All Topics

Hi All .. is there a way to add dimensions to the URL that posts into the "Search Entity Dimensions" search in the ITSI Infrastructure Overview dashboard? eg : "service_name" and "department" Ideally want to link from a dashboard into a Focused by dimensions list of entities for example: https://itsi-blah.splunkcloud.com/en-GB/app/itsi/entity_overview?countPerPage=20&earlie[…]w&page=1&refreshInterval=-1&sortTypeBy=entities_count... & <my dimensions>   
Hello, We have python upgrade readiness app installed in our on prem clustered environment and enabled. Can someone help me with the list of steps to uninstall it?     Thanks
Hi All, I am trying to create an alert via Terraform / REST API with the action "MS teams publish to channel". I could not find any documentation for the action value and other parameters required for it. Could anyone let me know the list of those parameters? Thanks, somu.
There are several vulnerabilities, some almost 5 years old, that are still present in the latest Splunk Kubernetes image version. Do we have an ETA on when will these get resolved? Here is the list CVE-2018-1000654 CVE-2018-1000879 CVE-2018-1000880 CVE-2018-1121 CVE-2018-19211 CVE-2018-19211 CVE-2018-20657 CVE-2018-20657 CVE-2018-20657 CVE-2018-20786 CVE-2018-20839 CVE-2019-12900 CVE-2019-14250 CVE-2019-14250 CVE-2019-14250 CVE-2019-17543 CVE-2019-19244 CVE-2019-8905 CVE-2019-8906 CVE-2019-9674 CVE-2019-9674 CVE-2019-9923 CVE-2019-9936 CVE-2019-9937 CVE-2020-17049 CVE-2020-17049 CVE-2020-21674 CVE-2021-20193 CVE-2021-24032 CVE-2021-31879 CVE-2021-35937 CVE-2021-35937 CVE-2021-35938 CVE-2021-35938 CVE-2021-35939 CVE-2021-35939 CVE-2021-3927 CVE-2021-39537 CVE-2021-39537 CVE-2021-3974 CVE-2021-3997 CVE-2021-4166 CVE-2021-4209 CVE-2021-43618 CVE-2022-0351 CVE-2022-1619 CVE-2022-1720 CVE-2022-2124 CVE-2022-2125 CVE-2022-2126 CVE-2022-2129 CVE-2022-2175 CVE-2022-2182 CVE-2022-2183 CVE-2022-2206 CVE-2022-2207 CVE-2022-2208 CVE-2022-2210 CVE-2022-2284 CVE-2022-2285 CVE-2022-2286 CVE-2022-2287 CVE-2022-2309 CVE-2022-2343 CVE-2022-2344 CVE-2022-2345 CVE-2022-23491 CVE-2022-23990 CVE-2022-2522 CVE-2022-27943 CVE-2022-27943 CVE-2022-27943 CVE-2022-2819 CVE-2022-2845 CVE-2022-2849 CVE-2022-2923 CVE-2022-2946 CVE-2022-2980 CVE-2022-3037 CVE-2022-3153 CVE-2022-3219 CVE-2022-3234 CVE-2022-3235 CVE-2022-3256 CVE-2022-3296 CVE-2022-3352 CVE-2022-3705 CVE-2022-40023 CVE-2022-40897 CVE-2022-40897 CVE-2022-40897 CVE-2022-40899 CVE-2022-4292 CVE-2022-4293 CVE-2022-4899 CVE-2023-0049 CVE-2023-0054 CVE-2023-0288 CVE-2023-0433 CVE-2023-0464 CVE-2023-0464 CVE-2023-0465 CVE-2023-0465 CVE-2023-0466 CVE-2023-0466 CVE-2023-0512 CVE-2023-1127 CVE-2023-1170 CVE-2023-1175 CVE-2023-1264 CVE-2023-24056 CVE-2023-24056 CVE-2023-24056 CVE-2023-24056 CVE-2023-27534 CVE-2023-27534 CVE-2023-27536 CVE-2023-27536 CVE-2023-28484 CVE-2023-28486 CVE-2023-28487 CVE-2023-29469
Correlation Search drilldowns that include newlines have those newlines removed when using a Mission Control Incident's "Contributing events" link. This isn't a terrible problem if each line has a space at the end of it, but if a line of SPL has no trailing space and the newline is removed, the search breaks because each line becomes jammed together with the following one.

