All Topics

Top

All Topics

Hello all, I can not find any documentation about Event Service. Can someone provide me link for Event Service documentation? Have a general question what exactly Event Service is? How many nodes... See more...
Hello all, I can not find any documentation about Event Service. Can someone provide me link for Event Service documentation? Have a general question what exactly Event Service is? How many nodes for Event Services in cluster
Hello all! I have a question about the components of AppD. There are several components of AppD like - Controller, Agents, Tier, Nodes, etc., but a very important component is a database. Can some... See more...
Hello all! I have a question about the components of AppD. There are several components of AppD like - Controller, Agents, Tier, Nodes, etc., but a very important component is a database. Can someone provide me with information about what is the difference between AppD DataBase and AppD DataBase Agent? What DB Agent monitoring more? How does DataBase work? I know that documentation, placed here :  https://docs.appdynamics.com/appd/22.x/22.4/en/database-visibility But I assume this documentation has only information about DB Agent, or am I wrong? Thanks for your help!
I configured successfully the Add-On Microsoft Azure on my HFs for retrive dinamically and enrich my ES suite with users and groups from AAD but i can't find the way for retrive the group members. As... See more...
I configured successfully the Add-On Microsoft Azure on my HFs for retrive dinamically and enrich my ES suite with users and groups from AAD but i can't find the way for retrive the group members. As the KB microsoft the api for retriving it is separate from the other methods and should be "/members". Is it a lack of this connector from ms developers or is there a way for solve it? I found one more post for this topic but with no response.
Hi  We had a javascript and css created to acknowledge the errors in Splunk dashboard. Reference link is here https://community.splunk.com/t5/Dashboards-Visualizations/Need-help-in-applying-checkbo... See more...
Hi  We had a javascript and css created to acknowledge the errors in Splunk dashboard. Reference link is here https://community.splunk.com/t5/Dashboards-Visualizations/Need-help-in-applying-checkbox-in-splunk-table-and-saving-the-on/m-p/503603#M33311 It needs a feature "SELECT ALL" option at the top of the row to select all the errors in that particular page. So that we can acknowledge the errors at one instance. Current logic, we are clicking the tick box one by one before pressing the acknowledge button. Is it possible to append this logic in the existing JS without breaking current logic? Please refer the JS, XML and CSS attached CSS: /* The standalone checkbox square*/ .checkbox { width:0px; height:0px; border: 2px solid #000; display: inline-block; } /* This is what simulates a checkmark icon */ .checkbox.checked:after { content: ''; display: block; width: 2px; height: 7px; /* "Center" the checkmark */ position:relative; top:1px; left:-8px; border: solid black; border-width: 0 2px 2px 0; transform: rotate(45deg); } .checkbox, .radio { min-height: 12px; padding-left: 12px; } td.numeric, th.numeric { text-align: left; } #myTable tr.range-acked td { background-color: #82e566 !important; } #myTable tr.range-not-acked td { background-color: #ff0000b3 !important; } JS:   require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function (_, $, mvc, TableView) { // Access the "default" token model var tokens = mvc.Components.get("default"); var selected_values_array = []; var submittedTokens = mvc.Components.get('submitted'); console.log("This is Multi-select table JS"); // Custom renderer for applying checkbox. var CustomRenderer = TableView.BaseCellRenderer.extend({ canRender: function (cell) { return _(['Tick']).contains(cell.field); }, render: function ($td, cell) { var cell_value = cell.value.split("|")[0]; var ack_value = cell.value.split("|")[1]; var ack_flag = ack_value !