Hi everyone, I’m working on a dashboard in Dashboard Studio and need some guidance on exporting it as a PDF. Specifically, I would like to know how to split a multi-panel dashboard into several pages when downloading it as a PDF. Is there a way to configure the layout or settings to achieve this? Any tips or best practices for organizing content in Dashboard Studio to ensure each section appears on a separate PDF page would be greatly appreciated! Thanks in advance for your help!
Using Windows 10, I installed Splunk onto the drive folder itself (not the drive where Windows was installed) and then I wasn't able to access the drive. Properties showed it had 0 storage and the default name of the drive in "My PC" was NTFS drive or something. I could not find the uninstall button in the apps settings, nor could I find any services related to Splunk in Windows services or Task Manager. I couldn't use the Splunk application itself either. Couldn't find a Splunk folder in the C drive either. I tried to run

    chkdsk X: /f /r

in CMD and I got the error "Chkdsk cannot dismount the volume because it is a system drive or there is an active paging file on it". I couldn't format the drive because it said it was in use. I ended up booting into safe mode and formatted the drive there, which has solved all my issues, but does anyone know what the issue was?
Here is a really simple dashboard:

    <form version="1.1" theme="light">
      <label>Simple input</label>
      <fieldset submitButton="false">
        <input type="text" token="text_tok" searchWhenChanged="true">
          <label></label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <search>
              <query>| makeresults | eval INPUT = if(len("$text_tok$") &gt;0, "$text_tok$", "(none)")</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
      </row>
    </form>

Its function is really simple: when nothing is entered into the text input, display something like

    INPUT    _time
    (none)   2024-09-28 17:33:54

Indeed, when I click the magnifying glass ("Open in search"), that's what I get. If any string is entered, that string will be displayed. For example, if a single letter "a" is entered, it should display

    INPUT    _time
    a        2024-09-28 17:31:31

Just as well, "Open in search" gives this output. However, no matter what is entered or not entered, the dashboard panel always says "Search did not return any events."

The test is done in Splunk 9.3.0.
I have a KPI alert using an ad hoc search which outputs custom fields, and then a custom alert action is configured on the Notable Event Aggregation Policy (NEAP) action rules, which trigger the action on the KPI notable event. alert_actions.conf has all the params defined. But $results.fieldname$ is always blank in the script. results_file only has ITSI/KPI-specific fields but does not have the custom fields. How
Hi All,

I am using Office 365. I have an Office 365 unified group and users are getting removed from this Office 365 group automatically every day. I want to get the data on who has removed or added the users to this group. When I use the below query, I am not getting any output; please guide me. Let's say my group name is MyGroup1 and its email address is MyGroup1@contoso.com.

    sourcetype=o365:management:activity (Operation="*group*") unifiedgroup="*MyGroup1*"
    | rename ModifiedProperties{}.NewValue AS ModAdd
    | rename ModifiedProperties{}.OldValue AS ModRem
    | rename UserId AS "Actioned By"
    | rename Operation AS "Action"
    | rename ObjectId AS "Member"
    | rename TargetUserOrGroupName as modifiedUser
    | table _time, ModAdd, ModRem, "Action", Member, "Actioned By" "modifiedUser"
    | stats dc values("modifiedUser") by Action "Actioned By"
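The membership-change audit the post above is after, as an added Python example that is not the poster's query or data: it walks a handful of constructed o365:management:activity-style records, keeps only the add/remove-member operations for one group, and reports who did what. The field names (Operation, UserId, ObjectId, ModifiedProperties, TargetUserOrGroupName) are the ones the post uses; the exact record shape, the operation strings and the sample values are assumptions made for the example. The first thing to check against real data is that the Operation values and the group-name property match what this code expects, since a wildcard like `*group*` also matches operations that are not membership changes.

```python
import json
from collections import defaultdict

# Constructed sample events (assumed shape of Azure AD audit records as delivered
# by the O365 Management Activity API; not data from any real tenant).
SAMPLE_EVENTS = [
    json.dumps({
        "CreationTime": "2024-09-30T02:00:11",
        "Operation": "Add member to group.",
        "UserId": "admin@contoso.com",
        "ObjectId": "alice@contoso.com",
        "ModifiedProperties": [
            {"Name": "Group.DisplayName", "NewValue": "MyGroup1", "OldValue": ""},
            {"Name": "Group.ObjectID", "NewValue": "11111111-2222-3333-4444-555555555555", "OldValue": ""},
        ],
    }),
    json.dumps({
        "CreationTime": "2024-09-30T03:15:42",
        "Operation": "Remove member from group.",
        "UserId": "ServicePrincipal_sync-job@contoso.com",
        "ObjectId": "bob@contoso.com",
        "ModifiedProperties": [
            {"Name": "Group.DisplayName", "NewValue": "", "OldValue": "MyGroup1"},
        ],
    }),
    json.dumps({  # membership change on a different group: must be ignored
        "CreationTime": "2024-09-30T03:20:00",
        "Operation": "Remove member from group.",
        "UserId": "admin@contoso.com",
        "ObjectId": "carol@contoso.com",
        "ModifiedProperties": [
            {"Name": "Group.DisplayName", "NewValue": "", "OldValue": "OtherGroup"},
        ],
    }),
    json.dumps({  # matches "*group*" but is not a membership change: must be ignored
        "CreationTime": "2024-09-30T04:00:00",
        "Operation": "Update group.",
        "UserId": "admin@contoso.com",
        "ObjectId": "MyGroup1",
        "ModifiedProperties": [
            {"Name": "Group.DisplayName", "NewValue": "MyGroup1", "OldValue": "MyGroup1"},
        ],
    }),
]

# Only these operations change membership (assumed operation strings).
MEMBERSHIP_OPS = {
    "Add member to group.": "added",
    "Remove member from group.": "removed",
}


def group_display_name(event):
    """Return the group name recorded in ModifiedProperties, or "" if absent.

    An add event carries the name in NewValue, a remove event in OldValue.
    """
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "Group.DisplayName":
            return prop.get("NewValue") or prop.get("OldValue") or ""
    return ""


def membership_changes(raw_events, group):
    """Return [{time, action, actor, member}] for membership changes on *group*."""
    changes = []
    for raw in raw_events:
        event = json.loads(raw)
        action = MEMBERSHIP_OPS.get(event.get("Operation"))
        if action is None or group_display_name(event) != group:
            continue
        changes.append({
            "time": event.get("CreationTime", ""),
            "action": action,
            "actor": event.get("UserId", ""),
            # ObjectId is the affected user here; fall back to the Exchange-style field.
            "member": event.get("ObjectId") or event.get("TargetUserOrGroupName", ""),
        })
    return changes


def summarise_by_actor(changes):
    """Group the members each actor added or removed: {actor: {added: [...], removed: [...]}}."""
    summary = defaultdict(lambda: {"added": [], "removed": []})
    for change in changes:
        summary[change["actor"]][change["action"]].append(change["member"])
    return dict(summary)


if __name__ == "__main__":
    for actor, acts in summarise_by_actor(membership_changes(SAMPLE_EVENTS, "MyGroup1")).items():
        print(f"{actor}: added={acts['added']} removed={acts['removed']}")
```

Splitting the work into "filter to membership operations on this group" and "summarise by actor" mirrors the two halves of the posted SPL (the base search, then `stats ... by Action "Actioned By"`), which makes it easy to confirm in isolation whether the filter or the aggregation is the step that drops everything.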
I was working with data models and I came across something strange about them when they are accelerated vs. when they are not.

I created 2 data models, TestAccelerated and TestNotAccelerated. They are a copy of each other with a few differences: the name/id, and one is accelerated and the other is not.

When I run a query to get the count of "MyValue" inside of field "MyID", I get different results. The accelerated data model returns fewer records, with a different grouping of _time than the non-accelerated data model.

I'm curious if anyone knows what the search difference really is between accelerated and non-accelerated data models. The count ends up being the same, so there's no issue finding out the count of "MyValue". I see an issue if we are piping the output into a different command that uses the rows for information and not the count in each row, such as `| geostats`.

Query to a non-accelerated data model:

Query to an accelerated data model:
Hi,

I'm having a hard time trying to narrow down my search results. I would like to return only the results that contain the following string in the message:

    "progress":"COMPLETED","subtopics":"COMPLETED"

The text must be all together, in the sequence above. I tried to add a string like the one below in my search, but it didn't work:

    message="*\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"*"

Does anyone have suggestions on how to do that? I appreciate any help you can provide.
My linux_audit logs increased after updating apps and are causing the license manager to go over the limit. Does anyone know a fix for this? I have looked for the stanzas on the backend but am not able to find out where these logs are coming from.
I would like to compare specific response status stats vertically and not horizontally, so that the values line up and do not rely on the appendcols command.

My search:

    | multisearch
        [search NOT status IN (200, 203, 204, 302, 201, 202, 206, 301, 304, 404, 500, 400, 401, 403, 502, 504) earliest=-4h@m latest=@m | eval date="Today"]
        [search NOT status IN (200, 203, 204, 302, 201, 202, 206, 301, 304, 404, 500, 400, 401, 403, 502, 504) earliest=-4h@m-1w latest=@m-1w | eval date="LastWeek"]
    | timechart span=1d count by status

Example display of current results:

Desired results:

    Status   Today   LastWeek
    412      1       0
    413      1       0
    415      0       1
    418      0       2
    422      6       7
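The "vertical" layout the post asks for, as an added Python example that is not the poster's search: it counts the non-expected status codes in each time window and then lays the counts out keyed on the status value, with a 0 wherever a status occurred in one window but not the other. That zero-fill on the shared key is exactly what `appendcols` does not give you, since it pairs rows by position. The sample status codes are constructed; the list of expected codes is the one from the posted search.

```python
from collections import Counter

# Status codes the poster's search excludes; anything else counts as unexpected.
EXPECTED_STATUSES = {200, 201, 202, 203, 204, 206, 301, 302, 304,
                     400, 401, 403, 404, 500, 502, 504}

# Constructed sample status codes for the two windows (not real traffic).
SAMPLE_WINDOWS = {
    "Today":    [200, 412, 413, 200, 422, 422, 422, 422, 422, 422, 404],
    "LastWeek": [415, 418, 418, 422, 422, 422, 422, 422, 422, 422, 200],
}


def unexpected_status_table(windows, expected=EXPECTED_STATUSES):
    """Count unexpected statuses per window and lay them out vertically.

    windows maps a column label ("Today", "LastWeek") to the status codes seen in
    that window. Returns (header, rows) with one row per status seen in *any*
    window and a 0 for windows where that status did not occur, so the columns
    line up on the status value rather than on row position.
    """
    labels = list(windows)
    counts = {
        label: Counter(code for code in codes if code not in expected)
        for label, codes in windows.items()
    }
    statuses = sorted(set().union(*(c.keys() for c in counts.values())))
    header = ("Status", *labels)
    rows = [(status, *(counts[label][status] for label in labels)) for status in statuses]
    return header, rows


def format_table(header, rows):
    """Render the table as tab-separated text for a quick look."""
    lines = ["\t".join(map(str, header))]
    lines.extend("\t".join(map(str, row)) for row in rows)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(*unexpected_status_table(SAMPLE_WINDOWS)))
```

The function takes any number of windows, so a third column (say, two weeks ago) is just another entry in the dictionary; the union-of-keys step is what keeps every column aligned however many there are.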
The default value of the product selection should be 'latest'. The token for the default value is determined by a hidden search for the latest product. This is dependent on the selected device. If the device selection changes, the product selection should revert to the default value, which is the latest product ID for the newly selected device. Currently, setting the latest product ID upon device change is not functioning. How can I resolve this issue?

    <search id="base_search">
      <query>
        | mpreview index="my_index"
        | search key IN $token_device$
      </query>
      <earliest>$token_time.earliest$</earliest>
      <latest>$token_time.latest$</latest>
      <refresh>300</refresh>
    </search>

    <input id="select_device" type="dropdown" token="token_device" searchWhenChanged="true">
      <label>Device</label>
      <selectFirstChoice>true</selectFirstChoice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <search>
        <query>
          | mpreview index="my_index"
          | stats count by key
          | fields key
          | lookup device-mapping.csv ...
          | fields key full_name
        </query>
      </search>
      <fieldForLabel>full_name</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <delimiter>,</delimiter>
      <change>
        <unset token="token_product"></unset>
        <unset token="form.token_product"></unset>
      </change>
    </input>

    <search>
      <query>
        | mpreview index="my_index"
        | search key IN $token_device$
        | stats latest(_time) as latest_time by product_id
        | sort -latest_time
        | head 1
        | fields product_id
      </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <done>
        <condition match="$job.resultCount$ != 0">
          <set token="latest_product_id">$result.product_id$</set>
        </condition>
        <condition match="$job.resultCount$ == 0">
          <set token="latest_product_id">*</set>
        </condition>
      </done>
    </search>

    <input id="select_product" type="multiselect" token="token_product" searchWhenChanged="true">
      <label>Product</label>
      <default>$latest_product_id$</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <choice value="*">All</choice>
      <search base="base_search">
        <query>
          | stats latest(_time) as latest_time by product_id
          | eventstats max(latest_time) as max_time
          | eval label=if(latest_time == max_time, "latest", product_id)
          | sort - latest_time
          | fields label, product_id
        </query>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>product_id</fieldForValue>
      <delimiter>,</delimiter>
      <change>
        <condition label="All">
          <set token="token_product">("*") AND product_id != "LoremIpsum"</set>
        </condition>
      </change>
    </input>
Hi,

Is it possible to convert the enterprise command line

    bin/splunk btool limits list --app=MX.3_MONITORING_v3 --debug

to a REST command to be run from SPL in the cloud, please?

Thanks in advance
Hello, I am confused about the "Expires" setting when creating an alert. I have my alert scheduled every day and Expires = 24 hours. Does that mean that after 24 hours the alert will NOT run any more? Thank you.
Is there a native way to run scripts in a pwsh.exe-managed environment? It's not mentioned in the docs, so I believe not: https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Inputsconf

We all know there is [powershell://<name>] in inputs.conf to run "classic" PowerShell scripts. Actually, it runs the script in the "classic" PowerShell environment. Depending on which Windows version/build the Universal Forwarder is installed on, it will be a PS version up to 5.1 (which is managed by the powershell.exe binary, btw). But now we have a brand-new PowerShell Core (managed by a different binary: pwsh.exe). PowerShell Core has new features not available in "classic" PowerShell, and they're not 100% compatible. Additionally, PowerShell Core is platform agnostic, so we can install it on Linux and run PowerShell Core based scripts there (don't ask me why anyone would do that, but it's possible).

Currently I'm running PowerShell Core scripts by starting a batch script in the cmd environment; then cmd starts pwsh.exe with a defined parameter to run my PowerShell Core based script. Not elegant at all.
I would also like to check my .crt certificates from my own Microsoft CA, is that possible?
Hello, Friends! So, I tried to change the height of the gap between these components:  But in the Edit Dashboard I didn't find anything to change this: Thank you, guys
My Splunk has a problem: some jobs have a status of done, but they only expire and disappear 100 days later. This causes reduced performance. I had to manually delete jobs in the web interface, but this took a lot of time, because in just a month there are up to 12000 jobs with done status. Is there any way I can configure jobs to expire 10 days after entering the done status? Thanks
The add-on worked fine until the upgrade to 9.3.1; exports to Azure are now halted with an error message:

    CRITICAL Could not connect to Azure Blob: NameError("name 'BlobServiceClient' is not defined")

We've deployed the latest 2.4.0 version available from Splunkbase.
Hi Team,

I am looking to create a Splunk app in which, on the setup page, there will be a dropdown that asks the user to select a Splunk index. With that index I want to update my savedsearches.conf, which I am using to trigger an alert. I have created this page like so:

    <form version="1.1" theme="light">
      <label>App Setup</label>
      <fieldset submitButton="true">
        <input type="dropdown" token="selected_index" searchWhenChanged="true">
          <label>Select Index</label>
          <search>
            <query>| eventcount summarize=false index=* | dedup index | table index</query>
          </search>
          <default>ibm_defender</default>
          <fieldForLabel>index</fieldForLabel>
          <fieldForValue>index</fieldForValue>
        </input>
      </fieldset>
      <!-- Button Row -->
      <row>
        <button label="Submit">
          <set token="form_submit">1</set>
          <redirect>
            <uri>/app/ibm_storage_defender/ibm_storage_defender_events</uri>
          </redirect>
        </button>
      </row>
    </form>

But here the submit button is not working; the setup page stays there, and on reload it is working. Also, is my approach correct? In my savedsearches.conf I have configured the query like this:

    #search = index="$selected_index$" source=mp-defender message="Potential threat detected" | eval rule_title="High severity alert for Potential threat events", urgency="High"

Please also suggest if there is a better option for this.
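The step the post above wants a setup page to perform, as an added Python example that is not the poster's app: take the selected index name, refuse anything that is not a plausible index name, substitute it into the alert search, and render the savedsearches.conf stanza. The check matters because the index name ends up inside a quoted SPL string; a value such as `main" OR index="*` would widen the search to every index rather than produce an error. The index-name pattern is an assumption based on the documented indexes.conf naming rule (lowercase letters, digits, underscore and hyphen, not starting with underscore or hyphen); the stanza name, schedule and trigger threshold are placeholders chosen for the example.

```python
import configparser
import re
from io import StringIO

# Assumed index-name rule (indexes.conf naming constraint); tighten or relax to
# match your own naming convention, but never accept quotes, spaces or pipes.
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

# Search text from the post, with the index to be filled in after validation.
ALERT_SEARCH_TEMPLATE = (
    'index="{index}" source=mp-defender message="Potential threat detected" '
    '| eval rule_title="High severity alert for Potential threat events", urgency="High"'
)


def validate_index_name(name):
    """Return *name* unchanged if it is a plausible index name, else raise ValueError."""
    if not isinstance(name, str) or not INDEX_NAME_RE.match(name):
        raise ValueError(f"refusing to write index name into a search: {name!r}")
    return name


def build_alert_search(index):
    """Render the alert search with the (validated) selected index substituted."""
    return ALERT_SEARCH_TEMPLATE.format(index=validate_index_name(index))


def render_savedsearches_conf(stanza, index):
    """Render the savedsearches.conf text for one scheduled alert on *index*.

    The schedule and trigger settings below are placeholders for the example.
    """
    conf = configparser.RawConfigParser()
    conf.optionxform = str  # keep key case (enableSched, cron_schedule) as Splunk expects
    conf.add_section(stanza)
    conf.set(stanza, "search", build_alert_search(index))
    conf.set(stanza, "cron_schedule", "*/15 * * * *")
    conf.set(stanza, "enableSched", "1")
    conf.set(stanza, "alert_type", "number of events")
    conf.set(stanza, "alert_comparator", "greater than")
    conf.set(stanza, "alert_threshold", "0")
    out = StringIO()
    conf.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(render_savedsearches_conf("Potential threat detected", "ibm_defender"))
    for bad in ('main" OR index="*', "-leading-hyphen", "has space"):
        try:
            build_alert_search(bad)
        except ValueError as err:
            print("rejected:", err)
```

Validating at the point where the value leaves the UI and enters a configuration file is the cheap place to do it; once the stanza is written, the search runs with the saved search owner's permissions on whatever the string says.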
Good morning, fellow Splunkers. I have a challenge and was wondering if anyone could help me.

In some logs with multiple fields with the same label, we use eval mvindex to assign a different label to each of those fields. For example, in a log we have two fields labelled "Account Name", the first one corresponding to the computer account and the second to the user account. We use mvindex to assign labels appropriately. This works well for a known number of fields.

Now, we also have logs with groups of fields: action, module and rule:

    action: quarantine
    module: access
    rule: verified

    action: execute
    module: access
    rule: verified

    action: continue
    module: access
    rule: verified

    action: reject
    isFinal: true
    module: pdr
    rule: reject

I would like to use mvindex to label those so I can use those fields more easily. In the example above, we have four groups of those fields, therefore I would have action1, action2, etc. (same for module and rule). However, the number of groups changes. It could be one, two, three or more. Is there any way to use mvindex dynamically somehow? I imagine we would have to first evaluate the number of those fields (or groups of fields) and then use mvindex to assign different labels? Unless there is a different way to achieve our goal.

Many thanks in advance for any advice.

Kind Regards,
Mike.
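A parser for the grouped layout shown in the post above, as an added Python example that is not the poster's code: it walks the raw event line by line, starts a new group at every "action" key, and then flattens the groups into action1, module1, rule1, action2, ... for however many groups there are. Grouping by position in the raw text rather than by index into parallel multivalue fields is what keeps a key that appears in only some groups (isFinal here) attached to the right group, which is the case where index-based pairing of action/module/rule arrays goes wrong. The sample event is constructed from the layout in the post; treating "action" as the group-start key is an assumption.

```python
# Constructed sample event in the layout shown in the post: repeated "key: value"
# lines, one group per "action", with isFinal present only in the last group.
SAMPLE_EVENT = """\
action: quarantine
module: access
rule: verified

action: execute
module: access
rule: verified

action: continue
module: access
rule: verified

action: reject
isFinal: true
module: pdr
rule: reject
"""

# The key whose appearance starts a new group (assumption based on the post).
GROUP_START_KEY = "action"


def parse_groups(raw, group_start=GROUP_START_KEY):
    """Split a raw event into a list of {key: value} dicts, one per group.

    A new group begins whenever *group_start* is seen (or at the first key if
    the event does not start with it). Keys seen before any group-start key
    are collected into a leading group rather than dropped.
    """
    groups = []
    current = None
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == group_start or current is None:
            current = {}
            groups.append(current)
        current[key] = value
    return groups


def numbered_fields(groups):
    """Flatten groups into action1, module1, ..., actionN, moduleN, ... fields.

    Optional keys (like isFinal) only produce a numbered field for the groups
    that actually contain them, so isFinal4 exists but isFinal1 does not.
    """
    flat = {}
    for position, group in enumerate(groups, start=1):
        for key, value in group.items():
            flat[f"{key}{position}"] = value
    return flat


def group_count(raw, group_start=GROUP_START_KEY):
    """Number of groups in the event; the equivalent of mvcount(action) on clean data."""
    return len(parse_groups(raw, group_start))


if __name__ == "__main__":
    for name, value in sorted(numbered_fields(parse_groups(SAMPLE_EVENT)).items()):
        print(f"{name} = {value}")
```

The same two functions handle one group or twenty, and a different log family only needs a different group-start key; the per-group dicts are also a better shape than numbered fields if the downstream consumer can take structured output (a JSON array of objects, say) instead of flat field names.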