Say I have events of the form:

{
  something: "cool",
  subfield: {
    this: "may contain",
    arbitrary: ["things"],
    and: { more: "stuff" }
  }
}

The internal structure of `subfield` is arbitrary. I would like to count how many different `subfield` values I have. How can I accomplish this? My initial thought was maybe there was some function I could use to JSON encode the field, so that I could just have an

| eval subfieldstr = to_json_string(subfield)

and then I could just do a "stats dc" on subfieldstr, but I can't find such a function, and searching for it is difficult (there are endless results of people trying to do the exact opposite)

I have a situation where I'm using case to compare 2 fields to identify a fuzzy match, but in field 1 I may have "boa.com" and in field 2 I have "Bank Of America". What I want to do is to take the letters of field 1 and the first letter of each word in field 2 (understanding there is no potential maximum number of words the value may contain). I know I can usually do something with mvindex by using an index field of -1 to identify the "last value" of a multi value field, but I'm not sure how to try to marry that with case(like and substr(). Has anyone ever accomplished anything like this before? I'm trying things like | rex field=Company "(?<CamelCase>\b(\w))" but it's only returning "b" in CamelCase instead of "boa"
I have a query to display the following 3 fields: | table pp_user_action_name,Today_Calls,Avg_today I want to replace the 'Avg_today' column header with today's date like '11/1/2023'. Is it possible?
I am trying to remove T and Z from the output timestamp results. Can you please help me with the query to remove  and space in the place of T and Z. 2023-11-01T15:54:00Z

Basically I have a search with a lot of fields, similar to this example:

| makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5

from this I would basically like to keep everything except for aa* that does not contain the suffix x. I tried

| fields -aa* aa*x

as well as similar approaches, but they do not work: 1) either deleting all aa* (including aa*x) 2) not keeping b or 3) not deleting aa* at all. I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here: https://regex101.com/r/JfVHCJ/latest Is there any SPL equivalent?


Hello, How to calculate distinct count with condition? How to calculate unique vuln that has score >0, group by ip?

Before calculation

ip       vuln   score
1.1.1.1  vuln1  0
1.1.1.1  vuln1  0
1.1.1.1  vuln2  3
1.1.1.1  vuln2  3
1.1.1.1  vuln2  3
1.1.1.1  vuln3  7
1.1.1.1  vuln3  7
2.2.2.2  vuln1  0
2.2.2.2  vuln4  0
2.2.2.2  vuln5  5
2.2.2.2  vuln5  5

After calculation

ip       dc(vuln)  dc(vuln) score > 0
1.1.1.1  3         2
2.2.2.2  3         1

Thank you so much


Hello, I have no clues, thanks for reading in advance. In any case, right now, I can't open Splunk Web because it gives me a 500 internal error and I found the critical point: server.conf. I just tried and if I don't put anything it works, but if I put any path it breaks everything. Behind this problem is that after writing the configuration files (I followed the Splunk documentation strictly so...) the connection doesn't work when I try to troubleshoot. I will post my files here so I hope it will be clearer what I did:

inputs.conf on the index:

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /path/to/mycervercombinedfile.pem
sslPassword = mypass
requireClientCert = false

outputs.conf on the forwarders:

[tcpout]
defaultGroup = mygroup

[tcpout:mygroup]
server = index ip:9997
sslCertPath = path/to/my combinedservercert.pem
sslPassword = mypass
sslVerifyServerCert = true
useClientSSLCompression = true

server.conf on both index and forwarder:

[sslConfig]
sslPassword = mypass
sslRootCAPath = path/to/myCertAuthCertificate.pem

As for putting something in web.conf, I'm waiting to solve these internal problems first. I almost forgot to say that I do not think there is a problem with how I created the certificates; I repeated the process n times already and I followed the instructions. TheCaRootCert is the same one that I shared with forwarders and index, then I created from this certificate a separate one for each of the servers involved and then I concatenated them in one. Thanks so much for reading and I would appreciate receiving some advice on how to proceed further, I'm going insane. P.S.: Sorry for my English but I'm not a native speaker.

