Hi Splunker, I've been developing a React app for Splunk that manages users via the REST API (create/update/delete). Initially, I hardcoded the REST API URL, username, and password for development purposes. Now that the development is nearly complete, I need to make the URL dynamic. It should retrieve the REST API server URL and the currently logged-in user's information and use it in the Splunk React app. How can I achieve this?

Here is the current hardcoded code:

    const fetchAllUsers = async () => {
      try {
        const response = await axios.get('https://mymachine:8089/services/authentication/users', {
          auth: { username: 'admin', password: 'admin123' },
          headers: { 'Content-Type': 'application/xml' }
        });
      } catch (error) {
        console.error('Error fetching users:', error);
      }
    };

#restapi #createuser #react #reactapp

Thanks in advance
Might be a silly question but does anyone possibly know where I can locate lines with pointing arrows at the end? I wanted to use them to point to each panel I had to show a flow diagram of some sort.
I am using the multiselect input definition below. The issue is that it is not setting the token named "app_net_fm_entity_id" properly. The desired behavior is: if the user selects the "All" label (value=*), then the condition should detect the "*" value and set the "app_net_fm_entity_id" token to "_all". If the user selects anything other than just the "All" label, then the "app_net_fm_entity_id" token should be set to the contents of the selected values.

I am using Splunk Enterprise 9.2.1. This is a simple XML dashboard, aka classic dashboard. I am 1 month into Splunk and learning feverishly, but I surely need some help on this. I've tried using JS to get the desired behavior for this multiselect, but couldn't get that to work either.

    <input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
      <label>Nodes</label>
      <delimiter> </delimiter>
      <fieldForLabel>entity_name</fieldForLabel>
      <fieldForValue>internal_entity_id</fieldForValue>
      <search>
        <query>
          | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
          | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
          | table entity_name, internal_entity_id
          | sort entity_name
        </query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <change>
        <condition>
          <eval>len($value$) == 1</eval>
          <set token="app_net_fm_entity_id">_all</set>
        </condition>
        <condition>
          <eval>len($value$) > 1</eval>
          <set token="app_net_fm_entity_id">$value$</set>
        </condition>
      </change>
    </input>
Here is the raw text:

    com.companyname.package: stringstart e-38049e11-72b7-4968-b575-ecaa86f54e02 stringend for some.datahere with status FAILED, Yarn appId application_687987, Yarn state FINISHED, and Yarn finalStatus FAILED with root cause: samppleDatahere: com.packagenamehere: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: sjhdjksdn;

I need to list the UUID that is between stringstart and stringend.
Hello - I realize this question has been asked several times before and I've tried to implement every solution I've found, but nothing seems to be working. I simply want to update a single value visualization based on the text. If "Yes", then green, and if "No", red. I've tried using older solutions involving rangemap and changing some of the charting options, but I'm not having any luck in v9.3.0.

    | inputlookup mylookup.csv
    | search $time_tok$ $field_tok$=Y
    | stats max(Distance) AS GuideMiles
    | appendcols [| inputlookup mylookup.csv | search $month_tok$ | stats max(TargetMiles)]
    | rename max(TargetMiles) AS TargetMiles
    | eval OnTarget=case(GuideMiles>=TargetMiles,"Yes", true(), "No")
    | table OnTarget
Hello, I have events with epoch time. How can I extract the epoch time in human-readable format using props.conf? My props.conf file is provided below:

    [myprops]
    SHOULD_LINEMERGE=false
    LINE_BREAKER=([\r\n]+)
    TIME_PREFIX="timestamp":
    TIME_FORMAT=%s%3N

Sample events:

    {"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}
    {"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}
    {"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}

The extracted time should be: YYYY-mm-ddTHH:MM:SS.3N
Dear Splunkers... As I was reading about fishbuckets on the Splexicon page https://docs.splunk.com/Splexicon:Fishbucket, I saw that this page has a link "See the detailed Splunk blog topic", but that blog link is a broken link. (PS - on Splunk docs, at the bottom of the page, there is a comment input box to give feedback, but on the Splexicon page there is no feedback input box!) Many of us are aware that wiki.splunk links are broken too. Shouldn't Splunk do something about these broken links? Shouldn't Splunk do some splunking on its own.. Suggestions pls. Have a great weekend, best regards Sekar
Hello everyone, I hope you're doing well. I need assistance with integrating Splunk with Elasticsearch. My goal is to pull data from Elasticsearch and send it to Splunk for analysis. I have a few questions on how to achieve this effectively:

1. Integration Methods: Are there recommended methods for integrating Splunk with Elasticsearch?
2. Tools and Add-ons: What tools or add-ons can be used to facilitate this integration?
3. Setup and Configuration: Are there specific steps or guidelines to follow for setting up this integration correctly?
4. Examples and Guidance: Could you provide any examples or guidance on how to configure Splunk to pull data from Elasticsearch?

Any help or useful resources would be greatly appreciated. Thank you in advance for your time and assistance!
Response Code: 401
Response text:

    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <messages>
        <msg type="WARN">call not properly authenticated</msg>
      </messages>
    </response>

I am using a Splunk bearer token in my Python program via the REST API, but suddenly I got this error. I also have another program that uses the Splunk token in precisely the same way, and it works fine without the error that I get from the other program. I already tested the token and it gets 200 responses. I don't know what happened.
Hello. I have a lot of events. Each event contains a similar string \"errorDetail\":\"possible_value\". Please specify how to create a new field \"errorDetail\" and stats all possible values? (There are more than 50 kinds of errorDetail.) For example:

    \"errorDetail\":\"acctNumber\"
    \"errorDetail\":\"Message Version higher"\
    \"errorDetail\":\"email\"

Thank you.
Hello Community, On June 14, AppDynamics transitioned to Cisco Support Case Manager (SCM) for case creation and management. Since the migration, we have become aware that some customers are experiencing difficulties accessing SCM to create/view cases. We sincerely apologize for any inconvenience this may have caused and want to assure you that Cisco is working diligently to resolve these issues as quickly as possible.   As a temporary workaround, beginning Saturday, August 17th, users who have encountered errors when attempting to open cases will be able to bypass these errors and proceed with case creation. Please note that for cases created using this workaround, only the user who initiates the case will have access to view it in SCM. If you need to share the visibility of these cases with others in your organization, please ensure that they are included in the CC list when creating the case. Please note that visibility is restricted to email communications only for data privacy and security.  If you continue to experience issues with SCM, or if you have any other concerns, please do not hesitate to contact us at appd-support@cisco.com for further assistance.  Thank you for your understanding and continued partnership. 
Hello everybody, I'm working on a query that does the following:

1. Pull records, mvexpand on a field named INTEL. This is a multi-value field that could have anywhere from 1 to 11 different values.
2. Once expanded, perform a lookup using INTEL to retrieve a field WEIGHT. A weight is assigned to each INTEL value, between 1 and 5.
3. After the lookup, collapse the split records back into one record.

At first glance I figured I could do `... | mvexpand | lookup | mvcombine | nomv` but since the records are no longer identical because both INTEL and WEIGHT are different, I don't think I can use mvcombine anymore.

To visually demonstrate the issue:

    ID      INTEL
    12345   A, B, C, D

After mvexpand:

    ID      INTEL
    12345   A
    12345   B
    12345   C
    12345   D

After lookup:

    ID      INTEL   WEIGHT
    123456  A       1
    123456  B       2
    123456  C       3
    123456  D       4

Ultimately, I would like to get back to this:

    ID      INTEL     WEIGHT
    123456  A,B,C,D   1,2,3,4

Any tips?
I have a dataset to visualize my organization in Splunk. When I search for Org=CDO, I get all the direct reports under the CDO, which include positions like CSO and CIO. Under each of these positions, there are many VPs, and under each VP, there are many directors. How can I retrieve the results for the entire hierarchy under the CDO using Splunk? We have a field named Org and another field named job_title. When I search Org=CDO I get only direct reports of the CDO; there is no other value in the raw event to extract. Any help would be appreciated.
I'm trying to subtract the total number of alerts I have that send an email from the total number of alerts that are bookmarked in SSE. The only examples I found on the community used either the same index or sub-searches (neither worked in my scenario).

