All Posts

Please provide some anonymised sample events for both searches and what your expected output would look like.
Hi @Dayalss, sorry but it isn't clear. Could you share some samples of the normal condition (field1, field2 and field3 different), and of the condition with field1, field2 and field3 the same? Ciao. Giuseppe
Please give an example of your expected output for when the fields are the same and for when they are not the same.
The output is numerical with the inner search query. To validate this output, the next step is to check the p90 latencies in Splunk Observability Cloud for these traces and compare the values. Thank you.
Splunk docs show all deployment components needing a minimum of x64, 12 cores, 12 GB, 2 GHz. My question is for a dedicated license server for a VERY small distributed system for training and development. I want a search head, an indexer, and then a separate LM and DS. The data volume is small, less than 2 GB/day. Do I really need the full-blown minimums for an LM that will have a single Dev License? I wanted to put this onto an RPi, but... yeah... doesn't look like an option. I have a couple of low-end NUCs that will be x64, but won't meet the minimums for cores or RAM. Would welcome any assistance or even mentoring on this project.
Hi Giuseppe, I did exactly what you said, but no luck! In another try, I even created a search and saved it as an alert, named it "rule-4444", then added a notable to it as an action. It appeared as "rule-4444" in the "Top Notable Events" panel on the Security Posture page, but when I click on it, it is redirected to the Incident Review page and again all incidents are listed. The same thing as ravida describes is happening: when you first click on it, you can see the notable name in the URL after the Incident Review page, "/incident_review?form.rule_name=rule-4444", followed by earliest/latest timestamps, but after a while, when the page load completes, it disappears and is replaced with a new URL which only has the earliest/latest values.
Hi, how can I combine a field value if the other 3 field values are the same? Example: if field1, field2 and field3 are the same but field4 is different, it creates a new row in my Splunk table. I want to merge or combine the field4 values into one field value separated by commas when field1, field2 and field3 are the same.
Look at cloning the default 'admin' role to a new role named anything such as 'team2admin'. Then you can remove the permissions for things like:
- add/modify roles
- add/modify search index or inherited search index
- many others you would want to review and confirm.
What you want to do is not impossible, but from a security point of view it is near impossible to audit and ensure Team 2 is always restricted from accessing the indexes in question. Additionally, moving forward, any permissive capabilities from 'admin' wouldn't carry forward to the cloned role, so for every upgrade I would recommend an audit by proper admins.
Hi Team, I am facing the below error while testing in my local Splunk Web v9 while connecting with a Chronicle instance: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106). I have created a Python app to upload it to Splunk. I have created a request_fn where the below line of code is executed: requests.get(host + url, verify=False, **kwargs). I made sure that SSL verification is disabled in the Python code (verify=False above) and I have also disabled it in the Splunk settings: Server Settings > General > "Enable SSL (HTTPS) in Splunk Web?" set to NO. I have also checked web.conf, where SSL is set to 0 (no): [settings] enableSplunkWebSSL = 0. But still, when my local Splunk Web tries to make the HTTP request, it gives the SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106). Does anybody have any clue or has anyone faced the same issue?
Had this issue with a different add-on. When packaging an app/add-on using tar, use the following:
COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>
You'll find this in the documentation here.
Hi @KhalidAlharthi, this issue appears when a peer is disconnected for a time from the Cluster Master (in my project it happened during a Disaster Recovery test). Sometimes one server has this issue, but usually, if you give it more time, it rebalances the data and the issue disappears; otherwise, you can force the situation with a rolling restart. Ciao. Giuseppe
I'm seeing this same behavior since the upgrade of the Splunk HF to version 9.2.2. There is a server that has been retired; usually I would delete the record, and if that system came back online for any reason it would show back up. Is there another way to remove it, or will it drop off over time? Kevin
Hi All, hope you all are doing well. I am very new to Splunk Enterprise Security, and I need your help to understand how I can create a reverse integration with ServiceNow. We are using the ServiceNow Security Operations integration to manually create incidents in ServiceNow for notables. We have a new ask from the SOC to update the notables when the incidents are created and closed in ServiceNow. We are using Splunk Enterprise and want to know what endpoints we need to provide so that we can achieve reverse communication. I have created a user in Splunk who has access to edit notables, but I am not sure what endpoint I need to provide: is it just the URL of my instance, or do I need to add any services as well? Please let me know if you have any other questions. Thanks in advance.
I got many errors, some of them indicating connection issues between one peer and the cluster master. When I checked, everything was OK. Did I miss anything?
The URL is https://prd-p-xauy6.splunkcloud.com. Previously my browser (Firefox) said it was an issue with an untrusted SSL cert. No network issues that I know about, port 443. This was a cloud trial.
Hello Splunk Community, I'm encountering a problem with the component from '@splunk/visualizations/Line' in my Splunk dashboard framework. I am trying to set up an event to be triggered when a user clicks on a point in the line chart. Despite using the 'point.click' event, it doesn't seem to work as expected. Has anyone faced a similar issue or can anyone suggest what might be going wrong here? Any guidance or examples would be greatly appreciated. Thanks in advance for your help!

Here is the relevant part of my code:

    import React, { useEffect, useState } from 'react';
    import Line from '@splunk/visualizations/Line';

    const MemoryUtilizationLine = () => {
      // Handler I expect to fire when a point on the line is clicked
      const handleEvent = (e) => {
        console.log(e);
      };

      return (
        <div className="m-2 pie-border-style">
          <Line
            pointClick={handleEvent}
            options={{}}
            dataSources={{
              primary: {
                requestParams: { offset: 0, count: 20 },
                data: {
                  fields: [
                    { name: '_time' },
                    { name: 'count', type_special: 'count' },
                    { name: 'percent', type_special: 'percent' },
                  ],
                  // Note: the _time column has 5 values while count and percent have 6
                  columns: [
                    [
                      '2018-05-02T18:10:46.000-07:00',
                      '2018-05-02T18:11:47.000-07:00',
                      '2018-05-02T18:12:48.000-07:00',
                      '2018-05-02T18:13:49.000-07:00',
                      '2018-05-02T18:15:50.000-07:00',
                    ],
                    ['600', '525', '295', '213', '122', '19'],
                    ['87.966380', '50.381304', '60.023780', '121.183272', '70.250513', '90.194752'],
                  ],
                },
                meta: { totalCount: 20 },
              },
            }}
          />
        </div>
      );
    };

    export default MemoryUtilizationLine;
Hi, my team (Team 1) has a cluster of indexers and a search head cluster. We want to add a dedicated search head for Team 2 where they can be admins. A few conditions and restrictions:
- Team 1 should remain admins of the cluster but not of the dedicated search head.
- Team 2 should not be able to search certain indexes nor change that setting by any means.
In short, there are a few indexes which we do not want Team 2 to see, nor tamper with the settings to get access to, but we would like them to be admins of their own search head. Any suggestions?
Hi @shub_loginsoft , you have to open a case to Splunk Cloud Support. Ciao. Giuseppe
Hi @KhalidAlharthi, I don't know why, but sometimes it happens. Perform a rolling restart and it will disappear. Ciao. Giuseppe