== ""; console.log(cell.value,ack_flag,ack_value); var div = (ack_flag ? $('<div>') :$('<div>').attr({ "id": "chk-number" + cell_value, "value": cell_value }).addClass('checkbox').click(function () { if ($(this).attr('class') === "checkbox") { selected_values_array.push($(this).attr('value')); $(this).removeClass(); $(this).addClass("checkbox checked"); console.log(selected_values_array); } else { $(this).removeClass(); $(this).addClass("checkbox"); var i = selected_values_array.indexOf($(this).attr('value')); if (i != -1) { selected_values_array.splice(i, 1); } console.log(selected_values_array); } })) var b = (ack_flag ? $td.addClass('range-cell').addClass('range-acked') : $td.addClass('range-cell').addClass('range-not-acked')); div.appendTo($td); } }); //List of table ID var sh = mvc.Components.get("myTable"); if (typeof(sh) != "undefined") { sh.getVisualization(function (tableView) { tableView.on('rendered', function() { console.log("Output 1"); setTimeout(function(){ // Apply class of the cells to the parent row in order to color the whole row tableView.$el.find('td.range-cell').each(function() { console.log("Output 2"); $(this).parents('tr').addClass(this.className); console.log(this.className); }); console.log("Output 3"); },100); }); // Add custom cell renderer and force re-render tableView.table.addCellRenderer(new CustomRenderer()); tableView.table.render(); }); } // Disabling button while search is running var mysearch = mvc.Components.get('mysearch'); var mainSearch = mvc.Components.get('mainSearch'); var myrevertsearch = mvc.Components.get('myrevertsearch'); var myjirasearch = mvc.Components.get('myjirasearch'); mysearch.on('search:start', function (properties) { $("#mybutton").attr('disabled', true); }); mysearch.on('search:done', function (properties) { $("#mybutton").attr('disabled', false); mainSearch.startSearch(); }); myrevertsearch.on('search:done', function (properties) { console.log("Revert Search Done"); $("#myrevertbutton").attr('disabled', false); mainSearch.startSearch(); console.log("Main Search Done"); }); myjirasearch.on('search:start', function (properties) { $("#myjirabutton").attr('disabled', true); }); myjirasearch.on('search:done', function (properties) { $("#myjirabutton").attr('disabled', false); mainSearch.startSearch(); }); $(document).ready(function () { //setting up tokens with selected value. $("#mybutton").on("click", function (e) { e.preventDefault(); tokens.set("mytoken", selected_values_array.join()); submittedTokens.set(tokens.toJSON()); $("#mybutton").attr('disabled', true); }); $("#myrevertbutton").on("click", function (e) { e.preventDefault(); myrevertsearch.startSearch(); $("#myrevertbutton").attr('disabled', true); console.log("Hiee"); }); $("#myjirabutton").on("click", function (e) { e.preventDefault(); tokens.set("myjiratoken", selected_values_array.join()); submittedTokens.set(tokens.toJSON()); $("#myjirabutton").attr('disabled', true); }); }); });   XML:     <form version="1.1" script="jiraselect.js" stylesheet="multiselect_color.css" hideEdit="true" isVisible="true" hideAppBar="true"> <label>Error Acknowledgment UI</label> <search id="ram_inst_search" ref="rpt_ram_institution"></search> <search id="mysearch"> <query> |inputlookup $dash$ | dedup ID | where ID IN ($mytoken$) | eval Ack=now(),Ack_time="UPD",Ack_By="$env:user_email$"+","+strftime(Ack,"%c") | outputlookup $dash$ append=True</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <search id="myjirasearch"> <query> |inputlookup $dash$ | dedup ID | where ID IN ($myjiratoken$) | eval Ack=now(),Ack_time="JIRA",Ack_By="$env:user_email$"+","+strftime(Ack,"%c") | eval Message_Text = "Update from SD to raise JIRA ticket - "+Message_Text | eval Message_Text= if(isnull(Ack_By) AND LIKE(Message_Text,"%Update from SD to raise JIRA%"),substr(Message_Text,39,len(Message_Text)),Message_Text) | outputlookup $dash$ append=True</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <search id="myrevertsearch"> <query> |inputlookup $dash$ | where ID = "$UnAckID$" | eval Ack="",Ack_time="",Ack_By="" | eval Message_Text= if(LIKE(Message_Text,"%Update from SD to raise JIRA%"),substr(Message_Text,39,len(Message_Text)),Message_Text) | outputlookup $dash$ append=True</query> </search> <!