Yorokobi's Topics


Splunk: 7.2.1
Service Now add-on: 4.0.0
Service Now version: London

I have the add-on deployed to my search head cluster and am able to create incidents in Service Now, but the incidents do not contain the search results as expected based on the add-on's documentation (https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usecustomalertactions):

    Depending on the search that you save as an alert, the custom alert action might create multiple events or incidents in ServiceNow. This can occur if the search string that you save as an alert returns multiple events. The number of events returned by the search equals the number of incidents or events created in ServiceNow.

I have tested with a multi-column table with dozens of rows as well as with a single-column table with only one result. The modular alert does not add the search results to the incident. Nor does it create multiple incidents when the result count is greater than one.

Is the documentation correct but the MA is not behaving as it should, or is the documentation incorrect and we should be expected to use the Splunk Drilldown button from now on? The latter is a poor option as SIDs expire too quickly and Splunk alert search results should not be held as a system of record; that's the whole point of creating an incident.

I can add information to an incident with the | snowincident command's "--comments" option, but I don't expect my Splunk users to know how to graft search results to a data-generating command (that is a significant bit of acrobatics we shouldn't have to do based on the behaviour expected from the modular alert action).
Hey folks,

Any suggestions for how to parse the XML payload from ShopperTrak's REST endpoint obtained via the REST API Modular Input?

Link to full payload: https://gist.github.com/yorokobi/2b8f1004be5b6142eaf05a1670bb1b8c (I tried enabling soft wrapping, but it didn't take.)

Pretty (and smaller) sample (use the gist for your own testing):

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <sites>
      <site storeID="1319">
        <traffic exits="13" enters="25" startTime="201608251030"/>
        <traffic exits="15" enters="13" startTime="201608251045"/>
        <traffic exits="16" enters="11" startTime="201608251100"/>
      </site>
      <site storeID="1455">
        <traffic exits="14" enters="26" startTime="201608251030"/>
        <traffic exits="30" enters="21" startTime="201608251045"/>
        <traffic exits="19" enters="17" startTime="201608251100"/>
      </site>
      <site storeID="2161">
        <traffic exits="32" enters="29" startTime="201608251330"/>
        <traffic exits="33" enters="35" startTime="201608251345"/>
        <traffic code="01" exits="" enters="" startTime="201608251400"/>
      </site>
      <site storeID="0486">
        <traffic exits="16" enters="17" startTime="201608251130"/>
        <traffic exits="13" enters="17" startTime="201608251145"/>
        <traffic exits="30" enters="21" startTime="201608251200"/>
      </site>
      <site storeID="2503">
        <traffic exits="3" enters="2" startTime="201608251230"/>
        <traffic exits="1" enters="4" startTime="201608251245"/>
        <traffic exits="4" enters="0" startTime="201608251300"/>
      </site>
      <site storeID="2162">
        <traffic exits="14" enters="18" startTime="201608251330"/>
        <traffic exits="19" enters="22" startTime="201608251345"/>
        <traffic exits="18" enters="12" startTime="201608251400"/>
      </site>
      <site storeID="2561">
        <traffic exits="5" enters="5" startTime="201608251330"/>
        <traffic exits="8" enters="8" startTime="201608251345"/>
        <traffic exits="3" enters="3" startTime="201608251400"/>
      </site>
      <site storeID="1647">
        <traffic exits="16" enters="12" startTime="201608251230"/>
        <traffic exits="8" enters="9" startTime="201608251245"/>
        <traffic code="02" exits="" enters="" startTime="201608251300"/>
      </site>
      <site storeID="0436">
        <traffic exits="20" enters="11" startTime="201608251230"/>
        <traffic exits="21" enters="20" startTime="201608251245"/>
        <traffic exits="22" enters="23" startTime="201608251300"/>
      </site>
      <site storeID="1751">
        <traffic exits="16" enters="9" startTime="201608251330"/>
        <traffic exits="15" enters="5" startTime="201608251345"/>
        <traffic exits="7" enters="12" startTime="201608251400"/>
      </site>
      <site storeID="1438">
        <traffic exits="18" enters="13" startTime="201608251330"/>
        <traffic exits="14" enters="11" startTime="201608251345"/>
        <traffic exits="12" enters="10" startTime="201608251400"/>
      </site>
      <site storeID="2029">
        <traffic exits="15" enters="19" startTime="201608251030"/>
        <traffic exits="23" enters="15" startTime="201608251045"/>
        <traffic exits="16" enters="18" startTime="201608251100"/>
      </site>
      <site storeID="0471">
        <traffic exits="19" enters="16" startTime="201608251230"/>
        <traffic exits="25" enters="15" startTime="201608251245"/>
        <traffic code="01" exits="" enters="" startTime="201608251300"/>
      </site>
    </sites>

I have played with the following props.conf entries with pretty much zero success (not necessarily all at the same time; I haven't kept a running record).

