Hi - From one button, I am looking to launch a URL (working) and reset a token "comment_token" to * with JavaScript (not working). Any help would be wonderful, please.

XML:

    <form theme="dark" script="someJsCode.js">
      <input type="text" token="comment_token" searchWhenChanged="true">
        <label>Comment</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <html>
        <style>.btn-primary { margin: 5px 10px 5px 0; }</style>
        <a href="http://$mte_machine$:4444/executeScript/envMonitoring@@qcst_processingScriptsChecks.sh/-updateComment/$runid_token$/$script_token$/$npid_token$/%22$comment_token$%22" id="buttonId" target="_blank" class="btn btn-primary" style="height:25px;width:250px;">Submit</a>
      </html>

JavaScript:

    require([
      'jquery',
      'splunkjs/mvc',
      'splunkjs/mvc/simplexml/ready!'
    ], function ($, mvc) {
      var tokens = mvc.Components.get("default");
      $('#buttonId').on("click", function (e) {
        tokens.set("form.comment_token", "*");
      });
    });

I think it's this line - tokens.set("form.comment_token", "*"); - but I can't be sure.
Can you please help: how do I construct stats metrics for the below docker logs?

    ThreadID=124;ThreadIDHex=0000007c;ThreadName=[XNIO-2 task-32];Node=XXXXXX;TransID=;ConsumerSenderID=NA;URI=/getBaselinedcategorylist;ServiceName=findXXXX;TranasactionStartTime=;TransactionEndTime=2021-11-05 05:34:34.366;TotalResponseTime=;TransactionStatus=SUCCESS;Method=GET;StatusCode=200;ErrorMsg=;CaptureLocation=MicroserviceResponse;
    ThreadID=124;ThreadIDHex=0000007c;ThreadName=[XNIO-2 task-32];Node=XXXXXX;TransID=;ConsumerSenderID=NA;URI=/getBaselinedcategorylist;ServiceName=findXXXX;TranasactionStartTime=2021-11-05 05:34:34.264;TransactionEndTime=;TotalResponseTime=;TransactionStatus=;Method=GET;StatusCode=;ErrorMsg=;CaptureLocation=MicroserviceRequest;

The stats should give transaction count, transaction status, average, 90thP, URI and Method.
Hi Folks, so I have the below code but for some reason my CSS is not rendering. What am I missing?

    <dashboard>
      <label>Processing_Step_Clone_2</label>
      <row>
        <panel id="PStitle">
          <title>Processing Steps for Source$form.Source$ - $form.earliest_date$ - $form.time$</title>
          <html>
            <style>
              .dashboard-row #PStitle .dashboard-panel panel-title {
                font-size: 40px !important;
                color: #7FFF00;
              }
            </style>
          </html>
Hi all, maybe a dummy question: do I need to set up a Universal Forwarder on the Splunk server to monitor and index data? (So it's like the server is forwarding data to itself.) I tested setting up an app in etc/apps/ with the below config but it doesn't work.

inputs.conf

    [batch:///opt/splunk/temp/test_forward/*]
    move_policy = sinkhole
    disabled = 0
    index = test
    sourcetype = test
    crcSalt = test
    _TCP_ROUTING = test

outputs.conf

    [indexAndForward]
    index = false

    [tcpout]
    indexAndForward = false
    maxQueueSize = 200MB

    [tcpout:test]
    server = <server IP>:9997

Thanks
Reviewing some docs to use Splunk Cloud (trial version) with a Java app with log4j2, I need to configure an HTTP Event Collector to get a token (I did this part). But in the log4j2.xml file I need to set the token and the URL. Where or how can I get the URL? Thanks
Hi team, I have an event in Splunk that logs the employee number in each online meeting. I want to find and stats the employee number distribution and percentage. I have the below query, where the bin span is a continuous number, 100.