-- Information panel --> <fieldset submitButton="true" autoRun="false"> <input type="radio" token="dash" searchWhenChanged="true"> <label>Choose Current/Historic Data</label> <choice value="ram_error_ack_kv">Monthly</choice> <choice value="ram_error_ack_kv_bkup">Historic</choice> <default>ram_error_ack_kv</default> <initialValue>ram_error_ack_kv</initialValue> </input> <input type="time" token="time1" searchWhenChanged="true"> <label>Time Window</label> <default> <earliest>-2h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="inst" searchWhenChanged="true"> <label>Institution EMEA</label> <choice value="*">ALL</choice> <default>*</default> <fieldForLabel>Institution_name</fieldForLabel> <fieldForValue>Institution</fieldForValue> <search> <query>|inputlookup emea_institution_kv_data | join type=outer Institution [ | inputlookup institution_name.csv | sort institution_number | eval Institution=institution_number] | eval Institution_name=if(isnull(institution_name),substr(Institution,7,2)+" "+"Inst",institution_name) | table Inst_desc Institution Institution_name</query> <earliest>-15m</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="ackby" searchWhenChanged="true"> <label>Acknowledged By</label> <choice value="*">ALL</choice> <default>*</default> <fieldForLabel>Ack_name</fieldForLabel> <fieldForValue>Ack_name</fieldForValue> <search> <query>|inputlookup acknowledged_names.csv</query> <earliest>-7d@h</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="ackflag" searchWhenChanged="true"> <label>Acknowledged (Y/N)</label> <choice value="*">ALL</choice> <choice value="Yes">Yes</choice> <choice value="No">No</choice> <default>*</default> <initialValue>Yes</initialValue> </input> <input type="text" token="UnAckID" searchWhenChanged="true"> <label>Enter Un Ack ID</label> </input> <input type="text" token="error" searchWhenChanged="true"> <label>Type Error String here</label> <default></default> </input> </fieldset> <row> <panel> <html> <h3> <a href="https://de-splunk.1dc.com/en-US/manager/TA-omnipay-platform/admin/macros/error_skiplist?f_ns=TA-omnipay-platform&amp;uri=%2FservicesNS%2Fnobody%2FTA-omnipay-platform%2Fadmin%2Fmacros%2Ferror_skiplist&amp;action=edit&amp;ns=TA-omnipay-platform" target="blank"> <font color="blue">Click to Update Error Skip List</font> </a> </h3> <style> div.fieldset.dashboard-form-globalfieldset div.dashboard-element.html.dashboard-element-html { display: inline-block; } </style> <div> <input type="button" id="mybutton" value="Ack Selected Rows"/> <input type="button" id="myrevertbutton" value="Un Ack Entered Id"/> <input type="button" id="myjirabutton" value="Ack and Create Jira Ticket"/> <a href="https://de-splunk.1dc.com/en-US/app/TA-omnipay-platform/ram_error_dashboard" class="btn btn-primary" text-align="right">Refresh</a> </div> </html> </panel> </row> <row> <panel> <html> <div class="imgheader"> <div style="text-align: right;"> <h4> <a data-toggle="modal" data-target="#Help_modal"> <font color="blue">Help, information for this dashboard</font> </a> </h4> </div> </div> <style> #Help_modal.dropdown-menu { float: left; min-width: 421px; top: -1000% !important; left: 40% !important; } .close { text-align: right; border-radius: 1px 2px 2px 2px; <!--width: 30% !important; height: 600px !important;--> } pre { text-align: left; } .modal-footer { background: #ffe0 !important; padding: 1px 1px 1px 1px; } </style> <!