All Posts

I'm attempting to call a REST API with a button click and display its JSON response on the dashboard. I'm using the following code as a reference. However, I'm not getting any results, and I can see this message in the developer tools console tab: "Error handling response: TypeError: Cannot read properties of undefined (reading 'mmrConsoleLoggingEnabled')"
Hey @kvm, not a Dynatrace SSL, but from the ERRORs you added it looks like it's causing some issue at the network level. If you have a CACert chain configured at Splunk level, then you should add the same cert to the locations I mentioned.
Hi @Meett, "Can you try to add SSL CA Chain to below location" - by this, do you mean updating the Dynatrace SSL certificate in the Splunk Add-on? Please confirm.
Sorry, it's not complete. Can you help me with a complete query to achieve the above result? First I need to get the Final status, then display the final status count based on dropdown selection like department, Location, Company. I have given the sample.csv raw data. Can you give me a single value count query to get the final status count for servers and then display the count again based on department, location or company dropdown selection?
Hi Community, I ran into trouble when trying to activate the use case "User Login to Unauthorized Geo": it gives an error saying I don't have the "sse_host_to_country" and "gdpr_user_category" lookup data. In this case I'm using ES Content Updates v 4.0.0, but I have my labs with ES Content Updates 4.38.0, and when I check it, it doesn't have any sse_host_to_country or gdpr_user_category lookup files. I've already searched on Google and haven't found an answer. Maybe this community has enough experience with this. Thanks
Thanks... but already tried that. This was an upgrade from 9.2 to 9.3 so shouldn't have been necessary, but tried it anyway. No effect. Splunk support has been working on this for 3 weeks now. Only having the problem on 1 of 4 Deployment Servers.
Hi regarza, What was the outcome of this issue?
Your search (mentioned in the initial post) | search department="$department$" Company="$Company$" Location="$Location$" will filter the events as you require, however, these tokens need a value, otherwise your search will be waiting for input. The value (if not otherwise selected) should be "*". This is what I mean about adding this to your dynamic list of options for your dropdowns. Your dropdowns need unique values for location, department and company. This is what the dedup is doing for each of the dropdowns. How is it that this is not satisfying your requirement?
@PickleRick  Thanks for your kind reply.  I'll try to fix the points you mentioned. If you think there's anything else that needs fixing, just let me know—I’d appreciate any feedback
Is it just one index you're not seeing data from or are there more of them? Does your role have access to this index? Did you verify (like tstats count over "all time") that there is any data in the index at all? Does your SH even search from the indexers (read - is your environment properly configured regarding distributed searching)?
Thanks @PickleRick for the information. I will try to use the options you mentioned as well.
Hi @tlmayes, it seems there is a known issue on the latest version for Splunk 9.2 and after. Can you follow this link and try to fix it? https://docs.splunk.com/Documentation/Splunk/9.3.0/Updating/Upgradepre-9.2deploymentservers
Possible issues with upgrade
Data not appearing in forwarder management UI following upgrade
This problem can occur if your deployment server forwards its data to a standalone indexer or to the peer nodes of an indexer cluster. To rectify, add these settings to outputs.conf on the deployment server:
    [indexAndForward]
    index = true
    selectiveIndexing = true
If you add these settings post-upgrade, you might need to restart the deployment server.
Hi @splunktup1, I would recommend using AWS/Azure/GCP and creating Windows/Linux machines and installing Splunk on them, instead of using a VM on a laptop. It might take up a lot of resources on the laptop. Or install Splunk directly on the laptop.
My suspicion would be that you're using mixed terminology: the master/slave terms have been obsoleted several big versions ago. Now it's manager/peer, so you should use the clustermanager stanza and manager_uri setting.
Hi Mohammad. I wanted to take a look at your scripts but it seems you're not providing the scripts on GitHub. You've uploaded a tgz archive, which makes it impossible to see the source as well as to do pull requests or see diffs on commits. That's not how you host your project on git. You also provide an inputs.conf file which references some unknown sourcetype. It's not how you normally do it. Normally you do an addon containing inputs, props, transforms (if needed) and metadata. The inputs are disabled by default so that the user can enable them if needed. Also, instructing people to run a script as root by default is a big no-no for me. I don't mean to discourage you since I'm sure you put some real effort into this. It's just something worth considering if you want to make your "product" better.
Hi @Sathish28, can you please run the following command in the CLI of the server where you are seeing the message, and share the output?
    /opt/splunk/bin/splunk btool server list --debug | grep -i local
Hi @KhalidAlharthi, if you are able to view the index name in the cluster manager page, it means it has searchable data. However, when you try searching with the same index name, what was the time range you were looking at? Try running for a longer timeframe. Or you need to have the permission to view the index data in Splunk. Can you please confirm that the index name you are searching is present in the allowed list for your role?
There is no default solution in Splunk for managing the Frozen Bucket (Path). I wrote a script where you provide a config file specifying the volume or time limit for logs in the Frozen Path for each index. If the policy is violated, the oldest log is deleted. The script also provides detailed logs of the deletion process, including how much data and time remains in the Frozen Path for each index and how long the deletion process took. The entire script runs as a service and executes once every 24 hours. I’ve explained the implementation details and all necessary information in the link below.   Mohammad-Mirasadollahi/Splunk-Frozen-Retention-Policy: This repository provides a set of Bash scripts designed to manage frozen data in Splunk environments. (github.com)   FrozenFreeUp 
Thank you. But this is not my requirement. My requirement is that when I select a dropdown like Location Bangalore, I need to get the Final Status count of servers for Bangalore. If I select Company DRDO, I need to get the Final Status count for all servers that are DRDO company. The same applies for the department dropdown. The Final Status of the server is derived from the second column of the sample.csv, where, if any of the second column status values is No, then the Final Status is No. If all the status column values are Yes, then it is Yes for the given server. So the final status depends on the status column values for that particular server. The same applies for other servers also. I need to display the total final status count as default. When someone selects a dropdown like Location, then the final Status count should refresh based on the Location selected, or Department selected, or Company selected. Please help me with a Splunk query to achieve this.
Hi, thanks for posting! This is definitely the plan, as we want to achieve widely understood parity between DM and AWS TA. This year, we plan to go live with AWS Org support. Next will be availability on CMP and custom source types for S3. After that, we'll take on more items to create full parity.