    <baseQuery>
    | bin empNumber span=100
    | stats count by empNumber
    | eventstats sum(count) as total
    | eval ratio%=round(count/total*100,2)
    | fields - total,empNumber
    | sort - ratio%

But now the stats requirement has changed. Because 90% of online meetings have an employee number less than 100, I want to set non-continuous bins in one query:
1) for online meetings where the employee number is less than 100, I want to set the bin value to 10
2) for online meetings where the employee number is greater than 100, I want to set the bin value to 100
And I don't want to query two times (stats by binvalue=100 first, then stats by binvalue=10 again). I want to make it happen in one query. Question: how do I change my existing query to meet this requirement?
Howdy All, I am looking for some assistance with a SEDCMD. I am trying to clean up some XmlWinEventLog:Security events, particularly the 4688 event, where we are capturing the command line for processes running. We are finding that this is causing us some ingestion woes at the moment, with some _raw event sizes being over 5kb each. So we are trying to clean up some of the normal noise in this <Data Name='CommandLine'> ...... </Data> for certain processes. These are currently being collected by the Windows TA on Universal Forwarders on each desktop, so this will be added to the local/props.conf. The first one I have looked at is something our Citrix VPN client does, which is spawn some PowerShell. The event is rather large, so I'm looking to strip out the content and replace it with some meaningful text. I have confirmed the regex works; I am just wanting advice on the actual SEDCMD. Does this appear correct?

    SEDCMD-cleanxmlcitrixcommandprocess = s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/gm /Citrix Command process/

And in the props.conf file, should this be under [source::WinEventLog:Security] or [source::XmlWinEventLog:Security], which is the current sourcetype of the event when searching on the indexer? Any assistance would be greatly appreciated.
I need general direction to upgrade from 7.x to 8.2.3 (latest). I have Splunk Ent. & ES plus many apps & TAs (multi cluster, SH cluster; AWS is where Splunk resides). I have learned that I need to upgrade from 7.x to 8.0 / 8.1 and then from 8.0 / 8.1 to 8.2.3. The question is: do I need to upgrade Python once when upgrading to 8.0 / 8.1 and then upgrade Python again when upgrading from 8.0 / 8.1 to 8.2.3? I could use any valuable advice you might have on this process as well.
Good afternoon, I'm wondering if I may be able to get a bit of help with this one as I'm struggling to achieve what I want. I would like to query my 3 servers about their hardware status, such as how much space is on the HDD etc., however I'm really struggling to get my head around how to go about achieving this. I've seen a few posts on here which refer to making changes to the input.conf file by adding perfmon, but firstly I'm not 100% sure which input.conf I should be doing this on (I'm presuming the forwarder), if this is at all the case, and secondly I'm not sure where and how this information is gleaned from. If anyone would be able to point me in the right direction to a resource that is a step by step guide (or thereabouts) I would be very grateful. TIA
Hello, can I get the searchid for the search that is triggered by a dashboard? What is the syntax to use this searchid to create an alert? Will this searchid trigger the search of the same dashboard even if the underlying search code of the dashboard changes? Thanks!
Hi, I am unable to access the web interface of a Splunk indexer server. When I try to access it using the URL https://splunkindexerservr:8000 I get a "can't reach this page" error. Thank you for your suggestions.
Hello, I have a timezone issue that I don't understand. I have two sets of indexed logs in different indexes, indexed by the same indexer. The sourcetype is the same for both. I don't explicitly modify the timezone anywhere. For the first index the _time shown is the right one (same as the one in the log itself).

Server 1 - _time OK

For the second index the _time is 1 hour behind since the daylight saving time change a few days ago. If I look at the _time field, it has the right date_hour, but it shows something different.

Server 2 - _time wrong

I checked on the servers where the logs are generated, but they are running the same (and right) timezone: CET. I am lost about this issue; any suggestions on where I should look?
When clicking on Register for Splunk Fundamentals 1 it directs me to Splunk Single-Subject Courses; some are videos with no quizzes, final exam or labs, as shown in the previous 7.xxx (from YouTube). Does that mean Fundamentals 1 isn't free anymore?
We have a multisite indexer cluster spanning 2 DCs, one on the west coast and another on the east coast. I am now working on the project to move from a single search head to a multisite search head cluster setup. I have trouble understanding what the benefit of turning off search affinity in the SHC really is. My understanding is that search affinity reduces traffic between sites because search heads only get results from indexers on their local site, meaning searches can run faster? (Ref: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Multisitesearchaffinity) However, this SHC document, https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/DeploymultisiteSHC, recommends turning search affinity off so that:

    Search heads run searches across indexers spanning all sites. If, instead, you set different search heads to different sites, the end user might notice lag time in getting some results, depending on which search head happens to run a particular search.