--<div class="modal custom-modal-60 fade" id="Help_modal" tabindex="-1" role="dialog" aria-labelledby="Help_modal_Label">--> <div class="dropdown-menu other-menu shared-poptart close" id="Help_modal" tabindex="-1" role="dialog" aria-labelledby="Help_modal_Label"> <div class="modal-dialog" role="document"> <div class="modal-content"> <div class="modal-header"> <!--<button type="button" class="close" data-dismiss="modal" aria-label="Close"> <span aria-hidden="true"/> </button>--> <div style="text-align: left;"> <h4 class="modal-title" id="Help_modal_Label">Dashboard:</h4> </div> </div> <pre> <b>Dashboard Information</b> This dashboard is for acknowledging or unacknowledge errors <p> <b>For queries or feedback on this dashboard, mail to</b>:<b> </p> </pre> <!--<div class="modal-footer"> <button type="button" class="btn btn-default" data-dismiss="modal">Close</button> </div>--> </div> </div> </div> </html> </panel> </row> <row> <panel> <html> <style> <!--#test h2 { text-align: center !important; background-color: aliceblue; }--> .dashboard-body { padding: 2px 2px 2px 2px; <!--color: #3c444d;--> color: #ce8820; background-color: #ffffff; min-height: 500px; } .dashboard-row .dashboard-panel h2.panel-title { text-align: center !important; background-color: mistyrose; border: 1px solid black; font-size: 21px; font-weight: bold; padding: 12px 2px 12px 2px; margin: 2px 2px 2px 2px; } .dashboard-row .dashboard-panel .panel-head h3 { text-align: center !important; background-color: rgba(0, 164, 253, 0.37); } .dashboard-row .dashboard-panel .panel-body.html, .dashboard-row .dashboard-panel .panel-body.splunk-html { padding: 0px !important; } td.numeric, th.numeric { text-align: center !important; } .table td, .table th { text-align: left; color: black !important; border: 1px solid black !important; font-size: 13.5px; } label { font-weight: bold; } .table .sorts a { color: black; font-weight: 500; font-size: 14.3px; } .fieldset { margin-bottom: -17px; } .dashboard-header h1 { font-size: 30px; font-weight: 700; line-height: 76px; text-align: center; padding: 2px 2px 2px 2px; margin: 2px 2px 2px 2px; background-color: coral; color: #3c444d; } .dashboard-header { margin-bottom: 10px; min-height: 28px; background: chocolate; padding: 2px; } .dashboard-row .dashboard-cell { float: left; <!--background-color: darkslategrey; --> } .results-table { color: black; } .SimpleResultsTable table.simpleResultsTable { white-space:pre-line; } #myTable tr.range-acked td { background-color: #82e566 !important; border: 1px solid black; } #myTable tr.range-not-acked td { background-color: #ff6363 !important; border: 1px solid black; } .modal-header .close { top: 20px; right: -220px; margin-top: -2px; position: unset; background-color: none; border: 1px solid transparent; color: #5c6773; -webkit-box-shadow: none; box-shadow: none; text-decoration: none; text-shadow: none; -webkit-transition: background .2s,border .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s; transition: background .2s,border .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s; transition: background .2s,border .2s,box-shadow .2s,text-decoration .2s; transition: background .2s,border .2s,box-shadow .2s,text-decoration .2s,-webkit-box-shadow .2s,-webkit-text-decoration .2s; -webkit-filter: none; filter: none; } </style> </html> <table id="myTable"> <search id="mainSearch"> <query>|inputlookup $dash$ | rename "Package_Name,Procedure_Name,File_Name,Host_Name" AS Package_Name_Procedure_Name_File_Name_Host_Name | search `error_skiplist` | dedup ID | eval fields=split(Ack_By,",") | eval Ack_name=mvindex(fields,0) | eval Ack_name = if(isnotnull(Ack_name),Ack_name,"NA") | eval ack_flag=if(isnotnull(Ack_By),"Yes","No") | search Institution=$inst$ Platform="EMEA" Ack_name=$ackby$ ack_flag=$ackflag$ Message_Text="*$error$*" | eval _time=strptime(Date_Time,"%d-%m-%Y %H:%M:%S") | convert mstime(_time) AS ms_time | addinfo | where ms_time &gt;= info_min_time AND ms_time &lt;= info_max_time | eval Ack=if(isnull(Ack_time),"",Ack_time) | eval Tick=ID."