I need a way to stop users with access to a Studio dashboard from being able to clone it. From this they are able to edit this new dashboard, giving these particular user too much access. These users having a minimal amount of role capabilities, Search and List all objects. So I'm unable to give them any less capabilities. (not that any seem to relate to this.) Any help or ideas would be greatly appreciated. Thanks

Hi All- What would you say is the recommended method for handling CSV files?  Ingesting it into an index or using it as a lookup table?  TLDR - Server team keeps server master list as CSV.  Want to bring it into Splunk as the reference (baseline) which all other tools report against (AD, CS, R7 etc).  Should I ingest that CSV into an index or keep it a csv and use it as a lookup table?   Thanks in Advance!

Im trying to blacklist the below eventcodes since we dont have any use for them but somehow it is not working . I made the below change and delpoyed it to all UF via DS . Any idea why it is not working ?    [WinEventLog://Security] disabled = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist = 1003,501,510,7036,1066,17137,8003,403,404,410,900-902,4690,4099 index = winlog renderXml=false

Hello Splunk Community, I am trying to add the following command to the props.conf file to make the following search permanent:   I am still very new to the Splunk world and therefore I have no experience with the props.conf file. I made a copy of the props.conf file in the folder /opt/splunk/etc/system/local and put the command in there (See below).   However, when starting Splunk now  the following message appears:   I suspect I phrased the command wrong or wrote it into the wrong section in props.conf. Also, it would be interesting to know if the part of the command that brings the events in table form can also be written into the props.conf file and if so into which section of the file? Many thanks and greetings

Hey All,  I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively,  1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......  2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com 3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events.  In the "Props.conf" I can add below,  FIELDALIAS-src_host = src_host AS dest_host FIELDALIAS-shost = shost AS dhost but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01".  Any help on this will be much appreciated.  Thanks.   

Hi there, Kindly help me on  Search to trigger an alert by scan the logs for scheduled job and check elapsed time (threshold time) for each job execution instance If the elapsed time exceeds the specified threshold for ALL the three executions. Thanks in Advance, Regards, Theja

Hello, I need your help to find a way to achieve the following use case: in main search: I've to categories: Windows and NIX. both the categories have ip and hostname fields. category             ip                         hostname windows         x.x.x.x                    a nix                     y.y.y.y                      b Now my requirement is to join the above result set with another result set based on the following business rules: - for windows, I want to join based on the hostname only. - for nix, I want to join  based on both ip and hostname. Thanks in advance for the help.

Hi All,  Before i post here i have tried everything under https://community.splunk.com/t5/Splunk-Search/How-to-join-2-indexes/m-p/560334  but couldnt figure out my search.  Index01 contains  fields of interest as follows :  host, hostname, agent_version,agent_date The difference between host & hostname fields is host contains  name of HF server (which i dont want to correlate)  while hostname contains the list of device names  (which i want to correlate with Index02).  In Index02., the fields of interest are:  host (default field), _time (default field)  To summarize, the field hostname from Index01 matches the values of the field host from Index02 . So this is the common denominator. Requirement is for all the devices from index01,  find  out the latest time stamp (as in when the device last logged) from Index02.    Below is what i need to achieve: hostname(Index01) agent_date (Index01) agent_version (Index01) LastSeen (Index02) xxx xxx xxx xxxx         Have tried below 2 queries but no luck.   It shows 0 results found.  But if i run the search individually they show data.     index=index01 | rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)." | dedup hostname [ search index=Index02 | stats latest(_time) as lastSeen_epoch BY host | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S") | fields host LastSeen ] | table hostname agent_date agent_version LastSeen OR index=index01 [ search index=Index02 | stats latest(_time) as lastSeen_epoch BY host | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S") | fields host LastSeen ] | rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)." | dedup hostname | table hostname agent_date agent_version LastSeen          

Hello, From the GUI (DB Input), it seems that Splunk is unable to detect any Rising Column due to our sub query:     SELECT event_time FROM sys.fn_get_audit_file ( (SELECT TOP(1) e.audit_file_path FROM [sys.dm_server_audit_status] e WHERE e.name = 'Audit-select-statement'), default, default) WHERE event_time > ? ORDER BY event_time ASC       unfortunately, Splunk DB Connect is unable to detect any rising column. If I remove the SELECT TOP(1), the rising column appear again. The goal is to query the audit table with the current filename. I saw another discussion (https://community.splunk.com/t5/Splunk-Search/DB-Connect-rising-column-combination-of-two-columns/m-p/121434) but seems the enhancement request (DBX-564) is still not ready. Would anyone happen to have the same issue ? Kind Regards,  

Hello all, I have been using Splunk's classic dashboard for a while now and I switched to dashboard studio, one thing I can't seem to figure out is when I need to have different values of labels from the value actually used by the token. Say the data source of a dropdown is an SQL query with 2 columns, one I want to use as the label (aka value displayed to the user), the other as the token's actual value, is that possible? If it helps in classic dashboard it is done via     <fieldForLabel>name</fieldForLabel> <fieldForValue>age</fieldForValue>       Any ideas? Thank you very much!