Hey @meng, You can also check the latest status of your search head cluster using the REST endpoint mentioned here - https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/9.4/cluster-endpoints/cluster-endpoint-descriptions#get-38 It'll always fetch the latest information for your cluster. And as for getting inaccurate information from metadata, as @gcusello mentioned, open a support case with Splunk. Thanks, Tejas.
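Added example (not code from the post above or from Splunk): a small Python client that builds the request for the search head cluster status endpoint and reduces the JSON answer to what an operator checks first (captain, members up/down, out-of-sync nodes). Assumptions: the endpoint path is /services/shcluster/status on the management port 8089, and with output_mode=json the captain is under entry[0].content.captain and members under entry[0].content.peers; the sample response is constructed and abbreviated, so verify the field names against the REST reference for your version. The request uses a bearer authentication token from a read-only role and keeps TLS verification on; do not swap in an unverified SSL context or an admin password to make it "work".

```python
"""Query and summarise the search head cluster status endpoint."""
import json
import ssl
import urllib.request


def shc_status_request(host, token, port=8089):
    """Build the HTTPS request. `token` is a Splunk authentication token for a
    role that only needs to read clustering status (least privilege)."""
    url = "https://%s:%d/services/shcluster/status?output_mode=json" % (host, port)
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token}, method="GET"
    )


def fetch_shc_status(host, token, port=8089, cafile=None):
    """Perform the request and return the decoded JSON body. `cafile` is the CA
    that signed the management-port certificate; TLS verification stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = shc_status_request(host, token, port)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def summarize_shc_status(payload):
    """Reduce the status document to captain / up / down / out-of-sync."""
    content = payload["entry"][0]["content"]
    captain = content.get("captain", {})
    peers = content.get("peers", {})
    up = sorted(p["label"] for p in peers.values() if p.get("status") == "Up")
    down = sorted(p["label"] for p in peers.values() if p.get("status") != "Up")
    out_of_sync = sorted(p["label"] for p in peers.values() if p.get("out_of_sync_node"))
    return {
        "captain": captain.get("label"),
        "dynamic_captain": bool(captain.get("dynamic_captain")),
        "service_ready": bool(captain.get("service_ready_flag")),
        "rolling_restart": bool(captain.get("rolling_restart_flag")),
        "up": up,
        "down": down,
        "out_of_sync": out_of_sync,
        "healthy": captain.get("label") is not None and not down and not out_of_sync,
    }


# Constructed sample response (assumed shape, abbreviated to the fields used).
SAMPLE_STATUS = {
    "entry": [{
        "name": "status",
        "content": {
            "captain": {"label": "sh1", "dynamic_captain": True,
                        "service_ready_flag": True, "rolling_restart_flag": False},
            "peers": {
                "guid-1": {"label": "sh1", "status": "Up", "out_of_sync_node": False},
                "guid-2": {"label": "sh2", "status": "Up", "out_of_sync_node": False},
                "guid-3": {"label": "sh3", "status": "Down", "out_of_sync_node": True},
            },
        },
    }]
}

if __name__ == "__main__":
    # Offline run on the constructed sample; replace with
    # fetch_shc_status("sh1.example.internal", token, cafile="/path/to/ca.pem") on a real cluster.
    print(json.dumps(summarize_shc_status(SAMPLE_STATUS), indent=2))
```

Run it against any member; the endpoint answers from the captain's view, which is why it is a better source than cached metadata. A "healthy" of False with a non-empty out_of_sync list is the case where an operator wants to look at the member's own status before opening a case.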
Well, I'm using Splunk Cloud so JS is not an option, and I've tried the second option but it's not working. Maybe something in the copy-paste went wrong?

<input type="multiselect" token="categories">
  <label>Categories</label>
  <choice value="*">ALL</choice>
  <fieldForLabel>testCategories</fieldForLabel>
  <fieldForValue>testCategories</fieldForValue>
  <search>
    <query>index="stg_observability_s" sourcetype=SplunkQuality earliest=$time.earliest$ latest=$time.latest$ | search AdditionalData.domain="$domain$" AdditionalData.pipelineName="$pipelineName$" AdditionalData.buildId="$jobid$" AdditionalData.repoUrl="$repo$" | stats count by testCategories</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
  <delimiter> AND </delimiter>
  <valuePrefix>testCategories="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <change>
    <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval>
    <eval token="categories_choice">if('form.categories'=="All","categories=\"*\"",'categories')</eval>
  </change>
</input>
@sarit_s6 - That one requires JavaScript to be written to remove the "All" option. Reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-quot-All-quot-from-Multiselect-Input-in-Dashboard/m-p/301375   OR you can opt for the complex XML editing suggested in this reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-ALL-from-multi-select-input-once-any-value-is-selected/m-p/711199   I hope this helps!!! Kindly upvote if it does!!!
@Macedovin - Great that you joined the Splunk community here. And I'm glad that you were able to resolve the issue you had and even updated the details here.   It would be amazing if you could answer your own question here with the details that you currently added to your question (UPDATE), so that future Splunk community users can clearly see your question and answer and get help from it. Once you add your answer, please also mark it as "Accepted".   Community Moderator, Vatsal
Thanks, it's working. Is it also possible to set it up so that when an object is selected it will remove the "ALL" automatically?
Hi @sarit_s6, yes, you can use the IN operator and a comma as separator. Ciao. Giuseppe
@Alan_Chan - Are you sure your Splunk port is 8443??  
@vader13 - You did not include the reference which mentions supported and not supported. Also, I'm not sure what you are referring to with HTTPOUT.
Yes you can do that. @sarit_s6

You can make use of:

<delimiter> text
    A string that will be placed between each selected value. Typically, you specify " OR " or " AND " using upper case. Do not specify the quote marks, but specify a space character before and after the text.

<valuePrefix> text
    String prefixed to the value of the input element. Can be a regular expression.

<valueSuffix> text
    String appended to the value of the input element. Can be a regular expression.

delimiter -> AND
valuePrefix -> key="
valueSuffix -> "

This will prepare something like -> key="A" AND key="B" ....

I hope this helps!!!!
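Added example (not code from any post in this thread and not Splunk code): a plain Python model of two things discussed above, the way a multiselect composes its token from delimiter, valuePrefix and valueSuffix, and the change-handler logic (mvcount/mvfind case()) that drops the "All" choice once a real value is picked. It exists so the eval logic can be checked on a few selections before it is pasted into XML. Assumptions: the field name and the sample selections are made up for the example, and the "All" string used by the handler must be the same string as the choice's value attribute in the XML.

```python
"""Model of a Simple XML multiselect token and its "All"-removal handler."""


def render_token(selected, delimiter=" AND ", prefix='key="', suffix='"'):
    """Compose $token$ the way the input does: prefix + value + suffix for each
    selected value, joined by the delimiter verbatim (surrounding spaces included)."""
    return delimiter.join(prefix + v + suffix for v in selected)


def normalize_selection(selected, all_value="All"):
    """Python equivalent of the <change> eval on form.<token>:
      nothing selected                    -> back to the All choice
      All added after other values        -> collapse to All only
      All was first and a value was added -> drop All, keep the real values
      otherwise                           -> leave the selection alone
    Splunk's mvfind returns the 0-based index of the first match, which is what
    the index>0 / index=0 branches below mirror."""
    if len(selected) == 0:
        return [all_value]
    try:
        all_idx = selected.index(all_value)
    except ValueError:
        all_idx = None
    if len(selected) > 1 and all_idx is not None and all_idx > 0:
        return [all_value]
    if len(selected) > 1 and all_idx == 0:
        return [v for v in selected if v != all_value]
    return list(selected)


def search_clause(selected, field, all_value="All", all_expr=None):
    """The clause a panel would receive: a wildcard match when All is the
    selection, otherwise field="a" AND field="b" ... as asked for in the thread."""
    sel = normalize_selection(selected, all_value)
    if sel == [all_value]:
        return all_expr or '%s="*"' % field
    return render_token(sel, " AND ", field + '="', '"')


if __name__ == "__main__":
    # Constructed selections for a field named testCategories (assumed name).
    for pick in ([], ["All"], ["All", "unit"], ["unit", "All"], ["unit", "e2e"]):
        print("%-16s -> %s" % (pick, search_clause(pick, "testCategories")))
```

One caveat for the AND case: field="a" AND field="b" on a single-valued field matches nothing, because no event has both values at once; it only returns results when the field is multivalued in the event, which is why IN (an OR across values) is the usual choice for this kind of filter.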
@tommasoscarpa1 - I prefer to always put the logs in a custom log file, which will also come into a custom sourcetype on Splunk, inside the _internal index of Splunk, so no Splunk license will be used for that either.   Here is the reference code for some other App's custom command. * https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database/blob/master/bin/maxmind_db_update_command.py (Custom search command) * https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database/blob/master/bin/logger_manager.py (Custom logger manager file) * https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database/blob/master/default/props.conf (For assigning the custom sourcetype)   You can search the data with index=_internal sourcetype=<sourcetype-you-assign-in-props.conf> Also, just FYI, you can use the same code for custom REST endpoints, Python modular inputs, or anything else.   I hope this helps!!! Kindly upvote the answer if you like the solution.
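Added example of the pattern described above, written for this page; it is not the CrossRealms app's logger_manager.py and not Splunk code. It gives a custom search command (or modular input, or REST handler) a rotating file logger under $SPLUNK_HOME/var/log/splunk, the directory splunkd's default inputs monitor into index=_internal, and scrubs newlines out of values taken from search arguments so a user cannot forge extra log lines. Assumptions: SPLUNK_HOME comes from the environment with /opt/splunk as a fallback, the log name example_cmd and the props.conf stanza in the comment are this example's own choices, and the log records written by demo() are constructed.

```python
"""File logger for a Splunk custom command that lands in index=_internal."""
import logging
import logging.handlers
import os
import tempfile

# Assumed props.conf stanza (app's default/props.conf) giving the file its own
# sourcetype; the path pattern and sourcetype name are this example's choices:
#   [source::...var/log/splunk/example_cmd.log]
#   sourcetype = example_cmd:log
#   SHOULD_LINEMERGE = false
#   TIME_PREFIX = ^
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 23

LOG_FORMAT = "%(asctime)s %(levelname)s pid=%(process)d %(name)s %(message)s"


def splunk_log_dir(splunk_home=None):
    """$SPLUNK_HOME/var/log/splunk is monitored by the default inputs."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    return os.path.join(home, "var", "log", "splunk")


def scrub(value):
    """Neutralise CR/LF in user-supplied values (search arguments, lookup
    names) so one record cannot be split into several fake ones."""
    return str(value).replace("\r", "\\r").replace("\n", "\\n")


def get_logger(name, log_dir=None, level=logging.INFO,
               max_bytes=25 * 1024 * 1024, backup_count=5):
    """Return a rotating file logger; idempotent so repeated calls inside one
    process do not stack handlers. Never log to stdout: for a custom search
    command stdout is the data channel back to splunkd and stray output
    corrupts it; stderr is only needed for search.log."""
    logger = logging.getLogger(name)
    if logger.handlers:
        return logger
    log_dir = log_dir or splunk_log_dir()
    os.makedirs(log_dir, exist_ok=True)
    handler = logging.handlers.RotatingFileHandler(
        os.path.join(log_dir, name + ".log"),
        maxBytes=max_bytes, backupCount=backup_count)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    logger.addHandler(handler)
    logger.setLevel(level)
    logger.propagate = False  # keep records out of the root logger / python.log
    return logger


def demo(log_dir=None):
    """Write a few constructed records and return the lines on disk, i.e. what
    index=_internal sourcetype=example_cmd:log would show. A temp directory is
    used when no log_dir is given so this runs outside a Splunk install."""
    log_dir = log_dir or tempfile.mkdtemp(prefix="example_cmd_")
    log = get_logger("example_cmd", log_dir=log_dir)
    # Constructed values; the sid and the hostile lookup name stand in for
    # arguments a user could pass to the command.
    log.info("command started sid=%s", scrub("1700000000.123"))
    log.warning("lookup %s missing, results left unenriched",
                scrub("geoip\n2024-01-01 00:00:00,000 INFO forged line"))
    log.info("command finished events=%d", 42)
    for h in log.handlers:
        h.flush()
    path = log.handlers[0].baseFilename
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Inside the command, call get_logger once at module load and log with %-style arguments rather than pre-formatted strings; the scrub() call is the part that matters for anything that originated in a user's search string.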
Hello, is it possible to use a multiselect input in a classic dashboard so the selected objects there will be key=value AND key=value1? If I'm using IN it acts like OR.   Thanks
I can't see the editing menu in the Lookup Editor app, please guide me. Karn
Hey @Karthikeya, What @ITWhisperer mentioned is correct. I have modified the source code of the dashboard to open the same search in a new tab based on the clicked selection. Paste the following code in your dashboard and it should work as per your requirement.

<form version="1.1" theme="light">
  <label>Akamai WAF Dashboard</label>
  <search id="base_search">
    <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$ </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <description></description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="configid" searchWhenChanged="true">
      <label>Security Configuration ID</label>
      <choice value="*">All</choice>
      <fieldForLabel>attackData.configId</fieldForLabel>
      <fieldForValue>attackData.configId</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf source=$source$ | stats count by attackData.configId</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Service Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="time">
      <label>Select Time Range</label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top 10 Attack Rule IDs</title>
      <chart>
        <search base="base_search">
          <query> | top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Attack Rule Tags</title>
      <chart>
        <search base="base_search">
          <query> |stats count by attackData.rules{}.tag |sort - count |head 10</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule Messages</title>
      <table>
        <search base="base_search">
          <query>| stats count by attackData.rules{}.message |sort - count |head 10</query>
        </search>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Rule Action by Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.rules{}.action |sort - count</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.05</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="clicked_value">$click.value2$</set>
          <link target="_blank">search?q=index%3D%22waf_app_*%22%20sourcetype%3Dakamai_waf%20%7Cfields%20*%20|search%20attackData.configId%3D$configid$%20source%3D$source$%20%7C%20stats%20count%20by%20attackData.rules%7B%7D.action%20|sort%20-%20count%0A%7C%20search%20attackData.rules%7B%7D.action%3D%22$clicked_value$%22&amp;earliest=$time.earliest$&amp;latest=$time.latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule IDs Trend (5 min)</title>
      <chart>
        <search base="base_search">
          <query> | timechart count(attackData.rules{}.id) span=5min</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Status Code Trend</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 IP Addresses</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.clientIP |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 10 HTTP Path Details</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.path |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP Method Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.method |sort - count </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
</form>

Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated..!!
You don't have any specific drilldown action configured which means you will just get a basic search. If you want something more tailored, you should define a panel or other dashboard with the search that you want executed when the drilldown is triggered, and then configure the drilldown to activate this panel.
Hi @meng, I never experienced this issue; open a case with Splunk Support, for your case and also for the other Splunk customer. Ciao. Giuseppe
Hi @karn, you can add columns to a lookup using the Lookup Editor app, but remember to also modify the Lookup Definition. With a CSV lookup you don't need to modify the Lookup Definition, but it's required for KV Store lookups. Ciao. Giuseppe
Have you tried to use the API to add the field? KV store endpoint descriptions - Splunk Documentation
<form version="1.1" theme="light">
  <label>Akamai WAF Dashboard</label>
  <search id="base_search">
    <query>index="waf_app_*" sourcetype=akamai_waf |fields * |search attackData.configId=$configid$ source=$source$ </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <description></description>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="configid" searchWhenChanged="true">
      <label>Security Configuration ID</label>
      <choice value="*">All</choice>
      <fieldForLabel>attackData.configId</fieldForLabel>
      <fieldForValue>attackData.configId</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf source=$source$ | stats count by attackData.configId</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Service Name</label>
      <choice value="*">All</choice>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index="waf_app_*" sourcetype=akamai_waf attackData.configId=$configid$ |stats count by source</query>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="time">
      <label>Select Time Range</label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top 10 Attack Rule IDs</title>
      <chart>
        <search base="base_search">
          <query> | top limit=10 attackData.rules{}.id | rename attackData.rules{}.id as "Rule ID"</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Attack Rule Tags</title>
      <chart>
        <search base="base_search">
          <query> |stats count by attackData.rules{}.tag |sort - count |head 10</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule Messages</title>
      <table>
        <search base="base_search">
          <query>| stats count by attackData.rules{}.message |sort - count |head 10</query>
        </search>
        <option name="dataOverlayMode">heatmap</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Rule Action by Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.rules{}.action |sort - count</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.05</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Rule IDs Trend (5 min)</title>
      <chart>
        <search base="base_search">
          <query> | timechart count(attackData.rules{}.id) span=5min</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Status Code Trend</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 IP Addresses</title>
      <chart>
        <search base="base_search">
          <query> | stats count by attackData.clientIP |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 10 HTTP Path Details</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.path |sort - count |head 10</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP Method Count</title>
      <chart>
        <search base="base_search">
          <query> | stats count by httpMessage.method |sort - count </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
  </row>
</form>
Hey @Karthikeya, The other data is coming because of an improper drilldown configuration. Can you share the dashboard source code here? Make sure to share it in a code block for better visibility.  Thanks, Tejas.