All Topics

Hello Folks,

I've tried to implement a custom timerange picker with JS but encounter some inconsistent behaviour... Indeed I have tried both to render the input with JS and to get the instance in JS and modify its settings. In the first case, I managed to modify the presets values, but the dialogOptions settings are not taken into account. In the second case, I can't change either the dialogOptions or the presets settings. See below a sample of the code:

dashboard.xml

  ...
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div id="mytimerangeview_custom"/>
    </html>
    <input id="in_timerangepicker" type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tkn_scope">
      <label>Scope</label>
      <fieldForLabel>key_text</fieldForLabel>
      <fieldForValue>key_value</fieldForValue>
      <search>
        <query>| savedsearch "Super saved search"</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  ...

and script.js

  require([
      'underscore',
      'jquery',
      'splunkjs/mvc',
      'splunkjs/mvc/timerangeview',
      'splunkjs/mvc/simplexml/ready!'
  ], function (_, $, mvc, TimeRangeView) {
      console.log("JS LOADED");

      // Get the timerangeview object of the existing input
      var timerangepicker_input = mvc.Components.get('in_timerangepicker');
      console.log(timerangepicker_input);

      // Show the Presets panel, hide the Real-time and Advanced panels
      var mypresetsettings = {
          showPresets: true,
          showCustomRealTime: false,
          showCustomAdvanced: false
      };

      // Define custom preset values
      var mypresetvalues = [
          {label: 'Last 13 minutes', earliest_time: '-13m', latest_time: 'now'},
          {label: 'Last 42 minutes', earliest_time: '-42m', latest_time: 'now'}
      ];

      // Second approach: modify the settings of the existing instance
      //timerangepicker_input.settings.set('dialogOptions', mypresetsettings);
      timerangepicker_input.settings.set('presets', mypresetvalues);

      // First approach: instantiate a new view using the custom time range picker
      var mytimerange_custom = new TimeRangeView({
          id: "mytimerangeview_custom",
          managerid: "example-search",
          presets: mypresetvalues,
          dialogOptions: mypresetsettings,
          el: $("#mytimerangeview_custom")
      }).render();
  });

mytimerangeview_custom looks like: (screenshot) and in_timerangepicker looks like: (screenshot)

It goes without saying that I have tried all the possible combinations for the dialogOptions dict. Playing with the stylesheet.css allows me to hide the input section, but I would rather go with the correct approach, and more specifically the one that just gets the instance and modifies the settings (allowing me to keep the native Splunk display).

Thank you all for your help
R.
Hi, I am a beginner with Splunk and SPL. Recently I was asked to move my statistics table from Excel into Splunk to track Windows server status. Below is my brief raw data in CSV format:

systemName,Department,osVersion,patches,DiskD_total_size_TB,DiskD_free_size_TB,Lincense_end
HOST00001,A,Windows 2012 R2,KB56:KB59:KB94:KB98:KB113:KB118,41.8125,0.831054688,2023/7/25
HOST00002,A,Windows 2016,KB107KB131:KB135,40.578125,3.034179688,2023/8/2
HOST00003,X,Windows 2012 R2,KB56:KB59:KB94:KB98:KB113,41.8125,0.538085938,2020/10/15
HOST00004,X,Windows 2012 R2,KB56:KB59:KB94:KB98:KB113:KB118,41.8125,10.32324219,2022/12/25
HOST00005,X,Windows 2016,KB107KB131:KB135,41.8125,1.803710938,2023/7/25
HOST00006,A,Windows 2019,KB36:KB37:KB39:KB40:KB41,40.578125,2.682617188,2022/12/25
HOST00007,Y,Windows 2019,KB36:KB37:KB39:KB40:KB41:KN50,40.578125,6.948242188,2023/1/25
HOST00008,Y,Windows 2016,KB107KB131:KB135,41.8125,0.034179688,2023/1/25
HOST00009,Y,Windows 2016,KB107KB131,41.8125,0.034179688,2022/12/25
HOST00010,A,Windows 2016,KB107KB131:KB135,41.8125,6.631835938,2019/5/17

And I want to summarize the data into a table like this; the key is to judge whether each server has the target patch for its version deployed or not.

             Windows 2012 R2        Windows 2016           Windows 2019
Department   non-patched   KB118    non-patched   KB135    non-patched   KB41    Total
A            0             1        0             2        0             1       4
X            1             1        0             1        0             0       3
Y            0             0        1             1        0             1       3
Total        1             2        1             4        0             2       10

And another table to check whether the license duration is less than one year or not.

systemName   Department   Lincense_end   License_life < 1 year   License_expired
HOST00001    A            2023/7/25      N                       N
HOST00002    A            2023/8/2       N                       N
HOST00003    X            2020/10/15     Y                       N
HOST00004    X            2022/12/25     N                       N
HOST00005    X            2023/7/25      N                       N
HOST00006    A            2022/12/25     N                       N
HOST00007    Y            2023/1/25      N                       N
HOST00008    Y            2023/1/25      N                       N
HOST00009    Y            2022/12/25     N                       N
HOST00010    A            2019/5/17      Y                       Y

I am not familiar with SQL and SPL; could anyone provide some hints or example resources? Please help~ I can merely write an SPL to count the total of each osVersion and Dept like this, but have no idea how to divide into patched or not and join the sub-search....

index=windows sourcetype=csv Department IN ("A", "X", "Y") | stats count(osVersion) by Department patches
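As an added example (not code from the original post): the two searches below build both tables. They assume the CSV is indexed with the field names shown above (systemName, Department, osVersion, patches, Lincense_end) and use the poster's index=windows sourcetype=csv; the target patch per OS version (KB118 for 2012 R2, KB135 for 2016, KB41 for 2019) is taken from the expected output. The first search splits the colon-separated patch list and tests each host for its version's target patch; the second derives the license flags from the date.

```spl
index=windows sourcetype=csv Department IN ("A", "X", "Y")
| eval target=case(osVersion="Windows 2012 R2", "KB118", osVersion="Windows 2016", "KB135", osVersion="Windows 2019", "KB41")
| eval patch_list=split(patches, ":")
| eval status=if(isnotnull(target) AND isnotnull(mvfind(patch_list, "^".target."$")), target, "non-patched")
| eval column=osVersion." ".status
| chart count OVER Department BY column
| fillnull value=0
| addtotals fieldname=Total
| addcoltotals labelfield=Department label=Total

index=windows sourcetype=csv Department IN ("A", "X", "Y")
| eval license_epoch=strptime(Lincense_end, "%Y/%m/%d")
| eval License_expired=if(license_epoch < now(), "Y", "N")
| eval "License_life < 1 year"=if(license_epoch < relative_time(now(), "+1y"), "Y", "N")
| table systemName Department Lincense_end "License_life < 1 year" License_expired
```

Run the two searches separately. The patch test matches whole list elements, so a row whose separators are damaged (KB107KB131 in the sample data) will not be recognised as having KB131; either fix the separators in the source or relax the test to match(patches, target) if a substring match is acceptable. An expired license also counts as "less than one year", which is what the expected table shows.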
When you create notes in Splunk ES you can format the notes with tabs and carriage returns. When the note is saved and shown in a slide or expanded on the timeline, the text is all mashed together. Is there a way to retain the note formatting in the slides/timeline?
I'm wondering if it's possible to configure the Palo Alto log forwarding profile so that the PA logs are directly sent to the Splunk indexers, or if we need to follow the traditional route of Palo Alto ---> syslog server (w/ Splunk Universal Forwarder) ---> Splunk indexers.
I was trying to import Service Entities values through an ad-hoc search, however the import never completes. The search results have 1 Service and 9000 Entities associated with it. I tried a different way: simply uploading the entities alone. The upload completes, and then I try to create the service separately. I try to map entities to that service using conditions; it shows me 9000 entities matched and I save it, but again in the entities listed I am not able to see the Service tagged on these entities. I did check in the itsi_entities lookup file too. The KPIs for this service don't show up either, for some reason.
My requirement is: after entering the URL details in the text box, if the user selects the plus button (right side +) it will update the table below. Users have the option to enter a URL up to 5 times. Can anyone please suggest a solution? Below is the code I am using:

<form theme="dark">
  <label>Text Box Validation</label>
  <search>
    <query>| makeresults
| eval url="$url$"
| eval url_count=split(trim(url),",")
| rex field=url "(?&lt;url_type&gt;(https|http))" max_match=0
| eval boolValidationURLCount=case(mvcount(url_count)&lt;=5,"true",true(),"false")
| eval boolValidationURLCondition=case(url_type="https" AND url_type!="http","true",true(),"false")</query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
    <done>
      <condition match="$result.boolValidationURLCount$==&quot;true&quot; AND $result.boolValidationURLCondition$==&quot;true&quot;">
        <set token="tokValidURLs">$result.url$</set>
      </condition>
      <condition match="$result.boolValidationURLCount$==&quot;false&quot; AND $result.boolValidationURLCondition$==&quot;false&quot;">
        <set token="tokValidationError">Only up to 5 URLs allowed. URL must start with https</set>
        <unset token="tokValidURLs"></unset>
      </condition>
      <condition match="$result.boolValidationURLCount$==&quot;false&quot; AND $result.boolValidationURLCondition$==&quot;true&quot;">
        <set token="tokValidationError">Only up to 5 URLs allowed.</set>
        <unset token="tokValidURLs"></unset>
      </condition>
      <condition match="$result.boolValidationURLCount$==&quot;true&quot; AND $result.boolValidationURLCondition$==&quot;false&quot;">
        <set token="tokValidationError">URLs must start with https</set>
        <unset token="tokValidURLs"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <!-- <html> <a class="btn btn-primary" align="right" role="button" style="position:absolute; left:0.0%;">+</a> </html> -->
      <input id="splunk_input_text_url" type="text" token="url" searchWhenChanged="true">
        <label>Enter Up to 5 URLs (https ONLY)</label>
        <default>https://www.facebook.com</default>
      </input>
      <input type="link" id="buton" token="plusbutton">
        <label></label>
        <choice value="+">+</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html rejects="$tokValidURLs$">
        <style>
          #splunk_input_text_url { width: 1220px !important; }
          #buton { width: 50px !important; }
        </style>
        <div>
          <b style="color:red">$tokValidationError$.</b>
        </div>
        <div>
          Please validate input <b style="color:red">$url$</b>!!!
        </div>
      </html>
      <table depends="$tokValidURLs$">
        <title>Table with valid URLs</title>
        <search depends="$tokValidURLs$">
          <query>| makeresults
| fields - _time
| eval URL="$tokValidURLs$"
| makemv URL delim=","
| mvexpand URL
| rex field=URL "(?&lt;URL_Type&gt;(https|http))"
| table URL, URL_Type</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
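An added example, not the poster's code. The validation search in the dashboard above runs rex "(https|http)" over the whole text-box string, so the scheme is matched anywhere in the text rather than at the start of each URL, and the comparison url_type="https" on the resulting multivalue field is true as soon as any value is https. One well-formed URL therefore lets the whole entry through, and a value such as http://evil.example/https passes too. The search below validates each comma-separated URL on its own with an anchored pattern; the three sample URLs are constructed for the demonstration and would be replaced by $url$ in the dashboard.

```spl
| makeresults
| eval url="https://www.facebook.com, https://example.org ,http://evil.example/https"
| eval url_list=split(url, ",")
| eval url_list=mvmap(url_list, trim(url_list))
| eval url_list=mvfilter(url_list != "")
| eval url_count=mvcount(url_list)
| eval bad_urls=mvfilter(NOT match(url_list, "^https://[A-Za-z0-9.-]+(:[0-9]+)?(/[^\s]*)?$"))
| eval boolValidationURLCount=if(url_count <= 5, "true", "false")
| eval boolValidationURLCondition=if(isnull(bad_urls), "true", "false")
| eval url=mvjoin(url_list, ",")
| table url url_count boolValidationURLCount boolValidationURLCondition bad_urls
```

For the sample input this returns url_count=3, boolValidationURLCondition="false" and bad_urls="http://evil.example/https", and the cleaned url value (whitespace stripped) is what should be stored in tokValidURLs. mvmap requires Splunk 8.0 or later. When pasting the search into a Simple XML <query> element, the <= must be written as &lt;=, exactly as in the dashboard above.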
Hi, I am using the code below to send an email with a colour alert feature added depending on thresholds. There are two columns where I want this implemented, but it works only for one column, not both. Can someone help me with how to add more than one column and still make the colour thresholds work?

bla bla ...
| eval Column1-class=case(('Column1'<50), "alert", ('Column1'>70), "normal", ('Column1'>50 AND 'Column1'<70), "warning", true(), "N/A")
| eval Column2-class=case(('Column2'<50), "alert", ('Column2'>70), "normal", ('Column2'>50 AND 'Column2'<70), "warning", true(), "N/A")
| sendresults content_type=html subject="Monthly Report" showsubj=false msgstyle="table {font-family:Arial;font-size:12px;border: 1px solid black;padding:3px} th {background-color:#4F81BD;color:#fff;border-left: solid 1px #e9e9e9} td {border:solid 1px #e9e9e9} .alert {background-color:red;} .normal {background-color:green;} .warning {background-color:orange;}" format_columns="Column1" format_columns="Column2"

Thanks
I want to display the earliest invested amount based on type (stock, fd, mutual fund, etc.) over a month and want to keep number unique.

amount   number   type          date
100      1        Stock         2/12/2020
50       10       Stock         7/5/2020
200      2        Stock         4/15/2020
300      3        Mutual Fund   3/13/2020
400      4        Fix deposit   3/14/2020
300      5        Mutual Fund   4/01/2020
200      6        Stock         4/15/5050
660      7        Mutual Fund   5/1/2020
1000     8        Fix deposit   5/10/2020
800      9        Mutual Fund   6/20/2020

I want the output as a sum per month by asset_type. Example: stock = 300 for the month of Feb. I have tried timechart but "no results found" is displayed.
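An added example, not from the original post. timechart bins on _time, so the date column has to be parsed into _time first; otherwise each row is bucketed by the time it was indexed. The search assumes the field names of the table above (amount, number, type, date) with dates in month/day/year form; index=portfolio and sourcetype=investments are placeholders. dedup keeps the earliest record for each number, which is what "keep number unique" asks for.

```spl
index=portfolio sourcetype=investments
| eval _time=strptime(date, "%m/%d/%Y")
| where isnotnull(_time)
| dedup number sortby +_time
| eval month=strftime(_time, "%Y-%m")
| chart sum(amount) AS invested OVER month BY type
| fillnull value=0
```

Replace the last two commands with | timechart span=1mon sum(amount) BY type if a real time axis is wanted; note that the search time range still applies to the original event time, not to the parsed date, so pick a range that covers the ingest times of the rows. The row dated 4/15/5050 parses successfully and lands in its own far-future month, which is a convenient way to spot bad dates in the source.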
Hi All! I'm trying the new "Smart Outlier Detection" experiment in MLTK 5.2.0, but after selecting the data to use, the "Learning" phase gets stuck: when I click on the "Detect Outliers" button the web interface hangs. The same search, run from the search dashboard, completes relatively quickly (a few minutes). I've tried both Chrome and Firefox but I get the same result. Thanks for your support, Marco
Hi, I have log files under the path /opt/logs/*. I added them to Splunk and created an index for this path, but when I search with source="/opt/logs/*" no results are returned. When I use index="My-indexname" results are returned. Any idea? Thanks,
Hi all, I have a challenge that I have been struggling with for the past few days, and I can't find the correct solution. I have read https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513 and done pretty much exactly the same thing, but it doesn't work for me. So here are the details. I have a simple lookup CSV file (2 columns), the first one with the starting digits:

prefix,state
23401*,log1
23402*,log2
34602*,log5
....etc

I have used the GUI to create the lookup definition, but I have also double-checked transforms.conf and props.conf. It is exactly as in the example in the link. I can't make the wildcard work for me. Here is a simple search line just to illustrate:

source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" | lookup prefixlookup.csv prefix OUTPUT state | table prefix state

If I create the lookup with exact matches, it works for the match every time; however, my client requires only prefix checks, and to me WILDCARD is the only solution. Any ideas? PS. I have actually created an exact replica of the case (user, username, userlookup, etc.) in the linked example, and it still doesn't work. Have a great day!
Hi, I need to get the count of all the packages from the JSON body and display the total number of packages available for that transaction:

["143","144","172","205","241","350","364","365","385","449","486","683","764","1043","1220","1241","1287","1309","1381","1432","1456","1509","1578","1641","1727","1753","2835","3299","3309","3566","3626","3897","4127","4349","4456","4805","4835","4870","4872","4890","4954","5254","5485","5486","5487","5488","5489","5490","5491","5492","5493","5494","5495","5496"]

Log:

[2020-07-31 07:58:47,906] [INFO ] [http-nio-8080-exec-31] [txnId=1596182327895-1558302899] [clientIp=172.27.159.170] [accountNumber=] [charterId=] [sessionHashCode=] [methodPath=/services/v2/entitlements/packages/{macAddress}:GET] TxnLogging - [txnmarker=TXNEnd] [timestamp=Fri Jul 31 07:58:47 UTC 2020] [application=/lrmmiddle/] [methodPath=/services/v2/entitlements/packages/{macAddress}:GET] [duration=11] [clientIp=172.27.159.170] [entity=Response Status:200] [txnId=1596182327895-1558302899] [status=200] [responseJson={"macAddress":"3438B79C5638","blockAll":false,"packages":["143","144","172","205","241","350","364","365","385","449","486","683","764","1043","1220","1241","1287","1309","1381","1432","1456","1509","1578","1641","1727","1753","2835","3299","3309","3566","3626","3897","4127","4349","4456","4805","4835","4870","4872","4890","4954","5254","5485","5486","5487","5488","5489","5490","5491","5492","5493","5494","5495","5496"],"statusCode":null,"header":{"status":"SUCCESS","transaction":{"statusMessage":"0","returnCode":"0","returnMessage":"0","exception":null,"id":"1596182327895-1558302899","dateTime":"2020-07-31T07:58:47.906Z","duration":11,"hostname":"lrmmiddle-f56fd7d48-s2r4l"},"sourceTransaction":null}}]
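An added example, not from the original post. The JSON sits inside the bracketed [responseJson=...] pair at the end of the event, so it is cut out with rex and then handed to spath, which expands the packages array into a multivalue field that mvcount can size. index=lrmmiddle is a placeholder for wherever these events live; the search terms are taken from the event shown.

```spl
index=lrmmiddle "TxnLogging" "txnmarker=TXNEnd" "methodPath=/services/v2/entitlements/packages/{macAddress}:GET"
| rex "\[txnId=(?<txnId>[^\]]+)\]"
| rex "\[responseJson=(?<responseJson>\{.*\})\]\s*$"
| spath input=responseJson path=macAddress output=macAddress
| spath input=responseJson path=packages{} output=package
| eval package_count=coalesce(mvcount(package), 0)
| table _time txnId macAddress package_count
```

For the event above this gives package_count=54. The greedy .* in the second rex runs to the last } of the event, which is what keeps the nested "header" object intact; coalesce turns the null that mvcount returns for a response without a packages array into 0 so those transactions still appear in the table.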
Hi, I just enrolled in Splunk Fundamentals 1. I was able to install and use Splunk to perform labs as per the course. I logged back in after a week and tried to continue with my course, but now I can't log in to Splunk enterprise to do my labs. Can someone help me find the link to the labs? Thanks.
Hi, I am trying to adjust the table column width. Currently, for a few cell values, it takes a long width and I have to scroll to check all values.

Col1                                                                       col2   col3
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa                  20     40
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   45     20
Hi, I have the following simple query:

searchQuery | stats count, p50(duration), p99(duration) by uri_path

and we run it against the last 7 days to get the p99 of the response times for each uri_path. I'm trying to include another column called `p99(lastWeekDuration)`.
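An added example, not from the original post. One pass over 14 days labels each event with the week it belongs to, computes the percentiles per uri_path and week, and then folds the two weeks back into one row per uri_path so the current count and percentiles sit beside last week's p99. searchQuery stands for the poster's base search; the explicit earliest/latest override the time picker so the two windows are always complete.

```spl
searchQuery earliest=-14d@d latest=now
| eval period=if(_time >= relative_time(now(), "-7d@d"), "thisWeek", "lastWeek")
| stats count AS count p50(duration) AS p50 p99(duration) AS p99 BY uri_path period
| eval this_count=if(period="thisWeek", count, null()), this_p50=if(period="thisWeek", p50, null()), this_p99=if(period="thisWeek", p99, null()), last_p99=if(period="lastWeek", p99, null())
| stats first(this_count) AS count first(this_p50) AS "p50(duration)" first(this_p99) AS "p99(duration)" first(last_p99) AS "p99(lastWeekDuration)" BY uri_path
| eval p99_change_pct=round(100 * ('p99(duration)' - 'p99(lastWeekDuration)') / 'p99(lastWeekDuration)', 1)
```

first() skips null values, which is what lets the second stats pick the populated value from whichever period row carries it. A uri_path seen only this week gets an empty p99(lastWeekDuration) and an empty p99_change_pct rather than disappearing, which is usually the behaviour wanted for spotting new endpoints.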
Hi All, it's already been determined that alert/report modifications are not being audited in the _audit and _internal indexes. See the links below. @richgalloway can you recall the topic you gave me an answer to last week (second link below)?

https://ideas.splunk.com/ideas/E-I-49
https://community.splunk.com/t5/Alerting/Audit-changes-modifications-to-Alerts-Reports-using-REST-API/m-p/510793#M9352

Apart from keeping alert/report confs in a change management system, the only option (please correct me if I'm wrong) is to use the search below, which utilises the REST API and is going to give us 1) the time of modification, 2) the name of the alert/report in the form of a URI, which we can play with further to extract as a separate field, and 3) who did it.

index="_internal" sourcetype="splunkd_ui_access" servicesNS file!="notify" method=POST

As you can see from the above, this would pick up changes made ONLY through the GUI, but what about the CLI? If someone tampered with the savedsearches.conf file I'd like to audit those changes somewhere. Is there a straightforward way? I was thinking of a file monitor of the file in Splunk and raising an alarm when something is changed, but I can't think of how I'd write the search query for the alarm. As I am a novice to Splunk, I read an article about the diff command but found the documentation unclear and couldn't fully grasp how I should use it and whether it's appropriate for my goal here. Also I read somewhere about putting the file in version control and monitoring the changes, but I highly doubt our customer would agree to that approach (don't ask). Any suggestions would be much appreciated. Thank you in advance.
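An added example, not from the original post. Instead of auditing the edit channel (UI, CLI or editor), this scheduled search audits the result: it fingerprints every saved search as splunkd currently has it loaded, via the REST endpoint, and compares that against a baseline lookup taken earlier, reporting anything added, removed or modified. It assumes a lookup named savedsearch_baseline.csv, created once by running the first five commands (through table) followed by | outputlookup savedsearch_baseline.csv, and refreshed the same way after each approved change.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| rename title AS name, eai:acl.app AS app, eai:acl.owner AS owner
| eval fingerprint=sha256(coalesce('search', "") . "|" . coalesce(cron_schedule, "") . "|" . coalesce(disabled, "") . "|" . coalesce(actions, "") . "|" . coalesce('action.email.to', ""))
| table name app owner fingerprint updated
| eval snapshot="current"
| append [| inputlookup savedsearch_baseline.csv | eval snapshot="baseline"]
| stats dc(fingerprint) AS fp_count values(snapshot) AS seen_in values(owner) AS owner max(updated) AS last_updated BY name app
| eval change=case(fp_count > 1, "modified", mvcount(seen_in)=1 AND seen_in="current", "added", mvcount(seen_in)=1 AND seen_in="baseline", "removed", true(), "unchanged")
| where change != "unchanged"
| table change name app owner last_updated
```

The fingerprint covers the attributes an attacker would touch to silence or redirect a detection (the SPL itself, the schedule, the disabled flag, the actions and the e-mail recipients); extend the concatenation with any other attribute that matters in your environment. Two caveats: the REST endpoint reports what splunkd has loaded, not necessarily the bytes on disk at that instant, so a [monitor://] input on savedsearches.conf is still worth having to capture the write itself; and this tells you what changed but not who, which for direct file edits has to come from the operating system's own audit trail rather than from Splunk.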
I am trying to use the results of dnslookup to pivot the results to query my index.

| makeresults | eval domain="google.com" | lookup dnslookup clienthost as domain OUTPUT clientip | search index=myindex ip=clientip

The end goal would be to create a text token for a dashboard so any domain could be entered where "google.com" is. Then I want to see if the IP is in my index under the ip field.
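An added example, not from the original post. In the search above, the search command after makeresults only filters the single generated row, and ip=clientip compares the field against the literal string "clientip" rather than its value; nothing ever reads the index. Putting the lookup inside a subsearch turns the resolved address(es) into a filter for the outer search. $domain$ is assumed to be the dashboard text token; index=myindex and the field name ip are the poster's.

```spl
index=myindex
    [| makeresults
     | eval domain="$domain$"
     | lookup dnslookup clienthost AS domain OUTPUT clientip
     | where isnotnull(clientip)
     | rename clientip AS ip
     | fields ip
     | format ]
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY ip
```

format emits ip="a" OR ip="b" when the name resolves to several addresses, so round-robin records are all covered. Run the bracketed part on its own first to see the generated search string: if the name does not resolve the subsearch is empty and the outer search is unconstrained. Keep in mind that dnslookup resolves on the search head at search time, so the set of addresses can differ from what a client saw when the events were logged; for an investigation, the passive DNS data in your own logs is the better source of that mapping.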
I'll start out by saying the collection of logs from Event Hub via this add-on works fine. I am seeing events in the azure index and they seem to be coming in just fine; however, there is a significant amount of errors in splunkd.log around the TA-MS-AAD app.

Errors:

07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/etc/apps/TA-MS-AAD/bin/uamqp/async_ops/client_async.py", line 835, in _client_run_async
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" await self._connection.work_async()
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/etc/apps/TA-MS-AAD/bin/uamqp/async_ops/connection_async.py", line 139, in work_async
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" self._conn.do_work()
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/etc/apps/TA-MS-AAD/bin/uamqp/receiver.py", line 239, in _message_received
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" delivery_no=message_number)
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/etc/apps/TA-MS-AAD/bin/uamqp/message.py", line 99, in __init__
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" self._parse_message_body(message)
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" Message: 'Deallocating %r'
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" Arguments: ('ArrayValue',)
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" --- Logging error ---
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" Traceback (most recent call last):
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/lib/python3.7/logging/handlers.py", line 69, in emit
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" if self.shouldRollover(record):
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/lib/python3.7/logging/handlers.py", line 186, in shouldRollover
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" self.stream.seek(0, 2) #due to non-posix-compliant Windows feature
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" RuntimeError: reentrant call inside <_io.BufferedWriter name='/opt/splunk/var/log/splunk/ta_ms_aad_azure_event_hub.log'>
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" Call stack:
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" File "/opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py", line 4, in <module>
07-30-2020 20:22:39.836 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" import azure_event_hub_core

I can't really pin-point what the errors may be, but this is driving up the amount of logs we're ingesting significantly, to the point where it's actually affecting our licenses. Any idea?
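An added example, not from the original post: before chasing the traceback itself, it helps to know how much of the volume it accounts for and on which hosts. This search sizes the ExecProcessor errors from the add-on's script by distinct message text; component and log_level are the standard field extractions for sourcetype=splunkd, and the path fragment is taken from the lines above.

```spl
index=_internal sourcetype=splunkd component=ExecProcessor log_level=ERROR "TA-MS-AAD/bin/azure_event_hub.py"
| rex "message from \"[^\"]+\"\s*(?<detail>.*)$"
| eval detail=replace(detail, "line \d+", "line N")
| eval bytes=len(_raw)
| stats count sum(bytes) AS bytes earliest(_time) AS first_seen latest(_time) AS last_seen BY host detail
| eval mb=round(bytes / 1048576, 2)
| sort - bytes
```

Swap the stats line for | timechart span=1h sum(bytes) AS bytes BY host to see whether the noise is continuous or bursts at a particular time, which in a reentrant-logging error of this kind usually coincides with log rotation or with the input being restarted.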
I have a testing dashboard like the one below, where the user can specify the search time range:

<fieldset autoRun="true" submitButton="false">
  <input type="time" searchWhenChanged="true">
    <label>Select display time range</label>
    <default>
      <earliest>-5d</earliest>
      <latest>now</latest>
    </default>
  </input>
</fieldset>
...
<panel>
  <title>Test Table</title>
  <event>
    <search>
      <query>eventtype="test_eventtype" | fields testColumnA, testColumnB, testColumnC | table testColumnA, testColumnB, testColumnC, eventtype | sort </query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
      <refresh>30m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <fields>testColumnA, testColumnB, testColumnC</fields>
    <option name="count">10</option>
    <option name="rowNumbers">1</option>
    <option name="type">table</option>
  </event>
</panel>

The panel display and time range selection work as expected. But whenever I click on a column value link in the panel to jump to the search page, it fails with "Invalid earliest_time." The URL is:

https://test/en-US/search?q=eventtype%3D%22test_eventtype%22%......&earliest=%24earliest%24&latest=%24latest%24

which indicates the earliest and latest times are not using the actual values but '$earliest$' and '$latest$'. So, what is the right way to make this work?
Hello Splunk community, there might be some configuration issues in our environment, but I could not find anything standing out even after I turned all logging up to "DEBUG" mode. Following are the symptoms of the issue:

1. On the "New Input" left menu: I am able to pick a connection and a Catalog ("TE"), but then the "Schema" section turns red and shows "Cannot get schemas". (The user has full admin rights on the server.)
2. On the "SQL Editor": if I type in SELECT * from TE.dbo.Node and execute the query, the correct results are returned.

So it seems that on the same Splunk page the results contradict each other; can anyone help point me in the right direction on how to resolve this? The DB Connect version is 3.2.0, and I am using connection type MS-SQL Server Generic Driver (Ver. 3.0); the SQL server itself is SQL 2016. Also, please note that the same connection and user setup is able to get the other schemas on the same SQL instance without any issues; it only fails in one particular database, even after I tried restoring the troublesome DB under a different name. Thank you very much in advance.