All Posts


Hi @KhalidAlharthi, this issue appears when a peer is disconnected for a time from the Cluster Master (in my project it happened during a Disaster Recovery test). Sometimes one server has this issue but usually, if you give it more time, it rebalances the data and the issue disappears; otherwise, you can force the situation with a rolling restart. Ciao. Giuseppe
I'm seeing this same behavior since upgrade of Splunk HF to version 9.2.2. There is a server that has been retired, usually I would delete the record, and if that system comes back online for any reason it would show back up. Is there another way to remove, or will it drop off over time? Kevin
Hi All, Hope you all are doing well. I am very new to Splunk Enterprise Security, and I need your help to understand how I can create a reverse integration with ServiceNow. We are using ServiceNow Security Operation Integration to manually create incidents in ServiceNow for notables. We have a new ask from the SOC to update the notables when the incidents are being created and closed in ServiceNow. We are using Splunk Enterprise and wanted to know what endpoints we need to provide so that we can achieve reverse communication. I have created a user in Splunk who has access to edit notables, but I am not sure what endpoint I need to provide: is it just the URL of my instance, or do I need to add any services as well? Please let me know if you have any other questions. Thanks in advance.
I got many errors, some of them indicating connection issues between one peer and the cluster master. When I checked, everything was OK. Am I missing anything?
The URL is https://prd-p-xauy6.splunkcloud.com. Previously my browser (Firefox) said it was an issue with an untrusted SSL cert. No network issues that I know about, port 443. This was a cloud trial.
Hello Splunk Community, I'm encountering a problem with the component from '@splunk/visualizations/Line' in my Splunk dashboard framework. I am trying to set up an event to be triggered when a user clicks on a point in the line chart. Despite using the 'point.click' event, it doesn't seem to work as expected. Has anyone faced a similar issue or can anyone suggest what might be going wrong here? Any guidance or examples would be greatly appreciated. Thanks in advance for your help!

Here is the relevant part of my code:

    import React, { useEffect, useState } from 'react';
    import Line from '@splunk/visualizations/Line';

    const MemoryUtilizationLine = () => {
        // Log the event payload passed to the click handler
        const handleEvent = (e) => {
            console.log(e);
        };

        return (
            <div className="m-2 pie-border-style">
                <Line
                    pointClick={handleEvent}
                    options={{}}
                    dataSources={{
                        primary: {
                            requestParams: { offset: 0, count: 20 },
                            data: {
                                fields: [
                                    { name: '_time' },
                                    { name: 'count', type_special: 'count' },
                                    { name: 'percent', type_special: 'percent' },
                                ],
                                columns: [
                                    [
                                        '2018-05-02T18:10:46.000-07:00',
                                        '2018-05-02T18:11:47.000-07:00',
                                        '2018-05-02T18:12:48.000-07:00',
                                        '2018-05-02T18:13:49.000-07:00',
                                        '2018-05-02T18:15:50.000-07:00',
                                    ],
                                    ['600', '525', '295', '213', '122', '19'],
                                    ['87.966380', '50.381304', '60.023780', '121.183272', '70.250513', '90.194752'],
                                ],
                            },
                            meta: { totalCount: 20 },
                        },
                    }}
                />
            </div>
        );
    };

    export default MemoryUtilizationLine;
Hi, My team (Team 1) has a cluster of indexers and a search head cluster. We want to add a dedicated search head for Team 2 where they can be admin. A few conditions and restrictions:
- Team 1 should remain admins of the cluster but not of the dedicated search head.
- Team 2 should not be able to search certain indexes nor change that setting by any means.
In short, there are a few indexes which we do not want Team 2 to see, nor to tamper with the settings to get access to, but we would like them to be admins of their own search head. Any suggestions?
Hi @shub_loginsoft , you have to open a case to Splunk Cloud Support. Ciao. Giuseppe
Hi @KhalidAlharthi, I don't know why but sometimes it happens. Perform a rolling restart and it will disappear. Ciao. Giuseppe
Hi @Mark_Heimer, obviously, cloning a CS you have the same settings as the original one, so also the same Notable name. My hint is to enter the cloned Create Notable Adaptive Response Action and modify the Notable Name; in this way, you'll have the modified name in the Incident View. About the app to contain the custom CSs, this is a hint from PS. Ciao. Giuseppe
Go back to using ids but adopt a naming convention e.g. all those you want to affect begin with the same word

    <dashboard version="1.1" theme="light">
      <label>Tables</label>
      <row>
        <panel>
          <table id="test_1">
            <search>
              <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
        <panel>
          <table id="test_2">
            <search>
              <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
        <panel>
          <table id="nottest_A">
            <search>
              <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
        <panel depends="$alwaysHide$">
          <html>
            <style>
              div[id^="test_"] th{
                color:red !important;
                border: 1px solid white !important;
              }
            </style>
          </html>
        </panel>
      </row>
    </dashboard>
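If anyone knows about the following, I would appreciate your guidance; sorry for the trouble.

What I want to do
----------
After selecting a specific date, I want to filter the graphs in the multiple reports (cards) displayed on the Splunk screen so that they show only the data for the selected date.

Where I am stuck / what I want to know
----------
I don't know how to let the user select a specific date on the Splunk screen. I found that there is a feature for placing input/selection boxes that let the user choose a date or date-time range, but I would like to know how to implement simply picking a single date from a calendar and filtering the graphs by it. Does this require coding, such as jQuery?

Sorry for the trouble, and thank you in advance for your guidance.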
As the title suggests, I want to change the CSS style of a table within Splunk dashboard using classes instead of id. The reason is I have multiple tables with different values BUT applying a similar style. If I want to make changes or create a new table with similar style, I have to keep iterating the id (e.g. tableid_10) which is impractical. I have inspected element and cannot change the Splunk default class "panel-element-row" as this will affect other tables on my dashboard.

e.g. for panel below the css works fine if I use the id as a selector.

    <panel>
      <table id="test">
        <search>
          <query>index="test" | eval hide="Hide" | rename hide as " "</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

With the following css

    #test th{
      color:#808080 !important;
      border: 1px solid white !important;
    }

However, if I switch it to using class selector,

    <panel>
      <table class="test">
        <search>
          <query>index="test" | eval hide="Hide" | rename hide as " "</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

With the following css

    .test th{
      color:#808080 !important;
      border: 1px solid white !important;
    }

It no longer works.
Hi dear Giuseppe, when I clone a rule, Adaptive Response Actions options (i.e. Notable) and, most of the time, Risk Analysis are present by default, as are other fields and options, the same as the original rule. That's why I clone a rule. Second, I used to do so for a long time but had never come up with this problem. And as you mentioned earlier, my custom rules were working just fine. About the app, I used my custom app and "SA-AccessProtection" was my last try. And for the newly created custom app I do create a notable. Thanks
Hello members, I'm facing an issue with index clustering and indexer peers. One of the peers has addingbatch status and after a while it goes up, then returns to batchadding. The other peer is going up, and after a while pending, then going up again. I can't figure out why this occurs. Can anyone help? This picture shows the problem.
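Hello, I was wondering whether it is possible to set up a multi-factor authentication scenario for browser tests in Splunk's observability platform. For example, when using a time-based one-time password (TOTP), you generate a secret key or QR code and configure it in the test environment. You set the secret key or QR code as a global variable. This allows authentication codes to be generated automatically during the test. With the Datadog product, you can create a global variable and enter the secret key or upload a QR code from the authentication provider. With the Splunk product, is it possible to create a global variable for entering a secret key or uploading a QR code from the authentication provider?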
Hi @Mark_Heimer, you should have, at the bottom of the form, the choice of the Adaptive Response Action, and among them you should have Create Notable. In this part of the form, you can modify the name of the Notable. About the app, Splunk PS hints to save your own Correlation Searches in a dedicated custom app, not in "SA-AccessProtection". Ciao. Giuseppe
Hi Community, How can I access a TI provider's API from Splunk Cloud if the provider has whitelisted IPs but Splunk Cloud's IP is not static?  
Hello, I am following this to import multiple services along with their dependencies, and below is the sample Excel CSV I am trying to import, UTF-8 encoded:

    Service Title    Service Description    Dependent Services
    Splunk                                  SHC | IND
    SHC                                     Server1
    IND                                     server2
    server1
    server2

But when the upload is finished, the file preview shows 0 total lines as in the below screenshot:

When I tried to do the same file import in another Splunk environment, it went well. Given that I am admin in both environments and both environments have versions as below:

Splunk Version: 9.0.4.1
ITSI Version: 4.18.1

What could be the issue/missing in the first environment?