All Topics
Hi all! I would like to have only the results in orange and red until August. I don't want to show the September results; however, since I am running this query in September, September automatically appears. I think the problem is the time range, but I don't know how to fix this. Help please!

This is my query:

    index=events *....* earliest=-1y@y latest=+1y@y
    | timechart span=1mon count by *...*
    | timewrap y

This is the column chart that I'm getting. Legend:

    Blue and green: results from 2020
    Orange and red: results from 2021

Thanks a lot!
Hi Team, we built a dashboard with 20+ Single Value panels. We see a difference in the font size when a large count is displayed. For example, when the result count has 5 digits the font size looks okay, but when the count is a 6-digit number the font size becomes smaller for that panel and looks odd in the dashboard. Can you suggest a way forward to address this? We use Splunk Cloud Enterprise and the latest version of Splunk.
Hello Splunker!

Sometimes my searches on the Splunk Enterprise Security search head run into the following error, mostly without any results; sometimes there are only a few results:

    [idx1, idx4 ...] Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: '/opt/splunk/var/run/searchpeers/splunksearchhead-1631016538/kvstore_s_SA-IdeRjww0FotymhlCIaS1cqkc05a_identix3UXVbINERGdyPwDBuI5US7E'.

Sometimes the searches work, sometimes they don't. There is also a "normal" Splunk search head, where the same search works all the time. If the error appears, the Incident Review also needs about

I already checked the bundle size of both search heads: the ES bundle is about 800 MB, and the "normal" search head bundle is about 1.1 GB.

    Splunk Enterprise 8.2.1
    Splunk Enterprise Security 6.6.0
    Splunk cluster with 2 sites, 8 indexers per site

I would greatly appreciate any help.
    Response time for User Identifier for fsreqid: " + fsreqid + SIDKEY + sid + " is "+responseTime

Please help us out here. For the above query we need the average response time, which is in milliseconds.
Hello everyone, I have created a Splunk form which has some HTML form inputs to update a lookup for me. To get the values from the HTML form inputs I'm using JavaScript code such as the one below:

    require([
        "splunkjs/mvc",
        "jquery",
        "splunkjs/ready!",
        "splunkjs/mvc/simplexml/ready!"
    ], function (mvc, $) {
        // the dashboard's default token model
        var tokens = mvc.Components.get("default");
        // on click, copy the HTML input value into a token the search can read
        $('#addentry').on("click", function (e) {
            var field1 = $("input[name=field1]").val();
            tokens.set("tok_add_field1", field1);
        });
    });

Once the addentry button is clicked the token is filled by the JavaScript, and a base search should run to update the value in a lookup. The problem is that after the token the search needs is filled, the search still doesn't run (it runs if I go to Edit -> Source -> Cancel).

Search:

    <search id="add_results">
      <query>| inputlookup example.csv | append [| makeresults | eval field1="$tok_add_field1$"] | outputlookup example.csv</query>
      <finalized>
        <set token="confirmation">Search executed!</set>
      </finalized>
    </search>

Could someone please tell me what is missing in my search so that it is automatically executed once the tokens are filled? Thanks a lot!

Additionally: I have noticed that once a Splunk input is filled, adding "?" to the URL, the JavaScript no longer updates the tokens. Maybe a problem with the interaction between JS and the browser.
Hi, I have a requirement where my search displays the result below and the output is stored in a CSV. Now, in another query, I am reading the CSV from the first search and trying to send an email for each field value of "email_ID" with a 20-line email body. I have tried the query below (without an email body, as I don't know how to insert a 20-line email body), but it is giving me an error. Also, please help me with how to insert a 20-line email body.

Search result:

    email_ID        Head_ID
    abc@abc.com     abc_head@abc.com
    shri@abc.com    shri_head@abc.com
    xyz@abc.com     xyz_head@abc.com

Query:

    | inputlookup email_ID.csv append=t
    | fields email_ID Head_ID
    | sendemail from="emailaddress@abc.com" to="$email_ID$" cc="$Head_ID$" subject="emailtest" sendresults=true inline=true

Query error:

    command="sendemail", {} while sending mail to:
I have a JSON-formatted output which, according to jsonlint.com, is valid JSON, but I am having problems extracting the data into relevant "fields" for indexing:

    {
      "code": null, "msg": null, "success": true, "requestId": "XXX",
      "deviceSn": "XXX", "deviceId": "XXX", "deviceType": "INVERTER", "deviceState": 1,
      "dataList": [
        { "key": "SN1", "value": "XXX", "unit": null, "name": "SN" },
        { "key": "PM1", "value": "F6", "unit": null, "name": "Product Type" },
        { "key": "SS_CY1", "value": "G99", "unit": null, "name": "Production Compliance Country" },
        { "key": "P_CURVv1", "value": "0", "unit": null, "name": "Power Curve Version" },
        { "key": "Pr1", "value": "4000", "unit": "W", "name": "Rated Power" },
        { "key": "B_PTC1", "value": "1", "unit": null, "name": "Battery Protocol" },
        { "key": "PTCv1", "value": "0001", "unit": null, "name": "Protocol Version" },
        { "key": "HCIv1", "value": "0033", "unit": null, "name": "HMI Version" },
        { "key": "DSPv1", "value": "0022", "unit": null, "name": "DSP Version" },
        { "key": "DV1", "value": "290.30", "unit": "V", "name": "DC Voltage PV1" },
        { "key": "DV2", "value": "301.60", "unit": "V", "name": "DC Voltage PV2" },
        { "key": "DV3", "value": "0.00", "unit": "V", "name": "DC Voltage PV3" },
        { "key": "DV4", "value": "0.00", "unit": "V", "name": "DC Voltage PV4" },
        { "key": "DC1", "value": "8.00", "unit": "A", "name": "DC Current PV1" },
        { "key": "DC2", "value": "7.60", "unit": "A", "name": "DC Current PV2" },
        { "key": "DC3", "value": "0.00", "unit": "A", "name": "DC Current PV3" },
        { "key": "DC4", "value": "0.00", "unit": "A", "name": "DC Current PV4" },
        { "key": "DP1", "value": "2322.40", "unit": "W", "name": "DC Power PV1" },
        { "key": "DP2", "value": "2292.16", "unit": "W", "name": "DC Power PV2" },
        { "key": "DP3", "value": "0", "unit": "W", "name": "DC Power PV3" },
        { "key": "DP4", "value": "0", "unit": "W", "name": "DC Power PV4" },
        { "key": "AV1", "value": "238.60", "unit": "V", "name": "AC Voltage R/U/A" },
        { "key": "AV2", "value": "0.00", "unit": "V", "name": "AC Voltage S/V/B" },
        { "key": "AV3", "value": "0.00", "unit": "V", "name": "AC Voltage T/W/C" },
        { "key": "AC1", "value": "12.10", "unit": "A", "name": "AC Current R/U/A" },
        { "key": "AC2", "value": "0.00", "unit": "A", "name": "AC Current S/V/B" },
        { "key": "AC3", "value": "0.00", "unit": "A", "name": "AC Current T/W/C" },
        { "key": "APo_t1", "value": "4610", "unit": "W", "name": "Total AC Output Power (Active)" },
        { "key": "PI_AC", "value": "0.00", "unit": "A", "name": "Paralleling Inverter AC Current" },
        { "key": "PI_AV", "value": "0.00", "unit": "V", "name": "Paralleling Inverter AC Voltage" },
        { "key": "PI_p", "value": "0.00", "unit": "W", "name": "Paralleling Inverter Power" },
        { "key": "PI_CTS", "value": "0", "unit": null, "name": "Paralleling Inverter CT Test Switch" },
        { "key": "A_Fo1", "value": "50.04", "unit": "Hz", "name": "AC Output Frequency R" },
        { "key": "Eydy1", "value": "7.30", "unit": "kWh", "name": "Yesterday Production" },
        { "key": "Et_ge0", "value": "891.00", "unit": "kWh", "name": "Cumulative Production (Active)" },
        { "key": "Elast_mon1", "value": "728", "unit": "kWh", "name": "Production Last Month (Active)" },
        { "key": "Etdy_ge1", "value": "8.70", "unit": "kWh", "name": "Daily Production (Active)" },
        { "key": "Emon1", "value": "86", "unit": "kWh", "name": "Monthly Production (Active)" },
        { "key": "Eyr1", "value": "891", "unit": "kWh", "name": "Yearly Production (Active)" },
