I have a dashboard where I tried adding a <caption> tag to the table visualization through the source code XML, but it says "unknown node <caption> Node <caption> is not allowed here", hence it isn't recognized in dashboard XML. For example, adding a caption to a table with the title "Builds". But I need to add captions for screen reader purposes. Is there any way to add it via JavaScript, like manipulating it using {table-id}?
Hi Splunkers, I have a dashboard with 2 panels which share one droplist input. The droplist has name/values as ALL/*, a/a, b/b, c/c, etc. For panel 1, whatever is selected, the search is | search fieldname = $tokenname$. For panel 2, when ALL/* is selected, it is | search fieldname = $tokenname$ as in panel 1, but when other values are selected, I want a suffix _CB to be added at the end. For example, when a/a is selected, the search should be built like | search fieldname=a_CB. Thanks in advance. Kevin
The current versions of each App are listed below.

Splunk App for AWS: 6.0.3 (latest version)
Splunk Add-on for AWS: 5.2.0 (latest version)

The release notes for 6.0.3 (latest version) of "Splunk App for AWS" state that it is compatible with 5.0.0-5.0.4 of "Splunk Add-on for AWS". Is it compatible with the latest version (5.2.0) of "Splunk Add-on for AWS"? If we want to use the latest versions of both, do I have to use the following combination?

Splunk App for AWS: 6.0.3 (latest version)
Splunk Add-on for AWS: 5.0.4

We know that support will end on 2022/7. We are filled with sorrow still now. Best Regards.
On ES I am getting warning messages that "two assets are exceeding the field limits set in the asset & identity management page". It says that this might cause performance issues and that the field limits need to be increased. How do I increase the field limits, please? Thanks a million for your help in advance.
Can someone help me get ServiceNow to create an event ticket every time my Splunk alert gets triggered? I followed the steps below in this screenshot but have not been able to get anywhere with this. I'm getting the Splunk alerts when the alert is triggered. However, ServiceNow is not creating an event when this happens. That is the issue. If anyone can point me in the right direction I would really appreciate it!
Please, how do I set up Azure NSG logs on Splunk Cloud? Does anyone have any material on that?
Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines. I can get them filtered individually, but without an "AND" operator (like OR has "|"), I'm struggling.

Sample Event:

An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: XXXX.NET
Logon ID: 0x6C6C65F09
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$. I have tried stuff that works on regex101, etc., and it will work there, but Splunk doesn't seem to recognize it.

(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))

Any help is appreciated.
I have been trying to figure out why this doesn't work.

| inputlookup ioc_domain.csv | table query | search NOT [inputlookup ioc_domain.csv | table query]

Obviously the above is a useless query, but I think the reason it won't work is the same reason my query won't work, which is basically:

| tstats count where index=dns by PREFIX(query=) PREFIX(srcip=) | rename *= AS * | search NOT [inputlookup ioc_domain.csv | table query]

It's not that exactly, but close enough. The main part of the search works fine; if I search without the exclusion everything goes as expected. If I try to use a set of values from a field in a lookup table to act as a filter of events not to include, it doesn't work no matter what I try. I've tried in the subsearch piping to | rename field AS search | format], I've tried just | table field], I've tried using return. Nothing seems to work. Although it seems to work if the subsearch is before any other pipe command, I'm not interested in that: I'm trying to convert some alerts to using tstats and need to be able to scrub against a lookup table. For more info, I'm not using tstats against datasets or datamodels; this is against indexes. Anyone have any ideas?
I'm trying to test a Splunk Cloud integration my company has written with a Splunk Cloud free trial. The trial uses a self-signed cert, which is not allowed in a downstream service. Is it possible to update the cert on the trial account? I can only find docs for Enterprise. If not, does the paid cloud service use a self-signed cert? Thank you.
I'm creating an Ansible playbook for installing the UF in our org, and I discovered being able to use user_seed.conf for the initial --accept-license call, but now I want something similar when running a subsequent ./splunk install app <path to SPL file> -auth <username:passwd>. Can I use the hashed password value here, or maybe call the user_seed.conf file again? Thanks!
I am trying to route metric type events to a null queue to avoid indexing them, but they are still coming through. Any ideas if there is a special way to do this?

props.conf:
[azr_proda_metrics]
TRANSFORMS-set= kubenullmetrics

transforms.conf:
[kubenullmetrics]
REGEX=metric_name=kube.cluster.cpu.request| metric_name=kube.cluster.memory.request
DEST_KEY=queue
FORMAT=nullQueue
Previously, I added a user in the controller and the role was automatically assigned as "tenant role". I tried to add another one, but this time the "tenant role" was not automatically assigned. Can I add multiple users with the tenant role?
Hi guys, I have a query running in this job ID on Databricks:

And every time I try to transport these 5 rows from Databricks into Splunk running in job 18363943, it only returns 1 row.

SPL to transport data from Databricks:

| databricksjob job_id="18363943" | eval event_name = "Fraude - risco na selfie", severity="High", source = "DataBricks", jira_update_comment = " " | table-result event_name , severity, consumer_id,biometric_origin,score, source, jira_update_comment

Results with only one row:

Could you guys help me with this or show me where I'm making mistakes writing the code? I need a script that returns these 5 rows. Thanks in advance.
Hi, I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone who has achieved this can share how you are doing it. Thanks!
Hello there, can someone explain to me why there is a second "average" when I hover over one slice of the pie chart? The first "average" is my calculation; the second, with the % ("average%"), came out of nowhere and I don't know why they have different results. Can I get rid of it? In case you need my search:

index=blabla | stats count by category | eventstats sum(count) as total | eval average=round((count/total)*100,2) | sort 10 - average | fields category average

Thanks.
We have several servers successfully forwarding event logs to our on-prem Splunk server. No one can remember the credentials used when installing the forwarder. What is the best way to handle this problem without breaking forwarding on the other servers? Thanks
Hi all, I am using an app called Murex. I am admin on the environment but I can't see the Sharing (permissions) column on this app. On all other apps I can see the permissions, but not on this one. Any ideas, anyone? For example, in another app with the same user:
In the above image I couldn't access the date input. It's actually a client server; as a user I couldn't access it. Please let me know how to enable the input field so that the user can access it. Thank you, Veeru
Hello, this is regarding https://splunkbase.splunk.com/app/4283/#/details. Can someone please advise how to configure the auto cache update? Where in ES should I enable "Cache auto update" and whatever has been mentioned in the steps below?
My data is like this (for illustration purposes only):

LocalIp      aip
10.10.10.1   192.168.1.1
10.10.10.2   172.58.100.41
10.10.12.3   8.8.8.8
192.168.3.1  8.8.8.8

I am trying to search for any hits where LocalIP contains the aip address. In this example there is one hit. This is what I have, but I'm stuck at trying "contains":

| eval result=if(like(LocalIP, "%".aip."%"),"Match","")