All Posts
Hi @Samantha, as @PickleRick and @ITWhisperer also said, this seems to be a job for a scheduled report. If you want a dashboard, you could schedule a search (e.g. as an alert) running your search and saving aggregated results in a summary index, then you could run the searches of your dashboard on this summary index. Ciao. Giuseppe
Hi @sumarri, Splunk isn't a database where you can manually write notes. The only way is to add to your dashboard a link to a lookup to open using Splunk App for Lookup Editor, or use a workaround that I described in one past answer: https://community.splunk.com/t5/Dashboards-Visualizations/Dynamically-Update-a-lookup-file-on-click-of-a-field-and-showing/m-p/674605 Ciao. Giuseppe
Hi @mahesh27, two questions:
1) do you see logs in a wrong format, or don't you see logs? In the first case, props.conf is relevant; in the second case, there's a different issue.
2) if you see your logs in a wrong format, I suppose that your logs are in one row (because you used SHOULD_LINEMERGE=false), so why are you using the LINE_BREAKER in that way? See how to index csv files using pipe as delimiter.
My hint is to save some logs in a text file and try to ingest them using the manual Add logs feature, which guides you in props.conf definition and test. Ciao. Giuseppe
Hi, I am getting the error below when trying to save the data inputs [all 5] which come as part of the Nutanix add-on. Has anyone seen this before and can suggest something?

Error - Encountered the following error while trying to save: Argument validation for scheme=nutanix_alerts: script running failed (PID 24107 killed by signal 9: Killed).
metadata and with pipe at the front of .... completely new command/structure for me, but it works, and works much faster. But one more unexpected case has appeared due to this change. I cannot filter out rotated files which are in the directory and are not necessary. It looks something like:

file1.log
file1.2024-09-01.log
file1.2024-08-02.log

etc. etc., and of course I only need the main, the most present file (without any dates), so I tried

| metadata type=sources where index=gwcc AND source !='*log.2024-*'
| eval source2=lower(mvindex(split(source,".2024"),-1))
| eval file=lower(mvindex(split(source,"/"),-1))
| table source, source2, file

but my "filter" does not work.
Hi Team "Could you please let us know when the latest version of the Splunk OVA for VMware will be released?"
Hi all, I'm having issues comparing the user field in Palo Alto traffic logs vs the last user reported by CrowdStrike/Windows events. Palo Alto traffic logs are showing a different user initiating the traffic during the time window compared to the CrowdStrike last user login reported for the same endpoint. Has anyone you know faced a similar issue? Thanks
Using the props below, but we don't see logs reporting to Splunk. We are assuming that | (pipe symbol) works as a delimiter and we cannot use it in props. Just want to know if this props is correct:

[tools:logs]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\d{2}:\d{2}:\d{2}.\d{3}\s\|
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d | %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=28

Sample logs:

2022-02-22 | 04:00:34:909 | main stream logs | Staticapp-1 - Restart completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs | Staticapp-1 - application logs (total=0, active=0, waiting=0) completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs | harikpool logs-1 - mainframe script (total=0, active=0, waiting=0) completed
Splunk support confirmed this is a bug in 9.1.0.2. Based on the SPL, it has been resolved in Beryllium 9.1.4 and Cobalt 9.2.1. As a workaround until we upgrade, I have appended a bogus OR condition with a wildcard, e.g.: OR noSuchField=noSuchValue* to the other OR conditions in our WHERE clauses, and this causes Splunk to return the correct result.
Hi @harsmarvania57, thanks, it's working with BMC Helix integration.
Unless you call that transform from props.conf, it's completely ineffective. But that's just a side note. There are two separate issues here. One is to make sure only selected events get forwarded to the syslog server. The way to go is probably to define two syslog groups - one with a real syslog server and one - a default one - with a dummy syslog server. The default syslog output is just a sink to catch all events not redirected using transforms to a working syslog output. Another thing is to make sure specific data is not getting forwarded using the splunk-tcp connection to downstream indexers. You can either use index filtering for this (but this works globally on tcp outputs) or you can do the same thing as with syslog but in reverse - do a dummy output and redirect there all events you don't want sent to indexers.
I got the indexes from existing use cases and searched, but I think I am supposed to add those indexes. Thank you for the insight.
I would like to clean up the messaging I'm sending to Slack for Splunk alerts. I've tried markdown [text](http://url) which doesn't work and renders the text exactly as displayed here. I've also tried <text|http://url> which renders verbatim also. Is there any way to have Slack hide URLs behind text like a normal hyperlink? My alerts look really awful with huge links back to Splunk searches and dashboards. TYIA
License server is I think the least stressed component of the Splunk architecture (maybe along with a SHC deployer) so it usually can be scaled down and/or deployed as a joint role with something else (for example a SHC deployer doubling down as license server). That's from a strictly "technical" point of view. If that's a small scale lab, you can probably get away with something much much smaller for a LM. But of course if it was a prod environment the usual answer from support for any issues would probably be "your servers are below specs".
Access control happens on the search head. So if you are an admin on a search head, you can effectively do anything on that search head, including granting yourself rights to search any index you want. You still don't get write permissions to the search peers - this is something else and is done on the indexers themselves, especially since you don't do indexer changes from a SH. So you can have two independent search environments with separate sets of users (or even different authentication mechanisms), but I don't recall any mechanism allowing limiting searched indexes per whole search-head environment. So the thing that you could do is to create a "restricted admin" role inheriting from several atomic roles - each allowing access to one of the indexes, having the ability to grant roles from this particular set of roles - and remove index access rights from all other roles grantable by this user. But it might not be enough if you really need a "full admin" user with abilities to do all admin stuff on the SH.
Did you ever find a resolution to this? 
Wait a second. Where are you getting "index not found"? What exactly are you doing so that you get this message? Normal search over a non-existing index simply yields no results as far as I remember.
It depends on a use case. What and how you're searching. Are you trying to search raw data or summarized datamodel? Are you using that lookup to generate search terms using a subsearch or are you using the lookup command? What amount of data are we talking about?  
So, I want to create a dashboard for a particular team in my company and they want to add notes to the dashboard for everyone on their team to view. Is that possible, and if yes, can you refer me to something? Thank you!
Hi @pgoldweic - I did not receive a response back. I was told to email the dev team's support directly: webplatform@splunk.com or hit up their Slack channel: #webplatform