My query for the alerts is:

    | rest /services/saved/searches
    | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*"
    | stats count(action.email.to) AS "Count"

My query for bookmarks is:

    | sseanalytics 'bookmark'
    | where bookmark_status="successfullyImplemented"
    | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display
Hello, I have a transaction which is coming as multiple events. I can use the "| transaction" command to club them into one event.

1) I want the transaction ID extracted based on the below-highlighted (green) part.
2) Now, I want to get the transaction time based on the below-highlighted (yellow) part.

Below is the raw event log.

Thanks in advance!
Hello Splunkers!! As per the below screenshot, you can see the jobs are running fine, but events are not being collected into the summary index. Please suggest some potential reasons and fixes.

Scheduled search that pushes data to the summary index.
I want to manually add an event to an index; using collect seems to be the most straightforward method. I am asking for a method to use makeresults and eval to add field quotes like the native Aruba SNMP log format, to send in raw format to an index.

Background: We had a power outage at one of our sites. Report and alert searches look for active user Wi-Fi sessions. Because the access points were offline, when users left for the day the Wi-Fi session end log events were not sent from Aruba to Splunk, which is causing false positive alerts.

The Aruba SNMP logs look like this:

    timestamp=1723828026 notification_from_address = "172.20.0.69" notification_from_port = "34327" SNMPv2-SMI::mib-2.1.3.0 = "10679000" SNMPv2-SMI::snmpModules.1.1.4.1.0 = "1.3.6.1.4.1.14823.2.3.1.11.1.2.1219" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = "0x07e808100a0706002d0700" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = "192.168.50.54" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = "0xd8be1f2f9c1a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = "0x2462ce8053b1" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = "RAP1053a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = "2" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = "11" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = "1"

My search:

    | makeresults
    | eval timeStamp=now()
    | eval logEvent="timestamp=1723830464 notification_from_address = \"172.20.0.17\" notification_from_port = \"43015\" SNMPv2-SMI::mib-2.1.3.0 = \"2063900\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = \"0x07e8080e0d310f002d0700\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = \"192.168.50.67\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = \"0xd8be1f7d1076\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = \"0x482f6b06b171\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = \"AP7\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = \"2\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = \"10\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = \"1\""
    | collect index=aruba_snmp sourcetype=snmp_traps output_format=raw testmode=true

The search result looks like what I want, but when sent in raw format the escape backslashes are visible. How do I obscure or remove the backslashes in raw format? Thank you for any help in advance.
Hi Experts, is it possible to change the "Return to Splunk" link on the home page so that it goes to a custom URL instead of the default URL? If anyone knows how to do this, I'd appreciate the help! Thanks
Hello, there is an index named "linux" in our environment that needs to have the source universal forwarder changed to reflect a new server that is forwarding data. In other words, a server "syslog_01.server.net" was migrated to a new server "syslog_02.server.net" (not the actual domains). The index "linux", I believe, is still listening to syslog_01, and needs to be changed to syslog_02. The universal forwarder was installed on the syslog_02 server.

So I have two fairly high-level questions:

1.) How would I go about seeing the current configuration of the "linux" index (at least in terms of where it is listening)?
2.) How would I change where this index is listening?

I've inherited the Splunk environment and am still a little fuzzy on how it was originally configured (the person who set it up no longer works here), but it looks like the data path goes like this: universal forwarder > heavy forwarder server > two index servers < master server to control index servers. I believe this is a standard configuration.

The person who set up the environment left scant documentation regarding universal forwarder configuration. Apparently, universal forwarders are "Configured automatically by adding new universal forwarder server to linux_outputs or windows_outputs class" in the master server. However, in the master server (splunk_home/etc/system/local), serverclass.conf doesn't contain any data. Although, I'm not entirely sure this would be the correct config file to change. Again, I'm fairly new to this environment and not sure how to proceed. Any and all input would be appreciated. Thank you!
I really need help. I'm trying to get my panels to move from red to green based on live stats, but nothing works. I tried the UI and I'm pretty sure I got the right thing selected, but my panels won't show up red, yellow or green. Can anyone please help me out? So, I figured out that percentages don't work well with dynamic element backgrounds; how can I work around that?