In your interactions, you can use predefined tokens to set your own token, which can then be used in another panel - name will give you the name of the field (column) which was clicked
Hi @aab1 , as I said, there's only one solution: create a custom admin without that feature and without the feature of altering roles, no other solution. Ciao. Giuseppe
This can be done with CSS which you can define in your SimpleXML in a html panel. Essentially, what you need to do is to turn columns into a multi-value fields with an indicator for the format option to pick up and change the background colour. For the indicator in your case, you could check whether the previous date is different i.e. it is the first in a series of copied dates. You can use streamstats to do this, something like this:

| streamstats values(catchup_updated_time) as previous_catchup_updated_time window=1 current=f
| eval catchup_updated_time=if(isnull(previous_catchup_updated_time) OR catchup_updated_time != previous_catchup_updated_time, mvappend(catchup_updated_time,"RED"), catchup_updated_time)

You then use CSS to hide (display: none) the second value in the multi-value field. See this answer (and similar) for clues https://community.splunk.com/t5/Splunk-Search/How-to-color-the-columns-based-on-previous-column-valu...
Looking at our inputs.conf setup via a "splunk btool inputs list --debug", I can't see that we have useack=true set (if that's what you are referring to). We are capturing a range of Event IDs for reporting as below. It all works fine however after restarting the Splunk UF when the issue occurs

\etc\apps\inputs_oswin_secevtlog\local\inputs.conf [WinEventLog://Security]
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf checkpointInterval = 5
\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf disabled = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf evt_resolve_ad_obj = 1
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf index = win-securityeventlog
\etc\system\default\inputs.conf interval = 60
\etc\apps\Splunk_TA_windows\default\inputs.conf renderXml = true
\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist1 = EventCode=%^(104|1102)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist2 = EventCode=%^(2004|2006|2033)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist3 = EventCode=%^(33205)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist4 = EventCode=%^(4170|4624|4625|4634|4647|4648|4663|4673|4688|4719|4720|4722|4723|4724|4725|4726|4728|4732|4735|4738|4740|4742|4743|4756|4767|4768|4771|4778|4779|4781|4820)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist5 = EventCode=%^(517|528|529|538|540|551|552|592|5152|5157)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist6 = EventCode=%^(624|627|628|642|644|680|6279)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist7 = EventCode=%^(7045)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist8 = TaskCategory=%^Network Policy Server$%
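The btool output above merges the local whitelistN entries with the TA's default blacklistN entries into one effective [WinEventLog://Security] stanza, and it is easy to misjudge which events actually reach the index. The following added example (not code from the poster or from Splunk) simulates that filter offline: it parses key=regex pairs from whitelist/blacklist lines and applies the documented semantics, which are taken here as an assumption: pairs inside one entry are ANDed, separate whitelistN entries are ORed, and any matching blacklist entry drops an event. The stanza text reuses entries from the post plus a constructed whitelist9 that admits 4662 (so the TA's blacklist1 has something to act on); the events are constructed. The parser only understands the %regex% and "regex" delimiters shown on the page.

```python
import re
from typing import Dict, List

Rule = Dict[str, str]   # field name -> regex; all pairs in one entry must match
Event = Dict[str, str]  # field name -> value

# One key=regex pair with %...% or "..." delimiters (assumption: only these two forms).
PAIR_RE = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)")')

# Constructed stanza: entries copied from the btool output above, plus a
# constructed whitelist9 so that the TA's default blacklist1 is exercised.
SAMPLE_STANZA = r"""
whitelist1 = EventCode=%^(104|1102)$%
whitelist4 = EventCode=%^(4170|4624|4625|4634|4647|4648|4663|4673|4688|4719|4720|4722|4723|4724|4725|4726|4728|4732|4735|4738|4740|4742|4743|4756|4767|4768|4771|4778|4779|4781|4820)$%
whitelist7 = EventCode=%^(7045)$%
whitelist8 = TaskCategory=%^Network Policy Server$%
whitelist9 = EventCode=%^4662$%
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
"""

# Constructed events; "label" is only used to report results.
SAMPLE_EVENTS: List[Event] = [
    {"label": "logon", "EventCode": "4624", "TaskCategory": "Logon",
     "Message": "An account was successfully logged on."},
    {"label": "ad-access-user", "EventCode": "4662", "TaskCategory": "Directory Service Access",
     "Message": "Object Type: user"},
    {"label": "ad-access-gpo", "EventCode": "4662", "TaskCategory": "Directory Service Access",
     "Message": "Object Type: groupPolicyContainer"},
    {"label": "nps", "EventCode": "5000", "TaskCategory": "Network Policy Server",
     "Message": "Network Policy Server granted access to a user."},
    {"label": "unknown", "EventCode": "9999", "TaskCategory": "Other", "Message": "noise"},
]


def parse_rules(stanza: str) -> Dict[str, List[Rule]]:
    """Collect whitelistN / blacklistN entries as lists of field->regex dicts."""
    rules: Dict[str, List[Rule]] = {"whitelist": [], "blacklist": []}
    for line in stanza.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        for kind in ("whitelist", "blacklist"):
            if key.startswith(kind):
                rule: Rule = {}
                for field, pct, quoted in PAIR_RE.findall(value):
                    rule[field] = pct if pct else quoted
                if rule:
                    rules[kind].append(rule)
    return rules


def rule_matches(rule: Rule, event: Event) -> bool:
    """Every key=regex pair of one entry must match (AND within an entry)."""
    return all(re.search(regex, event.get(field, "")) is not None
               for field, regex in rule.items())


def event_allowed(rules: Dict[str, List[Rule]], event: Event) -> bool:
    """Whitelist entries are ORed; any matching blacklist entry drops the event."""
    if rules["whitelist"] and not any(rule_matches(r, event) for r in rules["whitelist"]):
        return False
    return not any(rule_matches(r, event) for r in rules["blacklist"])


def filter_events(rules: Dict[str, List[Rule]], events: List[Event]) -> List[str]:
    """Return the labels of the events that would be forwarded."""
    return [e["label"] for e in events if event_allowed(rules, e)]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_STANZA)
    print(filter_events(parsed, SAMPLE_EVENTS))
```

Run as-is it reports that 4624 passes via whitelist4, the NPS event passes via whitelist8 even though its EventCode is in no whitelist, and the two 4662 events split exactly as the TA's blacklist1 intends. Drop the constructed whitelist9 and both 4662 events are already excluded by the whitelists alone, which is the point worth checking against your own btool output: a blacklist in a default file only matters for codes your local whitelists admit.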
Morning Giuseppe. Thanks for a quick reply. My problem with this solution is that I somehow need to ensure that:
1. The Full Splunk admin can't log in to the SH (since the SH is managed by a 3rd party including custom TAs)
2. The 3rd-party-managed SH must not be able to alter the roles (so no access to the Full Admin)
Hence the need for an isolated setup where the roles are set on the Peer site.
Hi @aab1 , you have to create a custom role, cloning the admin role (don't use inheritance), removing the feature you want and also the features to change user capabilities (otherwise the customization isn't useful!). Then, you give this role the grants to see only a part of the indexes. Ciao. Giuseppe
Hi @Mark_Heimer , did you modify only the Correlation Search name or also the Notable name? In the Incident Review you see the Notable name, not the Correlation Search name. In addition, I always prefer, when I clone a CS, to move it into a custom app and not release it in the Enterprise Security apps; in this way, I have all the customizations in a custom app. It isn't mandatory but you have a cleaner and more ordered situation. Ciao. Giuseppe
Hi, I found this 2011 chat "72798" on Splunk to "considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do". Does anybody know if this is somehow available or doable in 2024? My case is that I need a Standalone Searchhead with access to a subset of all indexes in the Cluster, but at the same time full control of the Searchhead (Splunk Admin capabilities except changes to the searchable index list). The aim is to separate the SH to be managed by a 3rd party.
Question 1: The last column is longer than the others, it's not aesthetic. I know I can adjust the height by editing the "<option name="height">" label, but the returned data would be changed all the time. If I set it "too high", it would seem weird. I want to solve two problems. 1. Don't show the "web scroll", meaning it can have an automatic size to accommodate my column data no matter how much data I have. 2. I want every column to share the space equally. Question 2: If my event is too short, it seems too small and narrow. It's also not aesthetic. Can I make a "minimum bar chart or a circle" defined by myself (like what I drew on the image)?
@ITWhisperer is asking which paradigm is used in your dashboard. Splunk has two very different ones. "Simple XML" is also called "Classic Dashboard" or "Dashboard Classic". If you click the "Dashboards" tab in the search app in 9.3, you'll see three panels like these:

Examples for Dashboard Studio
Browse examples of dashboards & visualizations. Visit Example Hub

Intro to Dashboard Studio
Learn how to build dashboards with Dashboard Studio. Learn More

Intro to Classic Dashboards
Learn how to build traditional Simple XML dashboards. Learn More

Follow the links to learn about their respective capabilities and programming/learning costs. (Both provide some visual design tools, although some advanced features still require editing the underlying code.) If you are modifying an existing dashboard, search for your dashboard in this tab and look at the "Type" column.
As I said above, the answer is no. Splunk's interactions (better known in dashboard classic as "drilldowns") are based on selected row only. If a transposed table suits your need, you can transpose, then interact with row.
Hi
Can anyone please advise on the search query to find out the overall health status of VMware using metric logs.
index - vmware_metric
SPL - | mstats avg("vsphere.usage") prestats=true WHERE "index"="vmware-metrics" AND "host"="system1.local" AND ("host"="system2" OR "uuid"="12457896") span=10s
| timechart avg("vsphere.vm.cpu.usage") AS Avg span=10s
| fields - _span*
Hi @Redwood ( https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector) may I know why you use the 8.0.2007 documentation please? Unless you want a particular doc version, maybe please use "latest" instead of that version number, so you will get the right documentation: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Cloud_Platform Regarding the error, please check the previous reply and let us know if it's working or not, then we can troubleshoot further, thanks. Best Regards Sekar
Sorry for the lack of clarity. I mean, for example, in the display there is a table with 3 columns. From there I can display certain information below the table depending on which table column I click. Is it possible?