6. Search Scheduling Conflicts
If the saved search is scheduled and there was an issue during one of its scheduled runs, Splunk might show this error if it can't retrieve the job.
Solution: Review the schedule settings or try manually running the search to confirm it works.

------
If you find this solution helpful, please consider accepting it and awarding karma points !!
The search you requested could not be found. The search has probably expired or been deleted. Clicking "Rerun search" will run a new search based on the expired search's search string in the expired search's original time period. Alternatively, you can return back to Splunk.
Thank you all very much for the help, so the issue was related to the solution @ITWhisperer gave. In my search I was referencing the table for the lookup, that should have been the definition that I created.   Thanks again for all the help. 
I was also facing the same issue. You need to install Java and then restart Splunk, and you would be able to see it.
Hi, I changed my company and I'd like to change the Community eMail, but every time I do it, after some hours I have again the previous eMail. I opened a case to Splunk Support but without success. How can I solve my issue? Thank you for your support. Ciao. Giuseppe
This is the old way of using custom JS and CSS for React visualisation. Instead, can you follow the new framework to develop the React app?
@yuanliu 01100011 was _not_ hex. It was binary for 0x63. That's why I'm completely confused by

@PickleRick Lol you wouldn't believe how much time I spent trying to decipher the OP's intent from the various posted replies to everybody's attempt to help. After hours of scrolling up and down, back and forth, I distilled the instructions into the following algorithm given an even numbered HEX string, e.g., aabbcc

1. Break the string into 2-HEX chunks. (OP used the term 2-bytes - I realize that is actually 4-bytes)
2. Convert each chunk into binary.
3. Reverse the order of the binary chunks.
4. Count the positions of nonzero bits of the full reversed binary string from the right.

(As I said, I can't think of a practical purpose of this exercise. By the way, to anyone who is going to ask a question here, even though I strongly encourage describing problem without SPL first, please make the description as algorithmic as possible.)

As a weird game, this applies to any even-length HEX string. Here's a sequence of up to 16 HEX characters.

| hex | padded_binary | nonzero_bits |
|---|---|---|
| 01 | 00000001 | 0 |
| 0002 | 00000010 00000000 | 9 |
| 000003 | 00000011 00000000 00000000 | 16 17 |
| 00000004 | 00000100 00000000 00000000 00000000 | 26 |
| 0000000005 | 00000101 00000000 00000000 00000000 00000000 | 32 34 |
| 000000000006 | 00000110 00000000 00000000 00000000 00000000 00000000 | 41 42 |
| 00000000000007 | 00000111 00000000 00000000 00000000 00000000 00000000 00000000 | 48 49 50 |
| 0000000000000008 | 00001000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 | 59 |
| 90000000000000 | 00000000 00000000 00000000 00000000 00000000 00000000 10010000 | 4 7 |
| a00000000000 | 00000000 00000000 00000000 00000000 00000000 10100000 | 5 7 |
| b000000000 | 00000000 00000000 00000000 00000000 10110000 | 4 5 7 |
| c0000000 | 00000000 00000000 00000000 11000000 | 6 7 |
| d00000 | 00000000 00000000 11010000 | 4 6 7 |
| e000 | 00000000 11100000 | 5 6 7 |
| f0 | 11110000 | 4 5 6 7 |

Another thing I realize is that I must handle 2-HEX (single-chunk) specially.

Here is the emulation code

    | makeresults format=csv data="hex
    01
    0002
    000003
    00000004
    0000000005
    000000000006
    00000000000007
    0000000000000008
    90000000000000
    a00000000000
    b000000000
    c0000000
    d00000
    e000
    f0"
    ``` data emulation above ```
    | eval idx = mvrange(0, len(hex) / 2)
    | eval reverse2hex = mvreverse(mvmap(idx, substr(hex, idx*2 + 1, 2)))
    | eval ASbinary=if(idx < 1, tostring(tonumber(reverse2hex,16),"binary"), mvmap(reverse2hex, tostring(tonumber(reverse2hex,16),"binary")))
    | eval padded_binary = if(idx < 1, printf("%08d", ASbinary), mvmap(ASbinary, printf("%08d", ASbinary)))
    | eval reverse_bits = mvreverse(mvmap(padded_binary, split(padded_binary, ""))), position = -1
    | foreach reverse_bits mode=multivalue
        [eval position = position + 1, nonzero_bits = if(<<ITEM>> == 0, nonzero_bits, mvappend(nonzero_bits, position))]
    | fields hex padded_binary nonzero_bits

(Technically this works for odd number of HEX characters, too, if OP can define where to split.)
Convert the pcap file to a text file before ingesting into splunk
Try something like this

    index=julie sourcetype!="julie:uat:user_activity" host!="julie-uat.home.location.net:8152" application_id=julie1
    | eval DAVESessionID=if(policy_id="FETCH-DAVESESSION-ID" AND action="create_ticket",session_id,null())
    | eventstats values(DAVESessionID) as DAVESessionID by device_session_id
    | where policy_id="framework" AND action="session_end" AND error_code=9999
## Solution found:
- Issue was the Windows Defender Firewall for outbound traffic in the Windows 10 (UF machine). Added a new outbound rule for any traffic outgoing via splunkd.exe. And now I can see the device in Forwarder management.
Tried fresh installation with config for DS as well, didn't work.
Check here under "Join datasets on fields that have different names". You may want to test by assigning aliases to see what populates from which side of the join. Furthermore, perform an additional table statement after your join to pull in all of the data and troubleshoot from there.

---
If this reply helps you, Karma would be appreciated.
No. Your AIO (all-in-one) box which works as SH and indexer can also be a DS. (And it tries to be since you have the forwarder management section enabled in your gui).