Well, wouldn't turning off search affinity make searches run slower if a search head gets the results it needs from an indexer at another site? It sounds to me like these 2 documents contradict each other, unless I'm missing something.
From a checkbox value, if I choose multiple sites, I would like to show a separate line chart for each site's average trackout time. Now the problem: if I choose multiple sites, it only shows one line chart combining all sites' average trackout values.

Query:

    MicronSite IN($site$) index=mtparam sourcetype=CommandTimesByArea
    | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)"
    | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h avg(command_time)

For example: from the checkbox list I choose "F10N" and "F10W", but the chart only shows one line, combining those two sites' average trackout time values. I would like to show two separate lines, one for F10N's average trackout time and another for F10W's average trackout time. Please help to suggest a solution for this issue.
Hi, I have a log file that looks like below. In the first block of logs I need to extract the x value1, and in the second block of logs I need to extract the x value2. If both values match, I need to run another query to get the output of proj_id.

Logs:

    Code=Info words=check text=Checking for messages... received \x1B[0;m job\x1B[0;x=value1 proj_id=edcbidh
    Code=Info words=check text=\x1B[0;33mwarning:  failed \x1B[0;m \x1B[0;33mduration\x1B[0;m=00.0006ms \x1B[0;33mjob\x1B[0;x=value2 \x1B[0;

Any help is appreciated. Thanks.
Configured a CloudWatch Logs input using Splunk Web with the Splunk Add-on for AWS: Create New Input -> VPC Flow Logs -> CloudWatch Logs.

Validation error:

    Value '*' at 'logGroupName' failed to satisfy constraint and Member must satisfy regular expression pattern: [\\.\\-_/#A-Za-z0-9]+"}

Even when I tried with a comma, it could not work out. So I tried with the group value "AWS/VPCFLOWLOGS":

    exceptions.ResourceNotFoundException: ResourceNotFoundException: 400 Bad Request {'__type': 'ResourceNotFoundException', 'message': 'The specified log group does not exist.'

Any solution to get the logs into Splunk?
Hi All, I need to save this editable table with its values into a KV Store. I want to click on a submit button and store it into a KV. Values in the text field are editable, which means that I could write any value and save it to the lookup. This is my XML and JS script.

XML

    <form script="dinamicTable.js">
      <init>
        <set token="read_table">*</set>
        <unset token="edit_table"></unset>
      </init>
      <label>Data Entry Test Clone</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="tok_crq_id">
          <label>CRQ ID</label>
          <fieldForLabel>number</fieldForLabel>
          <fieldForValue>number</fieldForValue>
          <search>
            <query>index=data_entry | stats count by number</query>
          </search>
        </input>
        <input type="checkbox" token="tok_operation">
          <label>Operation</label>
          <choice value="*">Add</choice>
          <change>
            <condition label="Add">
              <unset token="read_table"></unset>
              <set token="edit_table">*</set>
            </condition>
            <condition>
              <unset token="edit_table"></unset>
              <set token="read_table">*</set>
            </condition>
          </change>
          <delimiter> </delimiter>
        </input>
      </fieldset>
      <row depends="$read_table$">
        <panel>
          <table id="tableVizualization">
            <search id="number_of_events">
              <query>index=data_entry | rex field=impacted_systems mode=sed "s/\|yes\|no//g" | table number impacted_systems | makemv delim=" " impacted_systems | where number="$tok_crq_id$" | mvexpand impacted_systems | eval "Feedback"= " " | table impacted_systems Feedback | rename impacted_systems as "Impacted Systems"</query>
              <finalized>
                <set token="tok_job_sid">$job.sid$</set>
              </finalized>
              <earliest>0</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
      <row depends="$edit_table$">
        <panel>
          <title></title>
          <table>
            <search>
              <query>| loadjob $tok_job_sid$ | append [ | makeresults | eval "Impacted Systems" = "New system" | table "Impacted Systems" Feedback ]</query>
              <earliest>0</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </form>