|".Ack | eval "Program_ID Program_Name" = Program_ID+","+Program_Name | makemv delim="," "Program_ID Program_Name" | makemv delim="," Package_Name_Procedure_Name_File_Name_Host_Name | makemv delim="," Ack_By | rex max_match=100 field=Message_Text "(?&lt;split__regex&gt;.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as Message_Text | table Tick ID ms_time Institution Date_Time Ack Ack_By Ack_time "Program_ID Program_Name", Program_Run_ID Package_Name_Procedure_Name_File_Name_Host_Name Message_Text email | sort 0 - ms_time | eval skip_ram_user=if(like(Package_Name_Procedure_Name_File_Name_Host_Name,"%RAM%"),1,if(like(Package_Name_Procedure_Name_File_Name_Host_Name,"%ram%"),1,0)) | where skip_ram_user != 1 | fields - email Ack ms_time Ack_name Ack_time skip_ram_user</query> <earliest>$time1.earliest$</earliest> <latest>$time1.latest$</latest> <refresh>2m</refresh> <refreshType>delay</refreshType> </search> <option name="count">25</option> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">true</option> <drilldown> <condition field="*"></condition> </drilldown> </table> </panel> </row> <row depends="noshow"> <panel> <html> <style> .input-dropdown { min-width: 190px !important; width: 190px !important; max-width: 170px !important; } .splunk-dropdown .select2-container { min-width: 190px !important; width: 190px !important; max-width: 170px !important; } .input-text { min-width: 190px !important; width: 190px !important; max-width: 170px !important; } .input-text &gt; input[type="text"] { min-width: 190px !important; width: 190px !important; max-width: 170px !important; } </style> </html> </panel> </row> </form>      
I have the following source path which I am monitoring..I want splunk to use the _time from the source file. /a/host*/ads/stdout.230621-125941 Thanks in Advance
Splunk provides enhanced visibility and faster troubleshooting for your Kubernetes environments with the latest enhancements to the Kubernetes navigator. The Kubernetes navigator enables engineering ... See more...
Splunk provides enhanced visibility and faster troubleshooting for your Kubernetes environments with the latest enhancements to the Kubernetes navigator. The Kubernetes navigator enables engineering teams to quickly visualize and monitor the performance of their Kubernetes deployments with an easy-to-use, out-of-the-box UI that automatically discovers Kubernetes components and containerized services in their environment.  Read the product documentation to learn more. What’s New? The latest enhancements deliver: More intuitive navigation: New main-panel dashboards with more detailed built-in charts, multiple tabs, and breadcrumb trail to easily pivot to interdependencies without context switching. Kubernetes navigator node details Deeper visibility: New workload heatmap view provides developers with a graphical interface to identify outlier conditions in their pods and containers. Expanded Control Plane views for enhanced visibility into the performance of services supporting Kubernetes workloads. Kubernetes navigator workload heatmap Accelerated troubleshooting: Fully discovered property metadata, accelerated detector creation, direct linking to detector state, and advanced chart configurations to speed up issue detection and resolution. Kubernetes navigator Autodetect The Kubernetes navigator is one of the OOTB navigators in Splunk Infrastructure Monitoring. A navigator is a set of screens that allow users to orient and explore their tech stack. Start exploring today!
Hello Team I am having a Dashboard created with below Table output. The table is having a dynamic column names (in Date format) Output as below: TestMQ 2023-06-23 2023-06-22 2023-06-21 ... See more...