Hi, during a playbook,  I would like to check a parameter with a condition, and if the condition result true, I would like to use that parameter. But if the condition result is false, I would then use a different parameter. is there a way to do that without duplicating a lot of blocks? 

Hi Splunkers! How to change the color of info button in dashboard.

<panel id="global_status_op">
  <title>Global Compliance</title>
  <html>
    <style> </style>
    <div class="infobutton" parent="global_status_op" type="collapse" style="display: none">
      <p style="font-size:15pt;"> The compliance is calculated as follow:</p>
      <p style="font-size:9pt;"> - If compliant, the asset is considered as complinat</p>
      <p style="font-size:9pt;"> - If not compliant, the asset is considered as not compliant</p>
    </div>
  </html>
</panel>

Thanks!

Hi I want to connect java code with splunk cloud platform can someone suggest me how can I do it.

Hello, I have an admin role. When I create a field alias, I can see it in the props.conf file, but when I run the search the field names are unchanged.

[sourcetype="Perfmon:mem"]
FIELDALIAS-Value = Value AS titi counter AS tutu

What is wrong please?

I try to create support ticket for Splunk Apps and Add-ons on Cloud Version, and there is a field  that can't be selected  
Hi, I lost the password for my Appdynamics Saas service during the trial period.  While trying to retrieve data via the REST API, I couldn't set up the account and password properly.  I ended up using a temporary token. Today, when I attempted to access the controller, it prompted me to enter a password. However, even after entering the password, it resulted in a login failure, and the password reset instructions were not sent to my email, even after checking the spam folder. what should I do in this situation? thank you in advance.

Hi everyone, I need to group the below 3 events with correlation ID. I have tried the transaction cmd below but it is not taking multiple endswith. And also I need to extract the event start timestamp and event end timestamp.

| transaction correlation_id startswith="processing_stage=Obtained data" endswith="processing_stage=Successfully obtained incontact response" endswith="processing_stage=Successfully obtained genesys response"

{"message_type": "INFO", "processing_stage": "Obtained data", "message": "Successfully received data from API/SQS", "correlation_id": "c5be6c24-d0e6-4f27-a11d-86f7f194ae50", "error": "", "invoked_component": "prd-start-step-function-from-lambda-v1", 'startDate': datetime.datetime(2023, 11, 1, 5, 17, 50, 326000, tzinfo=tzlocal()), 'date': 'Wed, 01 Nov 2023 05:17:50 GMT', "invocation_timestamp": "2023-11-01T05:17:50Z", "response_timestamp": "2023-11-01T05:17:50Z", }

{"message_type": "INFO", "processing_stage": "Successfully obtained genesys response", "message": "Successfully obtained genesys response", "correlation_id": "c5be6c24-d0e6-4f27-a11d-86f7f194ae50", "error": "", "invoked_component": "prd-ccm-genesys-ingestor-v1", "request_payload": "", "response_details": "", "invocation_timestamp": "2023-11-01T05:18:21Z", "response_timestamp": "2023-11-01T05:18:21Z"}

{"message_type": "INFO", "processing_stage": "Successfully obtained incontact response", "message": "Successfully obtained incontact response", "correlation_id": "['330dba31-3d3d-4bf0-91a3-dfba81b56abf']", "error": "", "invoker_agent": "arn:aws:sqs:eu-central-1:981503094308:prd-ccm-incontact-ingestor-queue-v1", "invoked_component": "prd-ccm-incontact-ingestor-v1", "invocation_timestamp": "2023-11-01T06:57:09Z", "response_timestamp": "2023-11-01T06:57:09Z"}

Thanks in advance

How to hide the dynamic filter tokens that we are passing in the URL without using JS? We need this because we don't want the user to view the tokens in the URL.