dinamicTable.js

    require([
      'underscore',
      'jquery',
      'splunkjs/mvc',
      'splunkjs/mvc/tableview',
      'splunkjs/mvc/simplexml/ready!'
    ], function(_, $, mvc, TableView) {
      var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
          // Enable this custom cell renderer for the Impacted Systems, Feedback and Action fields
          console.log(cell)
          return _(["Impacted Systems"]).contains(cell.field) || _(["Feedback"]).contains(cell.field) || _(["Action"]).contains(cell.field);
        },
        render: function($td, $tr, cell) {
          // Replace the cell content with an editable control depending on the field
          var strCellValue = cell.value;
          console.log($td)
          if (cell.field === "Impacted Systems") {
            // cell.value is inserted into the HTML string unescaped; escape it (or build the
            // element with DOM/jQuery attribute APIs) if indexed values can contain quotes or markup
            var strHtmlInput="<input type='text' class='table-text-box' value='"+strCellValue+"'></input>";
            //Add TextBox With Specific Style
            $td.append(strHtmlInput);
          }
          if (cell.field === "Feedback") {
            var strHtmlInput="<select><option value=\"No\">No</option><option value=\"Yes\">Yes</option></select>";
            //Add Dropdown With Specific Style
            $td.append(strHtmlInput);
          }
          if (cell.field === "Action") {
            var strHtmlInput="<input type='button' class='btn btn-primary'></input>";
            //Add Button
            $td.append(strHtmlInput);
          }
        }
      });
      mvc.Components.get('tableVizualization').getVisualization(function(tableView) {
        // Add custom cell renderer, the table will re-render automatically.
        tableView.addCellRenderer(new CustomRangeRenderer());
      });
    });

Could anyone please help me? Thanks!
Hi All, I'm trying to create a table with an option to expand and collapse row data using 'custom row expansion'. I managed to apply the JS to enable row expansion but I am unable to manage text wrap on collapse. I'd like to disable text wrap and show only one line of cell data when a row is collapsed. I saw similar functionality in the Splunk Search History view but I'm not sure how to apply it in a normal table. Please can someone help me with this?

My Table:

Search History View:

xml:

    <dashboard script="expand_table.js">
      <label>Test Dashboard</label>
      <row>
        <panel>
          <table id="test_table">
            <title>Search View</title>
            <search>
              <query>index=_audit info=granted search_id=* search=* | table _time info search search_id</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
      <row>
        <panel depends="$alwaysHideCSSPanel$">
          <html>
            <style>
              #test_table th:nth-child(5), #test_table td:nth-child(5),
              #test_table th:nth-child(2), #test_table td:nth-child(2),
              #test_table th:nth-child(3), #test_table td:nth-child(3),
              #test_table th:nth-child(4), #test_table td:nth-child(4) {
                width: 25% !important;
                overflow: hidden !important;
                text-overflow: ellipsis !important;
              }
            </style>
          </html>
        </panel>
      </row>
    </dashboard>

js:

    require([
      "underscore",
      "splunkjs/mvc",
      "splunkjs/mvc/searchmanager",
      "splunkjs/mvc/tableview",
      "splunkjs/mvc/simplexml/ready!"
    ], function(_, mvc, SearchManager, TableView) {
      // Create a basic custom row expansion renderer
      var BasicRowRenderer = TableView.BaseRowExpansionRenderer.extend({
        canRender: function(rowData) {
          console.log("RowData: ", rowData);
          return true;
        },
        render: function($container, rowData) {
          // Print the rowData object to the console
          console.log("RowData: ", rowData);
          // Display some of the rowData in the expanded row
          // (rowData.values comes from the search text in _audit and is inserted as raw HTML;
          // escape it if that text can contain markup)
          $container.append('<div>' +
            '<b>rowIndex</b>: ' + rowData.rowIndex + '<br>' +
            '<b>colspan</b>: ' + rowData.colspan + '<br>' +
            '<b>fields</b>: ' + rowData.fields + '<br>' +
            '<b>values</b>: ' + rowData.values + '</div>');
        }
      });
      var tableElement = mvc.Components.getInstance("test_table");
      tableElement.getVisualization(function(tableView) {
        // Add custom row expansion renderer, the table will re-render automatically.
        tableView.addRowExpansionRenderer(new BasicRowRenderer());
      });
    });

Thank you
Hi, I'm testing the Security Essentials app with just Linux logs onboarded. Nevertheless the Content Overview shows "available content" for multiple sources, e.g. Windows. Within the Security Content dashboard, Windows content is listed as well when I select data availability "good". When I open such a Windows detection rule, the status under prerequisites is red (as expected). Why is so much content marked as available without data? Cheers