All Topics

Hi, I'm using the Splunk App for VMware version 3.4.5 and facing an issue with the Virtual Machine Snapshot dashboard. There are only some of the snapshots listed. So I'm missing snapshots for most of my virtual machines. If I expand the time range (e.g. 7 Days) there are still not all snapshots listed. Is someone dealing with the same problem? Best, Sebastian
I am trying to make an overview with different counts. The message always starts with: logger="blahblah-main.Start*" Some will go in error and then they will appear with: logger="blahblah.Exception" The difficult thing is that I want the unique IDs, so some messages will have a retry in both loggers. I tried to use dedup but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....
search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" | dedup message.MessagId | dedup message.BusinessId | chart count by logger
Hi Guys, Can anyone please help me with line breaking for the below JSON log:
{ "totalSize" : 473, "done" : true, "records" : [ { "attributes" : { "type" : "SetupAuditTrail", "url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0" }, "Action" : "deactivateduser", "CreatedByContext" : null, "CreatedById" : "0052v00000", "CreatedByIssuer" : null, "CreatedDate" : "2020-05-18T03:35:57.000+0000", "DelegateUser" : null, "Display" : "Deactivated user xyz", "Id" : "0Ym2j0000012ACtCAM", "Section" : "Manage Users", "ResponsibleNamespacePrefix" : null }, { "attributes" : { "type" : "SetupAuditTrail", "url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0Ym2j00000" }, "Action" : "changedUserEmailVerifiedStatusVerified", "CreatedByContext" : null, "CreatedById" : "0052v00000", "CreatedByIssuer" : null, "CreatedDate" : "2020-05-18T05:51:45.000+0000", "DelegateUser" : null, "Display" : "For user xyz@xyz.com, the User Verified Email status changed to verified", "Id" : "0Ym2j00000", "Section" : "Manage Users", "ResponsibleNamespacePrefix" : null }, { "attributes" : { "type" : "SetupAuditTrail", "url" : "/services/data/v48.0/sobjects/SetupAuditTrail/0Ym2j00" }, "Action" : "changeApplicationContactEmail", "CreatedByContext" : null, "CreatedById" : "00000", "CreatedByIssuer" : null, "CreatedDate" : "2020-05-18T06:08:08.000+0000", "DelegateUser" : null, "Display" : "Changed Connected App Contact Email from none to xyz@xyz.com", "Id" : "0Ym2j0", "Section" : "Application", "ResponsibleNamespacePrefix" : null }, {
How can I customize and style my Navigation Bar to move it from the top to the left, with a Hamburger option to expand and see the navigation views and with an option to collapse it? What I mean is: Click on the Hamburger Icon, the nav bar slides in from the left to right. Click on the Collapse button, the nav bar slides back in from right to left. Is there a model using JavaScript & CSS to achieve this? - I couldn't find any in the community.
Hi, I am having some problem understanding the usage of "(?msi)" with the rex command, please help me regarding that?
Hello Splunk TEAM, I have a question. I have this data:
But When I Download this data from the Rest API with JSON format and sourcetype _JSON I got all the events in one event. I need to break this event in multiple events and extract the fields.
I try to use this:
props.conf
pulldown_type = true
LINE_BREAKER = (},{)
KV_MODE = none
category = Structured
SHOULD_LINEMERGE = false
And the data breaks correctly with (},{) but not one value is extracted to a field. And when I try to extract data from the events I can't, because it never passes when I check the regular expression and click on the event which I need to extract, after that it looks stuck. I try to use INDEXED_EXTRACTIONS = json but nothing works. Please, I need a hand!!
I am unable to whitelist input, I do not understand why. My Splunk is ingesting data from a c-icap server logfile and I only want to keep these logs (the ones with Anti-Virus hits). Here is my inputs.conf file:
[monitor:///var/log/c-icap/server.log]
disabled = false
sourcetype = c-icap
whitelist= Message = ".*DEBUG.*Clamd.*FOUND.*"
This is the type of log I want to allow into Splunk. My regex works fine, I have tested it; it is unclear what key/field name I should be using. I also tried "Event" instead of "Message" without success:
Wed Jun 3 17:04:06 2020, 24488/1744570112, squidclamav.c(861) squidclamav_end_of_data_handler: Wed Jun 3 17:04:06 2020, 24488/1744570112, DEBUG received from Clamd: stream: Win.Trojan.Powershell-7007230-0 FOUND
PS: I am using the free version of Splunk.
I have added Splunk mint SDK 5.2.7 into our mobile project and tried to submit a build to the iOS App Store, but it's throwing an error: ITMS-90809: Deprecated API Usage - New apps that use UIWebView are no longer accepted. Instead, use WKWebView for improved security and reliability.
Hi Folks, Can anyone please help in forming the query for internal Splunk components up and downtime reporting? I found a similar one, but this gives only uptime:
| rest /services/server/info
| eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S")
| eval timenow=now()
| eval daysup = round((timenow - startup_time) / 86400,0)
| eval Uptime = tostring(daysup) + " Days"
| table splunk_server LastStartupTime Uptime
I am trying to create a bubblechart based on the search below. I have tried different methods to create something similar to the edited bubblechart image below, but with no success so far. I hope someone here can possibly help me achieve this, if it is even possible? I can see that I probably would need to get the eventcodes in their own columns, and same with the count...but how?
I need to convert my SQL query into Splunk by dbx query. Could someone help me? Here is my query.
SELECT * FROM [Systems] AS D RIGHT JOIN (SELECT * FROM [Users] WHERE ProductName = 'Platform' ) AS C ON D.ComputerName = C.ComputerName
Thanks in advance
I cannot download the Splunk License from the Web support portal. It shows the error "You do not have the level of access necessary to perform the operation you requested."
