All Posts

Hi @Mark_Heimer, obviously when cloning a CS you have the same settings as the original one, so also the same Notable name. My hint is to enter the cloned Create Notable Adaptive Response Action and modify the Notable Name; in this way, you'll have the modified name in the Incident View. About the app to contain the custom CSs, this is a hint from PS. Ciao. Giuseppe
Go back to using ids but adopt a naming convention, e.g. all those you want to affect begin with the same word:

<dashboard version="1.1" theme="light">
  <label>Tables</label>
  <row>
    <panel>
      <table id="test_1">
        <search>
          <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table id="test_2">
        <search>
          <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table id="nottest_A">
        <search>
          <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$alwaysHide$">
      <html>
        <style>
          div[id^="test_"] th{
            color:red !important;
            border: 1px solid white !important;
          }
        </style>
      </html>
    </panel>
  </row>
</dashboard>
If anyone knows about the following, I would appreciate your guidance.

What I want to do
After selecting a specific date, I want to filter the graphs inside the multiple reports (cards) displayed on the Splunk screen so that only the data for the selected date is shown.

Where I'm stuck / what I want to know
I don't know how to let the user select a specific date on the Splunk screen. I understand there is a feature for placing input/selection boxes that let the user choose a date or a date-time range, but I would like to know how to implement something simpler: select one date from a calendar and filter the graphs by it. Would this require coding such as jQuery? Sorry for the trouble, and thank you for your help.
As the title suggests, I want to change the CSS style of a table within a Splunk dashboard using classes instead of an id. The reason is I have multiple tables with different values BUT applying a similar style. If I want to make changes or create a new table with a similar style, I have to keep iterating the id (e.g. tableid_10), which is impractical. I have inspected the element and cannot change the Splunk default class "panel-element-row" as this will affect other tables on my dashboard. E.g. for the panel below the CSS works fine if I use the id as a selector.

<panel>
  <table id="test">
    <search>
      <query>index="test" | eval hide="Hide" | rename hide as " "</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

With the following CSS:

#test th{
  color:#808080 !important;
  border: 1px solid white !important;
}

However, if I switch it to using a class selector,

<panel>
  <table class="test">
    <search>
      <query>index="test" | eval hide="Hide" | rename hide as " "</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>

With the following CSS:

.test th{
  color:#808080 !important;
  border: 1px solid white !important;
}

It no longer works.
Hi dear Giuseppe, when I clone a rule, the Adaptive Response Actions options (i.e. Notable) and, most of the time, Risk Analysis are present by default, as are the other fields and options, the same as in the original rule. That's why I clone a rule. Second, I used to do so for a long time but never came across this problem, and as you mentioned earlier my custom rules were working just fine. About the app, I used my custom app, and "SA-AccessProtection" was my last try. And for the newly created custom app I do create notables. Thanks
Hello members, I'm facing an issue with index clustering and indexer peers. One of the peers has the BatchAdding status; after a while it goes Up, then returns to BatchAdding. The other peer goes Up, after a while goes Pending, then goes Up again. I can't figure out why this occurs. Can anyone help? This picture shows the problem.
Hello. I was wondering whether a multi-factor authentication scenario for browser tests can be set up on the Splunk Observability platform. For example, when using a time-based one-time password (TOTP), you generate a secret key or QR code and configure it in the test environment. The secret key or QR code is set as a global variable, which allows the authentication code to be generated automatically during the test. With the Datadog product, you can create a global variable and enter the secret key, or upload the QR code from the authentication provider. With the Splunk product, can a global variable be created for entering the secret key or uploading the QR code from the authentication provider?
Hi @Mark_Heimer, you should have, at the bottom of the form, the choice of the Adaptive Response Action, and among them you should have Create Notable. In this part of the form, you can modify the name of the Notable. About the app, Splunk PS hints to save your own Correlation Searches in a dedicated custom app, not in "SA-AccessProtection". Ciao. Giuseppe
Hi Community, how can I access a TI provider's API from Splunk Cloud if the provider has whitelisted IPs but Splunk Cloud's IP is not static?
Hello, I am following this to import multiple services along with their dependencies, and below is the sample Excel CSV I am trying to import, UTF-8 encoded:

Service Title   Service Description   Dependent Services
Splunk                                SHC | IND
SHC                                   Server1
IND                                   server2
server1
server2

But when the upload is finished, the file preview shows 0 total lines, as in the screenshot below. When I tried to do the same file import in another Splunk environment, it went well. Given that I am admin in both environments, and both environments have the versions below:

Splunk Version: 9.0.4.1
ITSI Version: 4.18.1

What could be the issue/missing in the first environment?
tbh, I tried for more than 2 days to fix this situation and I ended up with SEDCMD. I looked at the event field extractions and it appears good enough. I know what you are referring to: if there are quotes already present it will mess with the key=value fields. Anyway, thanks for everything. Now I'm facing such a headache problem, a BatchAdding issue with the indexers, and I think it's because of the bandwidth of the endpoints. @PickleRick
Thanks dural_yyz. That's saying current.backupRestoreStatus = ready, current.status=failed, so it looks like it's in use but not happy, and that's probably why the command isn't working. I've found a hit about an old mongod.lock being present, so I'm going to arrange an outage to restart after removing the lock file. Will report back how this goes.... thanks
Are you trying to use live capture for preview? https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest#Create_a_ruleset_with_the_Ingest_Actions_page
Hi dear Giuseppe, thanks for the fast reply. Here is what I did. I click on the Configure menu, then go to Content/Content Management. From the filters I select and check Correlation Search from the drop-down list. Then from "Actions" in the top right corner I hit "Clone". In the new window there is "New Search Label", to which I add "- custom" at the end. Then I select the App and set it to "SA-AccessProtection". Next, in "Edit Correlation Search" I make any change to the "Search" and click Save. Done! This is all I do. The point is, even if I enable both of them, the two will appear in the "Top Notable Events" pane and both are working simultaneously. Clicking on the original rule redirects you to the "Incident Review" page with the correct rule selected as source, but when clicking on the cloned or newly created rule you'll be redirected to the "Incident Review" page with all incidents listed and the source field has no selected value. The strange part is that rules that I had created or cloned in the past (about ) are working fine.
Splunk-built Add-ons usually have pretty decent docs. Did you read this one? https://splunk.github.io/splunk-add-on-for-google-cloud-platform/
"Connection timed out" is _not_ an SSL error. It usually signals network-level problems or attempts to connect to a wrong destination. Please share more details - are we talking about a trial instance or a full paid one? Where are you trying to connect to (which port(s))? Are you connecting from home, from work, or somewhere else? Do you have any network restrictions in that environment?
You cannot do this. At least not using Splunk's built-in functionality. Splunk handles each event separately and doesn't keep "state", so you cannot conditionally influence the ingestion process based on other events' values/properties. You'd need to use some custom script pre-processing the events before ingesting them into Splunk.
Yes. I'm not talking about spaces, I'm talking about quotes. For example, if part of your event was

cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS

(I don't care if that makes sense as such, it's just about syntax), your regex will turn it into

cs4="SVCHOST SUSPICIOUS "PARENT" PROCESS"

and Splunk will extract only the part up to the second or third quote. That's why I don't like CEF - it's troublesome to manipulate. Because if you try to manually extract fields using a regex anchoring on the equals sign, you end up trying to make sure it doesn't break if your equals sign is in the value of the field. (I'm not even sure CEF properly handles such a situation; I don't remember.)
If the value of the key=value has a space, it will quote it so Splunk can parse it without any issue; if there is no space, Splunk already knows key=value so it will parse the information without any issue. @PickleRick thanks for your help. Now I'm facing a big problem regarding BatchAdding.
OK. That's one way to do it. Be aware though that it probably will break if you get quotes in your field values.