All Posts

Problem from dashboard: this dashboard comes with the default package of ITSI, which I am trying to reverse engineer in order to fix the dashboard. How do I fix this issue? What is the ldapfilter command, and how do I fix the token issue?
Can I ask a question about Splunk? I am using the feature that allows me to embed report jobs into HTML using iFrame. However, even though I have 140 job results in Splunk, only 20 are being displayed on the embedded HTML. Does anyone know how to solve this issue?
Is your problem from a search in a dashboard or a raw search in the search bar? I suspect this is two issues - the first dashboard issue is a token issue and this is missing the ldapfilter command. Is this your dashboard - if you do not have access to the ldapfilter command then even if you fix the token you may not get your search working.
Those are different tokens. Things in your SPL that have $xxx$ are dashboard tokens and are set by logic in the dashboard, either through an input or through some drilldown.
And from a purely SPL point of view, technically you could do any of these to fill the null values.

    | foreach domain_id domain_name group non_tier_zero_principal path_id path_title principal tier_zero_principal user [ | fillnull "<<FIELD>>" value="NULL_<<FIELD>>" ]

OR

    | foreach domain_id domain_name group non_tier_zero_principal path_id path_title principal tier_zero_principal user [ | eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL_<<FIELD>>", '<<FIELD>>') ]

OR

    | fillnull domain_id domain_name group non_tier_zero_principal path_id path_title principal tier_zero_principal user value="NULL"
When I navigate to check the token, I find the below. However, I am not sure whether the token exists or whether I need to create a new one. 1 - If I want to create a new token, how should I map the SPL query to this token?
When I am trying to expand the macro, I am getting the below error message.
Sorry, the "" is my post.
Do you understand WHY you are getting duplicates from the API? At what point would you want a 'new' event not to be treated as a duplicate? Forever? Last 60 minutes? Depending on that, you could make your alert look back at a longer time window and aggregate common events together with first and last timers and then ignore any 'new' events in the window you are interested in that have a count > 1 in the larger window.  
If this is in a dashboard, then that $select321$ looks to be a token and if that token has not been set you will get the message you are seeing. On a separate point, are the double quotes surrounding the SPL or is that your post? Because it looks like it is a macro, but if the double quotes are really surrounding the macro, then it's not a macro, but a string. Anyway, the token is your problem.
The developer made a release available and gave a talk on it some months ago at one of the user groups. I tried it then and it generally worked OK, but didn't give it some hard problems to look at. It's running in a Cloud instance I have access to.
Missing indexes. Anyone have a way to investigate what causes indexes to suddenly disappear? Running a btool and indexes list… my primary indexes with all my security logs are just not there. I also have an NFS mount for archival and the logs are missing from there too. Going to the /opt/splunk/var/lib/splunk directory I see the last hot bucket was collected around 9am. I am trying to parse through whatever logs to find out what happened and how to recover.
Well, you'll have to look on a case by case basis - there are some use cases where objects are defined in first JS load and then they can be reloaded, but the same object already exists the second time around.
That's so true. Turning on option "ON" for showing data looks pretty bad on the graph.
Mine was caused by browser cache. It can impact you in the same browser in both normal and private/incognito sessions. I've validated this by using a different browser, and the view appeared in the navigation. Clearing all browser cache and restarting the affected browser fixed this issue.
Hi @Paul.Mateos, kindly raise a case ticket with the Support team to share this extension.
I enabled netstat in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf. I see Send_Q and Recv_Q (from "netstat -a"?), but those look like the corresponding queue sizes in bytes. I think the Windows/wmi equivalent reports traffic (bytes/sec) through the network adapter.
On Splunk Enterprise 9.2 and DBConnect 3.17.2. I'm in the process of replacing our old Splunk instance, and with the new version of DBConnect, I seem to be unable to disable SSL encryption on connection to the database. It's a Microsoft MS-SQL database. I connect using the generic MS SQL driver. I do not have "Enable SSL" checked, I have encrypt=false in the jdbc URL:

    jdbc:sqlserver://phmcmdb01:1433;databaseName=CM_PHE;selectMethod=cursor;encrypt=false

and yet, it cannot connect, throwing the error

    "encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: SQL Server did not return a response.

The old system running DBConnect 3.1.4 on Splunk Enterprise 7.3.2 can connect just fine without SSL enabled. Why is DBConnect insisting on attempting an SSL connection? The SQL server is obviously not requiring it, or the old server would not work. Or is this a false error message and diverting me from some other problem?
 
Hi Team, could you please advise why the below query is not showing any data? " `secrpt-active-users($select321$)`" Thanks