        { "key": "ST_PG1", "value": "Grid connected", "unit": null, "name": "Grid Status" },
        { "key": "PG_V1", "value": "239.60", "unit": "V", "name": "Grid Voltage R/U/A" },
        { "key": "PG_C1", "value": "1.92", "unit": "A", "name": "Grid Current R/U/A" },
        { "key": "PG_Pt1", "value": "210", "unit": "W", "name": "Total Grid Power" },
        { "key": "Q_PG1", "value": "655340", "unit": "Var", "name": "Total Grid Reactive Power" },
        { "key": "PG_PF1", "value": "1.00", "unit": null, "name": "Grid Power Factor" },
        { "key": "t_gc1", "value": "271", "unit": "kWh", "name": "Cumulative Grid Feed-in" },
        { "key": "Et_pu1", "value": "752", "unit": "kWh", "name": "Cumulative Energy Purchased" },
        { "key": "t_gc_tdy1", "value": "0.00", "unit": "kWh", "name": "Daily Grid Feed-in" },
        { "key": "Etdy_pu1", "value": "0.10", "unit": "kWh", "name": "Daily Energy Purchased" },
        { "key": "P_METER0", "value": "210", "unit": "W", "name": "Meter Power" },
        { "key": "Pgc1", "value": "213", "unit": "W", "name": "Grid-tied Power" },
        { "key": "Pog1", "value": "0", "unit": "W", "name": "Purchased Power" },
        { "key": "S_PGt1", "value": "2910", "unit": "VA", "name": "Total Grid Apparent Power" },
        { "key": "E_Puse_t1", "value": "2650", "unit": "W", "name": "Total Consumption Power" },
        { "key": "Et_use1", "value": "1371", "unit": "kWh", "name": "Cumulative Consumption" },
        { "key": "Eydy_ge1", "value": "57.10", "unit": "kWh", "name": "Yesterday Consumption" },
        { "key": "Etdy_use1", "value": "8.60", "unit": "kWh", "name": "Daily Consumption" },
        { "key": "B_ST1", "value": "Charging", "unit": null, "name": "Battery Status" },
        { "key": "B_V1", "value": "51.90", "unit": "V", "name": "Battery Voltage" },
        { "key": "B_C1", "value": "28.00", "unit": "A", "name": "Battery Current" },
        { "key": "B_left_cap1", "value": "96", "unit": "%", "name": "SoC" },
        { "key": "B_HLT_EXP1", "value": "100", "unit": "%", "name": "SoH" },
        { "key": "t_cg_n1", "value": "304", "unit": "kWh", "name": "Total Charging Energy" },
        { "key": "t_dcg_n1", "value": "301", "unit": "kWh", "name": "Total Discharging Energy" },
        { "key": "ydy_cg1", "value": "6.70", "unit": "kWh", "name": "Yesterday Charging Energy" },
        { "key": "ydy_dcg1", "value": "7.20", "unit": "kWh", "name": "Yesterday Discharging Energy" },
        { "key": "Etdy_cg1", "value": "5.40", "unit": "kWh", "name": "Daily Charging Energy" },
        { "key": "Etdy_dcg1", "value": "5.20", "unit": "kWh", "name": "Daily Discharging Energy" },
        { "key": "BMS_B_V1", "value": "51.14", "unit": "V", "name": "BMS Voltage" },
        { "key": "BMS_B_C1", "value": "27.80", "unit": "A", "name": "BMS Current" },
        { "key": "BMS_B_Ccg_thd1", "value": "29.60", "unit": "A", "name": "BMS Battery Current Limiting Charging" },
        { "key": "BMS_B_Cdcg_thd1", "value": "74.00", "unit": "A", "name": "BMS Battery Current Limiting Discharging" },
        { "key": "INV_T0", "value": "52.10", "unit": "℃", "name": "Temperature- Inverter" },
        { "key": "SYSTIM1", "value": "21-09-07 12:25:19", "unit": null, "name": "System Time" },
        { "key": "MODE_E_MNG1", "value": "35", "unit": null, "name": "Energy Management Mode" },
        { "key": "AVb1", "value": "238.70", "unit": "V", "name": "Bypass AC Voltage" },
        { "key": "Pb_lo1", "value": "20", "unit": "W", "name": "Bypass Load Power" }
      ]
    }

