Hi guys, Does anyone know whether it is possible to have Splunk show an actual value of an episode's field variable instead of showing the variable itself? I am trying to essentially prefill a custom send email action with data that already comes inside each episode (these are referred to as common fields by Splunk). I have tried various ways, including passing the variable to alert_actions.conf and editing the HTML, but clearly the data from alert_actions.conf is passed as a pure string to some other script (I'm assuming it's Splunk's JavaScript which then processes the data further). Also, I know that the variable that is displayed is processed by a Python script upon pressing the "Done" button and it indeed takes the correct data, however, my problem is to have the variable's value already prefilled inside the inputboxes prior to clicking the done button. I am also attaching a screenshot for a better understanding of my situation. Note: %email_address% and %message% would be example of fields that are already contained within each episode  

Hello. I am using the following Jamf Pro Add-on for Splunk (Version 2.10.4) to import Jamf data. https://splunkbase.splunk.com/app/4729/ Here, the following error may occur. <Error><error>The XML was too long</error></Error> Is there any way to resolve this error?   The following is a detailed description. The inputs are set up as follows. API Call Name       custom Search Name        /JSSResource/mobiledevices The number of records is about 60,000, but about 200 of them have the above error. According to the information on the following site, records with more than 10,000 characters seem to cause the above error. https://community.jamf.com/t5/jamf-pro/splunk-jamfpro-api-getting-started/m-p/169054            There is also information that Splunk does not capture data longer than 10,000 characters by default, but Splunk does not make that setting.

Hello all, after upgrading splunk to 8.1.0 , we have observed some issues with LDAP authentication. The uers are not able to login for sometime and after 10-15 mins the credentials work. Once we disabled ldap authentication on couple of servers, nowits working. We dont see any error/ warnings related to LDAP in splunk. Can someone please help and let em know if there is any known issue in this. THanks

Hi there, I have created a dozen of statistics dashboard with search / filtering and drilldown for customers using a production voice platform. Each of those dashboards includes multiple panels, each delivering 10+ metrics which are consistent in naming accross the different dashboards. Just for the example there can be "Offered calls" "picked up calls" "lost calls" "waiting time"....etc. Those reports are today in french with rename commands in the query so that it looks nice reading the data for the french users as the source is in english.   I'd like to have those dashboards to be available in other languages, so there is the basic option to clone all those reports and suffix their names with a language code but that would be tedious and would not offer some dynamic option for users to switch language.   I would like to have some dynamic option using a language input form or detecting language of the Splunk user so that all the fields / metrics used in those dashboard are being translated. Basically have a translation table I could maintain while new fields / metrics are added and new language is required. Is that something possible ? I couldn't find the beginning of an idea of how to achieve this frankly.

Hi Team,   I have a dashboard, where when I click on a row, it drills down to another URL for a different dashboard.  Now I want to capture this URL that it's using in drilldown and store it in a token. How do I do it?    My sample code :        <row> <panel depends="$drilldown_display$"> <table> <title>Top RequestIds for $eptok$</title> <search> <query>$instance_select$ organizationId=CASE($organizationId$) earliest=$earliest$ latest=$latest$ sourcetype=CASE(applog*:axapx) [search $instance_select$ organizationId=CASE($organizationId$) earliest=$earliest$ latest=$latest$ sourcetype=CASE(applog*:gslog) "CPU_ENFORCED"| stats count by requestId | fields requestId | format ] entryPoint="$eptok$" | table requestId runTime | sort -runTime</query> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="rowNumbers">false</option> <option name="wrap">true</option> <drilldown> <set token="drilldown_display1">block</set> <set token="reqtok">$row.requestId$</set> <link target="_blank">https://splunk-web.monitoring.com/en-US/app/publicSharing/Dashboard_second?form.instance=$instance$&amp;form.orgId=$organizationId$&amp;form.requestId=$reqtok$</link> </drilldown> </table> </panel> </row> <row>     IF you see the above code, I am drilling to Dashboard_second based on the row I click.  I want to capture this URL for  Dashboard_second in a token and display it in my HTML Panel.  How do we achieve this ? My HTML Panel code :      <panel> <html> <h1 class="SectionHeader">Panel to display drilldown URL </h1> <div style="float:left; width:calc(95% - 60px);" class="pageInfo"> <pre> ===========INTERNAL============== <b>DrillDown URL : </b> $MyUrl$ ===========INTERNAL============== </pre> </div> </html> </panel>      

Hi All, We are using Splunk Add-on for Box to get Box logs. With this Add-on, it appears that only [Events, Users, Folders, Groups] of the Box API endpoints is available. Furthermore, it seems that only "Standard" columnscan be retrieved for each API. (API Reference - Box Developer Documentation) 1. Is there any way to get logs from other endpoints like COLLABORATIONS or DOWNLOADS? 2. is it possible to retrieve all available columns, for example FILES(FULL)? Best Regards,

Hello, I'd ask for a help on how to write a query where I need to get an alert "when there's a user added to a specific group and then removed from the group within 1 Hour time." I'm new to Splunk, any help appreciated.

I am using Splunk DB Connect V3.7.0 and there seems to be a major security hole? I want to give some users access to some of the connections/identities. I set the permissions of what they can see, and that works. BUT If a user explicitly asks for a connection that they cannot see, they are still allowed to access it?! This cannot be correct?

I need help on development .  I have a requirement to capture the logs of a file path "care\outbound\prod" and "care\outbound\Test", Both the file names are same one will go to Test folder and other will go to Prod folder. As per the initial requirement I want capture the test data that is coming to "care\outbound\Test" path. Need help on coding part. code:   index=*** doc_name= ***** "*care*"   I have choose "care" as a key point, What ever the files cross through "care" folder it captures. But I need to capture the files which are coming to  "care\outbound\Test" . Please let me know if you need more clarification.

It looks like Splunk Universal Forwarder service on Linux enables CPU accounting or CPU shares. If this is enabled another program cannot manually assign scheduling. Does Splunk Service need CPU accounting and can this be disabled when Splunk starts. We want to determine if this CPUShares= setting is absolutely necessary for the service or if you have workarounds for setting CPU scheduling for the service in the legacy style.