    SHOULD_LINEMERGE=false
    BREAK_ONLY_BEFORE=<site\s
    KV_MODE=xml
    LINE_BREAKER=(<\/site>)

My attempts at using |xpath or |rex max_match=0 have likewise yielded less than stellar results.

What I need is a method of correctly tying storeID with exits, enters, startTime, and code when it shows up.

Thanks in advance.
How can I remove the account bar (the black bar at the top with the Splunk logo, application menu, etc.) from an app in Splunk 6? I see how to do it with CSS overrides for an app's dashboards but no way to do so for the entire app (reports, dashboards, search, pivot, etc.) without using the Django framework?
Is there a way to use a renamed field as part of the $row.fieldname$ variable? Take the following single panel dashboard:

    <dashboard>
      <label>Temp</label>
      <row>
        <table>
          <searchString>index=temp | stats count by application_id application_name environment log_type log_level | sort -count</searchString>
          <earliestTime>-24h@h</earliestTime>
          <drilldown>
            <link>/app/search/temp2?form.app_id=$row.application_id$</link>
          </drilldown>
        </table>
      </row>
    </dashboard>

Which links to a similar single panel dashboard:

    <form>
      <label>Temp2</label>
      <fieldset autoRun="true">
        <input type="text" token="app_id">
          <label>Enter an Application ID:</label>
          <default>*</default>
        </input>
      </fieldset>
      <row>
        <table>
          <searchString>index=temp application_id=$app_id$ | stats count by application_id application_name environment log_type log_level | sort -count</searchString>
          <earliestTime>-24h@h</earliestTime>
        </table>
      </row>
    </form>

However, if I change the first dashboard's search to include | rename application_id AS "Application ID" so the dashboard table has better visual appeal, I cannot use $row.application_id$; the value to pass to the second dashboard has changed to "Application ID" and $row."Application ID"$ does not work, either.

Is there a way to have the table for the first dashboard use renamed fields but still pass the row's application_id with $row.fieldname$ or similar?

Using Simple XML and Splunk 6.0.1
I want to import only the last X months/days/whatever of data from my database via DB Connect. Is there a better procedure than the following?

1. Create a temporary index (restart Splunk, etc.)
2. Create the DB input to send to the temp index and set tail.follow.only=true
3. Wait for Splunk to create the state.xml file
4. Stop Splunk
5. Change the DB connection's state.xml and set the value for the rising column to the start date I want
6. Change the inputs.conf to use the "permanent" index and remove the tail.follow.only line
7. Start Splunk

Is it possible to create the $SPLUNK_HOME/var/lib/splunk/persistentstorage/dbx/HASH/state.xml and manifest.properties manually? What hash function does Splunk use and what does it hash? The input name or something else?
I have the DBConnect app successfully connected to an Oracle DB and I can successfully perform ad-hoc queries. However, I am unable to figure out how to use a DB lookup using the advanced options to use the following SQL query:

    SELECT c.chan_id, c.inst_id, i.inst_name
    FROM TempTable.chan c, TempTable.inst i
    WHERE c.inst_id = i.inst_id
    ORDER BY c.inst_id

I defined the lookup in Manager >> Lookups >> Database Lookups, Advanced lookup settings. Whether I specify the chan_id, inst_id and inst_name columns as Lookup Fields and chan_id as an Input Field, I get the following error when I try using it in a search or with '|inputlookup tablename':

    The lookup table 'tablename' is invalid.

What am I missing?
systemd replaces SysV init scripts and some Linux distributions are migrating to or currently support systemd (such as Arch Linux). The traditional start-up script /etc/init.d/splunk (or /etc/rc.d/splunk) does not work in a pure systemd configuration; a unit file is required.

This thread is getting outdated. See the official documentation and additional information below:

- https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/RunSplunkassystemdservice
- https://docs.splunk.com/Documentation/Splunk/7.2.6/Workloads/Configuresystemd
- https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html
- https://www.duanewaddle.com/splunk-7-2-2-and-systemd/
I have the following entry in one of my advanced XML views/dashboards:

    <module name="HiddenSearch" autoRun="True">
      <param name="search">index=jmx tag=AMQ | stats max(QueueSize) as maxqSize | chart eval(round(avg(maxqSize),0)) as qsize | rangemap field=qsize low=0-5000 elevated=5001-10000 default=severe</param>
      <param name="earliest">-5m@m</param>
      <param name="latest">now</param>
      <module name="SingleValue">
        <param name="field">qsize</param>
        <param name="beforeLabel">Avg. Queue Size:</param>
        <param name="classField">range</param>
      </module>
    </module>

I would like to convert the SingleValue/rangemap to a radialGauge but I am unable to determine the proper context for:

    <param name="charting.chart">radialGauge</param>
    <param name="charting.chart.rangeValues">[0,5000,10000,15000,20000]</param>

... and use the same "earliest" and "latest" or real-time search parameters. The chart formatter modules do not seem to support radialGauge.