Hello Team I am having a Dashboard created with below Table output. The table is having a dynamic column names (in Date format) Output as below: TestMQ 2023-06-23 2023-06-22 2023-06-21 2023-06-20 2023-06-19 2023-06-18 2023-06-17 2023-06-16 And so on - till 30 days MQ.NAME 5.03 17.04 25.75 19.82 32.14 56.81 10.91 85.14 .... My requirement is to color code these values based on the threshold condition as "[<60 = Green] | [>85 = Red] | [>60 AND <85 = Amber]" I am new to Splunk and still learning. Kindly suggest how this can be achieved i.e. to modify the dynamic Column values based on the Threshold conditions. @ITWhisperer
Hi Team ,   Has anyone worked on finding out unused dashboards or alerts in Splunk . Can you please assist me . Thanks in Advance
Do we have any facility in the Splunk that we can achieve the High availability or Disaster recovery features in the Splunk. if yes, please share the documents for this.  Your response will be appre... See more...
Do we have any facility in the Splunk that we can achieve the High availability or Disaster recovery features in the Splunk. if yes, please share the documents for this.  Your response will be appreciated.!!!
Hello Everybody!  First thanks for your time to help me. I have a cluster environment, with: 3 - Sh's 231 232 233 4 - Hf's 223  This HF is an old server that was used in the environment... See more...
Hello Everybody!  First thanks for your time to help me. I have a cluster environment, with: 3 - Sh's 231 232 233 4 - Hf's 223  This HF is an old server that was used in the environment when it was not yet clustered, this HF is the core, reciving all data [UF's,DB Connect,Scripts etc] we keep it because we have some Windows Server 2003 with UF's installed that need to report the data and for that we need an HF with an older version  238 ( This is the HF with problem  ) 239 244 3 - IDX 234 235 236 Perfect, our cluster environment is new, so all HF's (238,239,244) is a blank installation, today I'm transferring all running Scripts on 223 to 238, but I'm with a problem, I have some scripts running to get data and transfer to 238 thorught HTTPEventCollector, these scripts are also running on 238. The problem is: I run the script, I don't get any error, I can see in the logs that the HTTPColector received the event, but when I do a search in the SH's I can't see the data, only after a time like 5-10 minutes after sending the data they appear in the SH, with the exact _time when the script was run. This problem is only with 238.  239 244 and 223 work very well. I did a simple script to send data for all HF's in the same time:   Simple Script to Test Executing the script:   Events on SH (does not show event sent to 238) Events on SH Confirmation on 238 HF that received the data After 5-10 minutes: The test data sending to 238 is now showing, but with 5-10 miuntes later. What possible solutions I have already tried: Restart Splunk and the server Create a new token Executing the script on other server like 239 244 223 Look for some log in the indexers or HF I'm really starting to run out of ideas for how to solve this problem, does anyone have any ideas? Thanks in advance!      
Hello,   I have a search that I n     index="" host= sourcetype=csv source=C:\\.......\.csv | dedup CR_ID | table CR_SubmitDate CR_LMC PVER_SpecificationFreeze | eval LMC_Requested = case(matc... See more...
Hello,   I have a search that I n     index="" host= sourcetype=csv source=C:\\.......\.csv | dedup CR_ID | table CR_SubmitDate CR_LMC PVER_SpecificationFreeze | eval LMC_Requested = case(match(CR_LMC, "Yes"),"yes") | search LMC_Requested="yes" | eval LMC_Planned = case(CR_SubmitDate > PVER_SpecificationFreeze, "True") | search LMC_Planned="True" | chart count by LMC_Requested, LMC_PLanned     eed to count the values that matches "Yes". But the way I did is making conflict somewhere. How do I make a clean match that does not male problems with the chart?
Hi, I have configured an alert to send email to users who has crossed a specific metric value. I have enabled email alert action and I want to attach a word document to the email alert which contai... See more...
Hi, I have configured an alert to send email to users who has crossed a specific metric value. I have enabled email alert action and I want to attach a word document to the email alert which contains steps for troubleshooting. How can I achieve this? Please help. Thanks in advance.
