Hi guys,   I'm a splunk noob here and I'm going nuts. I know this is an extremely simple search and I can't get it right. I'm trying to create a search for remote access applications based on our firewall index. IP cidr will be pulled from a lookup file (network_assets.csv) and matching to the source ip from my events. There's fields from the lookup file that do not exist in the events. I'm particullarly interested in adding this field called usertags (which is included in the lookup).  I am using these links as a reference and I can't get it to work. https://community.splunk.com/t5/Splunk-Search/How-do-I-append-columns-to-a-search-via-inputlookup-where-the/m-p/402136 index=fw | search appcat=Remote.Access | search app!="RDP" AND app!="WMI.DCERPC" | lookup network_assets.csv cidr | eval cidr=src | search usertags="*server*" | table src dest app url appcat usertags My search currently does not give me any results. Any help would be much appreciated

Hi, I have a Splunk Cloud trial instance. I am using a Sprint Boot application to make a simple HttpPost call to the HEC in Batch mode.  The format of the event is JSON and I am not adding line breaks between two events.  Splunk is receiving the requests and adding them as events. However, each of my events is getting truncated and is not showing up as a well formed JSON. I can see that the entire event is not being added, and when I measured the size of each event, it was coming up to 10kb. I then found this: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking Specifically, I think I'm being impacted by this: The Splunk platform uses the LINE_BREAKER and TRUNCATE settings to evaluate and break events over 10kB into multiple lines of 10kB each. Questions 1. Is there no way to send events to Splunk Cloud larger than 10 kb? 2. If it is indeed supported, what configuration do we need which can be performed via Splunk Web, since we don't have access to config files etc in Splunk Cloud? Is it something related to Source Types (Advanced config)?

I am trying to Install the Cluster Agent with the Kubernetes CLI I am getting the below error  #kubectl create -f cluster-agent.yaml error: error validating "cluster-agent.yaml": error validating data: [ValidationError(Clusteragent.spec): unknown field "account" in com.appdynamics.v1alpha1.Clusteragent.spec, ValidationError(Clusteragent.spec): unknown field "appName" in com.appdynamics.v1alpha1.Clusteragent.spec, ValidationError(Clusteragent.spec): unknown field "controllerUrl" in com.appdynamics.v1alpha1.Clusteragent.spec, ValidationError(Clusteragent.spec): unknown field "serviceAccountName" in com.appdynamics.v1alpha1.Clusteragent.spec]; if you choose to ignore these errors, turn validation off with --validate=false When i change the apiVersion: appdynamics.com/v1 kubectl create -f cluster-agent.yaml error: resource mapping not found for name: "k8s-cluster-agent" namespace: "appdynamics" from "cluster-agent.yaml": no matches for kind "Clusteragent" in version "appdynamics.com/v1" ensure CRDs are installed first Please help me to resolve this kubectl version Client Version: v1.24.0 Kustomize Version: v4.5.4 Server Version: v1.22.6