For each key in the dataList, I'd like to parse it out into an indexable/reportable field, and, if I was really lucky, the extraction routine would use the name field from each entry, e.g.:

    "key": "DP3", "value": "0", "unit": "W", "name": "DC Power PV3"

I am reasonably comfortable with field extractions usually, and have searched various existing posts, but I don't seem to have come across a solution for this specific scenario. Any/all help really appreciated. Thanks
Can someone please help with the Splunk query for the scenario below? I want to extract the last IP address with a regular expression (regex) from an event which has one or more IP addresses:

    If the event has one IP ---> extract that IP
    If the event has more than one IP ---> extract the last IP

Thanks!
Hi All, I want to get a list of users using the Splunk API to pull the data from Splunk. Can you please guide me on how we can do that?
Hi all, I have two indexes, and I want to check whether the data from one index=a exists in the other index=b, and extract the data from the other index=a.

    index=a
    id
    1
    1
    2
    3
    3

    index=b
    id,name1,name2
    1,10,a1
    1,9,a2
    3,9,a1
    4,10,a1
    4,12,a2

I want the result:

    id,name1,name2
    1,10,a1
    1,9,a2
    3,9,a1

Does anyone have a good way to guide me? Thank you!
Hello! Is it possible to search a field value and then count it, for example first for the current week and then add the count of the same search from the week before? Something like:

    index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-14d latest=-7d
    | eval flag="count1"
    | append [search index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-7d latest=now() | eval flag="count2"]
    | stats count(eval(flag="count1")) as count1 count(eval(flag="count2")) as count2
    | eval count = count1+count2

Something in my use of earliest/latest doesn't seem to work. What am I doing wrong?
Many rules in the Splunk Security Content repo (ESCU) use the macro "read_ssa_enriched_events", but no macro with this name has been developed in the ESCU app or in Splunk Security Essentials. So many rules are not ready to deploy in a Splunk environment. I leave here an example of a rule using this macro: https://github.com/splunk/security_content/blob/develop/detections/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.yml Can someone help?
Hi, I'm trying to add a table on the right side of the dashboard, but I am not able to achieve it. Can anyone suggest? I'm not using an HTML dashboard; I'm using an XML dashboard.

Existing: (screenshot "new")
New one, expecting: (screenshot "new")
Hi, in order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary. The format of the CSV file (test.csv) is the following (this format could be changed based on the answers to this post):

    Threshold  Value
    name1      value1
    name2      value2

The only way I found to do what I want is the following query:

    | eval tempField="name1"
    | lookup test.csv Threshold as tempField OUTPUT Value as test1value

Is there any better or more efficient way of doing this? I was imagining something like the line below, but I didn't manage to make it work:

    | lookup test.csv Threshold as "name1" OUTPUT Value as test1value

Thanks!
Hello everyone! I'm struggling to find a way to add a value (for example 1) to a field value in case a certain field exists. Let's say this certain field is fieldx and it only exists and has a value when you specifically block a port. After you've unblocked it, the field disappears.

What I'm currently looking at is the max value of a field (for example the highest destination port number), so I go:

    index=firewall destport=* | stats max(destport) as max_port

Now I have my highest destination port; let's say it's 65000.

What I'm now trying to accomplish is that, if this port is currently blocked and fieldx=blocked appears, I want to add 1 to the max_port value -> 65001, and otherwise leave it be. I've tried an eval if like this:

    | eval maxport=if(isnotnull(fieldx),max_port+1,max_port)

but it doesn't work. Do I have something wrong?

PS: in reality I don't know what the value of fieldx is, so I can't just do if(fieldx==blocked,...). But since the field only appears if there is a value in it to begin with, I would use that to my advantage.

Also, is it possible to add the +1 only for a certain period of time? For example, add +1 to the value as long as it is within a two-week frame?
Hello All, I have several alerts which send email notifications. I know it might be very basic, but I need your help. One alert is to report whether a local host has accessed a blacklisted IP, so I expect to have a table with: Src, Dest, Port. The search returns a table, but I do not understand why it attaches a line-chart diagram! I want it as a static table. In the Visualization tab, it does not show me a static table. I even tried to create a new alert without even going to the Visualization tab, but I got the same result. I have even changed the search and used table instead of stats. Please advise. Thank you
Hello, I have a question. I need fewer values:

    | stats count list(filename) as filename by user

When I use this, it returns 100 values. I need fewer values, 10-20 values.
Hi, I have to get the % of 2 and 3 values in the same field.

    Status   count
    True     200
    False    50
    Error    10
    exc      5
    temp     6
    Total    271

I need to get True% as (True+Error)/Total*100 and False% as (False+exc+temp)/Total*100. Please help me with the solution.
https://community.splunk.com/t5/Splunk-Search/Why-am-I-only-getting-a-maximum-of-100-events-returned-through-a/m-p/207639/thread-id/60523

In my case, even after setting the setCount to 0, I am unable to read it via ResultsReaderJson (is it possible that ResultsReaderJson reads only the first 100 entries?). I have confirmed that the stream contains all entries by printing it:

    String result = IOUtils.toString(stream, StandardCharsets.UTF_8);
    System.out.println(result);