Hi I am looking for a Splunk exploitation folder related to Splunk dashboards and alerts Is anybody have an example to share please? Rgds
i have ingested logs on univesral forwarder by creating file under /var/log/filename .log & connected to heavy forwarder so now i need to parse data on heavyforwarder & i need to remove particular  ... See more...
i have ingested logs on univesral forwarder by creating file under /var/log/filename .log & connected to heavy forwarder so now i need to parse data on heavyforwarder & i need to remove particular  line from each event. so i need props .conf & transforms .conf for this >UF>HF>Indexer
Hi  I have a report showing who have added or removed a person to or from a group.  Like : index="win*" (EventCode=4728 OR EventCode=4729)  | table _time, result, target_group, target_user, src... See more...
Hi  I have a report showing who have added or removed a person to or from a group.  Like : index="win*" (EventCode=4728 OR EventCode=4729)  | table _time, result, target_group, target_user, src_user This however returns from time to time a user called "XXXXX01, XXXXX02 Etc, which is a shared account in our PAM solution.  I can find the user behind by searching:  index="PAM" duser="XXXXX*"  "cn2=(Action: Connect)" | table _time, duser, suser, command, reason How can i make the first search, then in case user = XXXXX01, search for the latest time XXXXX01 was used related to the time in the first search.  At the moment we need to run the search side by side, and the find the correct time and check out of the XXXXX account, since the ie XXXXX01 can be checked out many times during a work day. 
Phantom default login credentials do not work for aws instance. "admin/password" or "admin/ aws instace id" are not working. I guess phantom login documentation is out of dated. Can someone help please
Hi Splunkers, I have to configure, as alerts trigger actions, a mail sending that should have, in body test, some field contained in triggering events. I found here on community this post: How to im... See more...
Hi Splunkers, I have to configure, as alerts trigger actions, a mail sending that should have, in body test, some field contained in triggering events. I found here on community this post: How to implement tokens in Email alert? that explain vey clear to use $result.<field_name>$ notation but also that "the field you want to specify must be returned in the first result row of the search". So now a question arise. Suppose I have this sample search:   index=* sourcetype=cybereason:malware status=detected | stats count by machineName   It return rows with 2 fields: the machine where infection has been detected and the event count. So, I should be able to use, in my mail notification: $result.machineName$ $result.count$ but not $result.status$, cause it is used only as a filter and is not returned as search result. Am I wrong?
Hi Splunkers, we have to connect our On Prem SOAR Solution (Palo Alto Cortex) to a Splunk Cloud instance. The dedicated SOAR integrations use API and ask: Username Password URL/Hostanem/IP Addre... See more...
Hi Splunkers, we have to connect our On Prem SOAR Solution (Palo Alto Cortex) to a Splunk Cloud instance. The dedicated SOAR integrations use API and ask: Username Password URL/Hostanem/IP Address Destination port We have some problems in destination port; we tried all the Splunk common one (9997, 8000, 8089, 8443) but we got always the Connection Timeour error. I'm wondering if, due we have a Splunk Cloud Environment, we need to ask to support some 
Hi  Wanting to setup a Report to run on the third Monday of every month. Is there a way to do this? Any Cron Schedule I try doesn't allow me to commit the change. Such as: 0 8 * * 1 [ "$(date ... See more...
Hi  Wanting to setup a Report to run on the third Monday of every month. Is there a way to do this? Any Cron Schedule I try doesn't allow me to commit the change. Such as: 0 8 * * 1 [ "$(date +\%d -d 'today + 14 days')" -gt 14 ] && [ "$(date +\%u -d 'today + 14 days')" == 1 ] && echo "Run report"
I have some users that start with urn:forms:anonymous# in my lookup I was trying to to discard them use urn:forms:anonymous#*  i guess i have to use regex to bring al the users to start like this ... See more...
I have some users that start with urn:forms:anonymous# in my lookup I was trying to to discard them use urn:forms:anonymous#*  i guess i have to use regex to bring al the users to start like this urn:forms:anonymous#