Hi! I have a dropdown with one of the values being "Unknown", and I would like to have an option in the dropdown to show each value,  All, and also include an option to show "All except for Unknown".  Has anyone been able to do so? Thank you very much!

Hi Team,   Wanted to enable SMB server audit logs in Splunk from UF or inputs.conf etc, can anyone please help with the configuration steps or any splunk docs for reference. Thanks in advance!! Thanks, Sharada Pandilla

Hi - I have a command to clean fish buckets in a forwarder - if i want to take back in data for testing etc... cd var/lib/splunk/ rm -r fishbucket/ bin/splunk stop; cd var/lib/splunk/ ; rm -r fishbucket/ ;cd - ; rm -r var/ ; bin/splunk start But is there any way to clean fish buckets for only one source type?

We have Splunk Ent. (8.0) & ES.(6.4). What is a proper procedure to upgrade to Splunk Enterprise 8.2.2.1 to retain the settings & configurations we have done to ES (Enterprise Security)? What about Security Essentials we have installed. Any directions are much appreciated. Thanks a million.

https://docs.splunk.com/Documentation/SCS/current/Search/Comments says that we may use block comments or line comments in SPL2. When trying to learn how to count the number of objects in a JSON array returned from json_extract, I came across this post, which has an extended multiline splunk query. I wanted to see how the command worked, so I tried using both block and line comments to comment out the end of the query and replace it with a comand to view the intermediate output, e.g.     index=_internal | head 1 | fields _raw _time | eval _raw="{ \"cities\": [ { \"name\": \"London\", \"Bridges\": [ { \"name\": \"Tower Bridge\", \"length\": 801 }, { \"name\": \"Millennium Bridge\", \"length\": 1066 } ] }, { \"name\": \"Venice\", \"Bridges\": [ { \"name\": \"Rialto Bridge\", \"length\": 157 }, { \"name\": \"Bridge of Sighs\", \"length\": 36 }, { \"name\": \"Ponte della Paglia\" } ] }, { \"name\": \"San Francisco\", \"Bridges\": [ { \"name\": \"Golden Gate Bridge\", \"length\": 8981 }, { \"name\": \"Bay Bridge\", \"length\": 23556 } ] } ] }" | rename COMMENT as "the logic" | spath cities{} output=cities /* | stats count by cities | spath input=cities Bridges{} output=Bridges | mvexpand Bridges | spath input=cities name output=city | spath input=Bridges | table city name length */ | table cities     Both commenting schemes generate an error: Error in 'spath' command: Invalid argument: '/*'   This error occurs no matter which step I try to introspect.   The error is prevented by cutting the commented code out.  For now, my workaround is to keep another text editor open, and gradually copy and paste in the lines I want. This works, but it's slower than it needs to be, relative to other programming and query languages.   Key question: How can I use block or line comments to test the intermediate output of a multiline splunk query?

Hello everyone,  I have installed Splunk Stream on a distributed environment. All stream forwarders talk to the deployment server and have the "es" template applied/enabled as I use Enterprise Security. Streams are normally populated (tcp, http, dns and many more). I have added on my correlation searches a Stream Capture as an adaptive response action (a 15min capture for dest_ip). A notable event is triggered and under Adaptive Responses, I see mode:saved and status:success. When I click though on the "Stream Capture" link, I get zero results. I followed this answer  and I saw that there was already an event_type modmakestreams_results tagged as modaction_result as it was expected. My final search is like: tag=modaction_result orig_sid=scheduler__admin_REE.................... orig_rid=2 orig_action_name=makestreams I see though that the event type of interest:   source=stream:makestreams_* orig_sid=* brings no results. If I remove the orig_sid=* part I get results related to notable but not related to a stream capture. As last information, stream capture on demand is working fine and pcaps are stored in the created NFS being able to download them. Any help would be appreciated. With kind regards, Chris

Work in a large environment including Splunk Ent. & ES. Planning to upgrade from 7.x.x to 8.2.2.1. Any optimizations to perform ? Any best practices to follow? Should we upgrade the ES (Enterprise Security 6.4) before or after the Splunk Enterprise upgrade. Thanks a million for your help in advance.

Hi, I have logs coming with server names listed into it and my requirement is to the distinct count of server by assigning region to them. for example. entries are like  {"server":"abc.uk" "details": xxxx"} {"server":"abc.uk" "details": yyyy"} {"server":"xyz.uk" "details": xxxx"} {"server":"abc.us" "details": xxxx"} {"server":"xyz.us" "details": xxxx"} {"server":"xyz.us" "details": yyyy"} {"server":"abc.hk" "details": xxxx"}   so now from the above list we have 2 unique servers from UK, 2 unique servers from US and 1 from HK, so i need them to be show as per below. North America : 2 Europe : 2 Asia : 1 i have tried search as <count(eval(searchmatch("*.us*")))> AS North America but this will not give me the count of unique server

Hey all, I am starting to work with dashboards and I have a table that I would like to display that has a bunch of data on it. Unfortunately it seems like in the Dashboard Studio there isn't a really clear cut way in changing the font size for the table. I've tried a number of different things within the JSON source, but nothing I am doing seems to manipulate the font size in the table.  Is there a way to do this? I would like to reduce the font size so some longer objects appear without forcing multiple carriage returns in the row.    Thanks in advance!

I have an instance of java application running on my local machine under the URL: http://localhost:8080. Since its local instance, the java application can be seen running in the CMD, and if I perform some functionality(ex. download a file), I can see the live logs in the CMD(ex. Starting download of file... Download Completed...). I want to know if Splunk can monitor this localhost URL, and I see these live logs in the splunk enterprise application(Or website monitoring app). I have tried website monitoring app, but splunk returns a 404 for localhost. Kindly help on this issue.

Hi experts, i have below table.. how do i change background colour of the row where error Categories = Total_error_rate Error_categories                       Percentage% error_rate_Error                        0.1138498 error_rate_Warning                 0.0011737 error_rate_Critical                   0.0000000 error_rate_HTTP                       6.5950704 Total_error_rate                        6.7100939   Thank you

Hello Everyone, I am in situation where in I will send the results to one lookup file and from there again I need to take tail 2 two rows to display as a summary in my Dashboard. Below is the exact scenario.   I have a search which compares last week and this week data and produces the results something like below. Date Active  Inactive Deleted Added 10/25/2021 80 20 10 15   I need to send the results calculated in above search to one lookup file . Like that I will keep on sending  every week. It will be like below after some weeks say 3 weeks. Date Active  Inactive Deleted Added 10/25/2021 80 20 10 15 11/1/2021 78 22 8 11 11/8/2021 83 18 9 6   so above is the lookup file,  then I need to use the the created lookup as input in the same query to perform some calculations (i.e,. I need to take tail 2 and display it as summary of last 2 weeks). Tried something like below. But it didn't worked. Could someone help me on this. <search > | outputlookup  test1.csv | search inputlookup test1.csv | tail 2