Hello, I'm having a problem with Dashboard Studio in Splunk Enterprise (version 8.2.5). I would like to create a visualization with a drilldown that lets the user click on a given data point (for example a bar in a bar chart) or a given record of a table and open a new dashboard that contains more detailed visualizations. As far as I know this is possibile by adding a Link to custom URL drilldown and providing the URL of the dashboard in the configuration. Now I would like to drill down to a "details" dashboard but setting the value of a token, so that the visualizations in this "details" dashboard are already filtered by a value in a given field, e.g. /app/search/my_destination_dashboard?form.my_field=$passed_token|u$ However the value that should be assigned to the token is dynamic, i.e. it should depends on the particular data point that the user clicked. For example, If I click on a particular record of a table the value of the token (passed_token) should be set to clicked cell value. It seems this is possibile with Dashboard Studio in Splunk Cloud Platform (see here). But I was not able to reproduce it in Splunk Enterprise. Here it is an example. The following is the JSON definition of the "source" dashboard (made with Studio) where the table visualization has a Link to custom URL drilldown:   { "visualizations": { "viz_aWKTkUpc": { "type": "splunk.table", "dataSources": { "primary": "ds_e3l7tAe8" }, "title": "Number of events per item", "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "/app/search/test__target_1?form.item_name=$item_name|u$", "newTab": true } } ], "description": "Selected item: $item_name$" } }, "dataSources": { "ds_vW29Fvqp": { "type": "ds.search", "options": { "query": "| makeresults count=100 \n| eval _items=\"banana,apple,grapefruit,lemon,orange\" \n| makemv delim=\",\" _items \n| eval _a=10 \n| eval _rand_i = random() % _a \n| eval _n=mvcount(_items) \n| eval _j = _rand_i % _n \n| eval item = mvindex(_items, _j) " }, "name": "base" }, "ds_e3l7tAe8": { "type": "ds.chain", "options": { "extend": "ds_vW29Fvqp", "query": "| stats count by item" }, "name": "table" }, "ds_1FI28nVT": { "type": "ds.chain", "options": { "query": "| stats count by item \n| table item", "extend": "ds_vW29Fvqp" }, "name": "item_list" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "0," }, "title": "Global Time Range" }, "input_Sc6kQbF9": { "options": { "items": [ { "label": "All", "value": "*" } ], "defaultValue": "*", "token": "item_name" }, "title": "Select item", "type": "input.dropdown", "dataSources": { "primary": "ds_1FI28nVT" }, "encoding": { "label": "primary[0]", "value": "primary[0]" } } }, "layout": { "type": "grid", "options": {}, "structure": [ { "item": "viz_aWKTkUpc", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 282 } } ], "globalInputs": [ "input_global_trp", "input_Sc6kQbF9" ] }, "description": "", "title": "Test - source" }   The following is the XML definition of the "target" dashboard (where I want to land):   <dashboard> <label>Test - target 1</label> <search id="base"> <query> | makeresults count=100 | eval _items="banana,apple,grapefruit,lemon,orange" | makemv delim="," _items | eval _a=10 | eval _rand_i = random() % _a | eval _n=mvcount(_items) | eval _j = _rand_i % _n | eval item = mvindex(_items, _j) </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <search id="sel_search" base="base"> <query> | search item=$form.item_name|s$ </query> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="time" searchWhenChanged="true"> <label>Time</label> <default> <earliest>0</earliest> <latest></latest> </default> </input> <input type="dropdown" token="item_name" searchWhenChanged="true"> <label>Select item</label> <search base="base"> <query> | stats count by item | table item </query> </search> <fieldForLabel>item</fieldForLabel> <fieldForValue>item</fieldForValue> <initialValue>*</initialValue> <default>*</default> <choice value="*">All</choice> </input> </fieldset> <row> <panel id="selected_item"> <html> <style> #selected_item { text-align: left; } </style> <p>Selected item name: <b>$form.item_name$</b> </p> </html> </panel> </row> <row> <panel> <title>Events</title> <table> <search id="table_events" base="sel_search"> <query> | table _time, item </query> </search> <option name="drilldown">none</option> </table> </panel> </row> </dashboard>   The drilldown works but you must first set the token value by using the dropdown input and then you can click on the table. II tried to modify the JSON definitio of the "source" dashboard" as shown in the example in the doc for the Splunk Cloud Dashboard Studio:   { "visualizations": { "viz_aWKTkUpc": { "type": "splunk.table", "dataSources": { "primary": "ds_e3l7tAe8" }, "title": "Number of events per item", "eventHandlers": [ { "type": "drilldown.setToken", "options": { "tokens": [ { "token": "item_name", "key": "row.item.value" } ] } } ], "description": "Selected item: $item_name$" } }, "dataSources": { "ds_vW29Fvqp": { "type": "ds.search", "options": { "query": "| makeresults count=100 \n| eval _items=\"banana,apple,grapefruit,lemon,orange\" \n| makemv delim=\",\" _items \n| eval _a=10 \n| eval _rand_i = random() % _a \n| eval _n=mvcount(_items) \n| eval _j = _rand_i % _n \n| eval item = mvindex(_items, _j) " }, "name": "base" }, "ds_e3l7tAe8": { "type": "ds.chain", "options": { "extend": "ds_vW29Fvqp", "query": "| stats count by item" }, "name": "table" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } }, "tokens": { "default": { "item_name": { "value": "*" } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "0," }, "title": "Global Time Range" } }, "layout": { "type": "grid", "options": {}, "structure": [ { "item": "viz_aWKTkUpc", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 300 } } ], "globalInputs": [ "input_global_trp" ] }, "description": "", "title": "Test - source - mod" }   i.e. removing the dropdown input, changing the eventHandlers type property to drilldown.setToken and adding a default value to the token item_name in the defaults section. Whenever I click on a row of the table, the token item_name should be assigned the value of the cell under the "item" column and the table description "Selected item name: ..." should be updated. But it seems not to work in Splunk Enterprise Dashboard Studio. However, even if it worked, the Set Token drilldown would only set the token value for the current dashboard and not redirect to an external URL. I need the drilldown to do both: set the token value and then open an URL where I pass the token value as a query parameter to land onto a "filtered" dashboad. Does anyone know if this type of drilldown is possibile with Dashboard Studio in Splunk Enterprise and how to do it?

Dear Sir or Madam, Could you please advise me about transferring logs to the Splunk server when there is no open port for listening? The only open port is 80 which is reversed proxied to 8000 through Apache configurations for Splunk web UI as shown below: <VirtualHost *:80> ProxyPass         /  http://localhost:8000/                                                                                                ProxyPassReverse  /  http://localhost:8000/                                                                                                                </VirtualHost> I Will be so grateful if you advise me about the best solution for transferring logs without opening an additional port? I really appreciate your help and support. Kind Regards, Farid

Hi, I am creating a dashboard where the data is provided via CSV. So, I am using the inputlookup command.  However, I need to search on one specific field (or column) on the CSV and I am currently using this but it is not working:   | inputlookup ABC | search Device Name = "sdf"   Can you please help?