I am getting error as "The external search command 'xmlkv' did not return events in descending time order, as expected" along with my search results. Dashboard functionality works as expected and search results are getting displayed. Please find the code snippet for one panel for reference and suggest. There are 6 panels altogether with different queries.
<form script="SBT.js" refresh="320">
  <label>SBT </label>
  <search id="baseSearch">
    <query> source="log.2020-05-08" | rex field=_raw "((?<LogType>(\w*))\s(?<MsgCode>(\d+))\s((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))\s(?<TimeStamp>(\d{8}\s\d{6}))\s(?<TextMsg>([\w\s.:,/()]*)))" | rex field=number "(?<Number>([\d]*))/\d" | xmlkv maxinputs=10000 | rename "SBT-type" as Mtracktype "SBT-exception-code" as MTrackECode | eval LogTimeStamp=strftime(strptime(TimeStamp,"%Y%m%d%H%M%S"),"%m/%d/%Y %H:%M:%S %p") | sort -LogTimeStamp </query>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="SBTNo" depends="$tknNoPanel$" searchWhenChanged="false">
      <label>SBT Number</label>
      <default></default>
      <change>
        <condition value="">
          <set token="SBTNo">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$tknNoPanel$">
      <title> Results </title>
      <html depends="$export_button$">
        <a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=input_CSVExport&amp;outputMode=csv">Export</a>
      </html>
      <table id="table1">
        <search base="baseSearch">
          <query> search (SBTnumber=$SBTNo$ OR Number=$SBTNo$ OR type=$SBTNo$ OR AWB=$SBTNo$) | table LogType LogTimeStamp Msg SBTtype SBTnumber </query>
          <done>
            <set token="export_sid">$job.sid$</set>
            <set token="export_button">1</set>
          </done>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Hi All, Actually I have a conflict while sending the alert. Please consider the below scenario: detecting and sending an alert whenever a server gets disconnected from the network. After the server gets connected to the network, I have configured one more alert condition for successful connection. Now I want to merge these two alerts into one alert condition like below, for example: First the server gets disconnected for 30 mins and Splunk will send the alert, and after successful reconnection an alert has to be sent to the user by using one alert condition. Can you please help me out with how I merge two alert conditions into one condition? Thanks. Kishore
Hello all, I'm having difficulties figuring out how to output 2 separate counts for 2 separate fields.
index=email spf="fail*" OR dkim="fail*" | dedup message_id | stats count BY spf, dkim
Attempting to return a single count of the unique logs that contain spf="fail" and a single count of unique logs that contain dkim="fail":
spf dkim
14 75
I would like to search for AWS non-active users, who have not logged in or using their Access Key ID for more than 60 days, but have active Access Key ID. I am very new to Splunk. Please help. Thanks.
Hi, I'm trying to upload raw SAR text files to Splunk, is it possible? Is there an add-on or other method to do this directly into Splunk? Or is the only way to use sysstat, then the add-on for Linux (on the forwarder) and the GUI for SysStat? Thanks.
Hi, In order to automate the deployment pipeline of Splunk Apps into different instances, our team has the requirement of uploading the lookups in our development environment (Splunk enterprise on-premise) to our production environment (Splunk Cloud) automatically. After reading the Splunk REST API documentation, we encountered a way to move any file from a staging area to the lookups stored in the apps as follows: https://host:mPort/services/data/lookup-table-files/{name} POST Modify a lookup table file by replacing it with a file from the upload staging area. In order to get this type of automation, is there any way to upload a file to a Splunk Cloud "staging area", or is there any possibility to upload lookup via REST API to Splunk Cloud? Thanks.
Hello, Excellent app by the way. Is there a way to change the order of the columns for the data host availability alert? Ideally, I would like to have the data_sourcetype column right next to the data_host field. Would it be possible to modify the search to accommodate that? Thanks in advance.
Splunk is 8.0.2.1. Somewhat similar to https://answers.splunk.com/answers/48050/strange-behaviour-with-count-in-stats-when-using-macros.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev My query ends in | stats count and works fine when run from Search (selecting the single value visualization). It also worked fine as a dashboard, until I turned it into a macro. Now, it shows count of 1, like it's counting the number of fields returned. Tables work just fine. Also using this app, to have dropdowns, however, panel in question is not the dropdown: https://splunkbase.splunk.com/app/3689/
Snippet from my dashboard:
<row>
  <panel id="pn03">
    <single>
      <title>Location</title>
      <search>
        <query>`getactiveuserscount(192.168.0.%)`</query>
        <earliest>-11m@m</earliest>
        <latest>now</latest>
        <refresh>2m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="height">50</option>
      <option name="rangeColors">["0xcccccc","0x53a051","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,5,10,20]</option>
      <option name="refresh.display">progressbar</option>
      <option name="useColors">1</option>
      <drilldown>
        <link target="_blank">/app/TA-myapp-it/dashboard__active_users</link>
      </drilldown>
    </single>
  </panel>
</row>
Macro:
index="main" source="C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\default_app\\bin\\Get-Active-Users.bat"
| eval Status=mvindex(split(_raw,","), 1)
| eval Status=case(Status="unsure", "Multiple User Sessions", 1=1, Status)
| search Status="unlocked"
| dedup host
| eval Username=mvindex(split(_raw,","), 0)
| eval ipaddr=mvindex(split(_raw,","), 2)
| eval IP_Address=mvindex(split(ipaddr,"."), 0). ".". mvindex(split(ipaddr,"."), 1). ".". mvindex(split(ipaddr,"."), 2). ".1"
| where like(IP_Address,"$ip$")
| stats count