No matching visualization found for type:wordcloud,in app:wordcloud_app,even set to global permission hi . everyone.I am not very good at English, I used a deployer to push the Wordcloud app to the search header, but the visualization tab didn't have the chart, and I tried to set the app permissions to global, but still, it didn't work. I opened the example in Wordcloud, and I saw the following message. No matching visualization found for type:wordcloud,in app:wordcloud_app If I install it on a single Splunk, it can work. Why can't it be used in search clusters? ... View more

On Search Head Cluster Mode, I have 4 search heads. I want to call some JS and CSS static resources in dashboard of search app. So how do I upload these JS and CSS to all search heads (directory : /appserver/static)? I think I can use deployer,so I follow the steps below Create an app on the deployer. and put JS and CSS file in directory /opt/splunk/etc/shcluster/apps/appname/appserver/static . Push this bundle to all search heads Set the app permissions as global Switch to dashboard of search app , and then load CSS and JS in the form tag of the dashboard. But it isn't working, I view the html source code of the dashboard, it doesn't load these static resources, why? ... View more

We know we can see the number of clients on the Forwarder Management page of the deployment server, but I want to show it on the dashboard, Can I use SPL to count the number of clients on the deployment server? By the way, my splunk architecture is search header cluster + index cluster. ... View more

I enabled the powershell logging function on WinServer2k8 or Winserver2012 in following steps create a default profile: C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1 Add these to default profile.ps1 file $LogCommandHealthEvent = $true $LogCommandLifecycleEvent = $true Then I try executing a powershell command in powershell window,I can see this record in the event viewer. Now ,I will use splunk forwarder push that to splunk , I created following inputs.conf stanza: c:\program files\splunk forwarder\apps\splunk_TA_Windows\local\inputs.conf [WinEventLog://Windows Powershell] disabled=0 ` I also tried the following inputs [WinEventLog://Microsoft-Windows-Powershell/Operational] disabled=0 Splunk can't receive the PowerShell log，However, I can receive Windows Security log, so I think I might input Invalid stanza in inputs.conf and I can't find an error that related inputs from internal log Who can tell me how to create inputs stanza correctly? ... View more

I have a SOC (Security Operation Center) that has an API to receive alert content from splunk（splunk version 6.4.4）.When the alert is triggered, I hope Splunk can send the alert contents to SOC API. So what way should I send the alert type to SOC API? The fields and contents of each alert are different. In addition, it can be formatted as JSON? Should I use the Run a script action? Is there a best way sent alert content to SOC API ? ... View more

I have some json data forward to universal forwarder via syslog. Then universal forwarder is forwarders them to the indexer cluster. syslog （on log source server） ——> uf——>indexer cluster When I searching I can see some short json got truncated . It is truncated after about 1000~2000 characters or so， I set props.conf on indexers as follows: [mysourcetype] INDEXED_EXTRACTIONS = json category = Structured SHOULD_LINEMERGE = false disabled = false pulldown_type = true TIME_FORMAT = %s TIME_PREFIX = ^\{"timestamp": TRUNCATE = 0 raw json {"timestamp":1527213681,"request_headers":{"host":"172.10.101.200:8888","connection":"keep-alive","referer":"http:\/\/172.10.101.200:8888\/superset\/dashboard\/ptsjyy\/?preselect_filters=%7B%22114%22%3A%7B%22__time_grain%22%3A%22month%22%2C%22source%22%3A%5B%5D%7D%7D","accept-encoding":"gzip, deflate, sdch","x-requested-with":"XMLHttpRequest","cookie":"session=.eJyV0N1qxCQABeB3mesQfxONr7KUMNGxhtq6qNtlW_ruFXrdQudu4HxzYD5hj5VaAtfrjSbYzwAOlJFcxKA3iWa13uChtOJSo0WU1iiYwLca915e6G3kjd7sogXxzUfOURgTOQmzbkoRX6TX64FeLmG4XDxmGuYjje2Kz7Sns_VSH-AukHq_OsaEkbNcZsn5LAV3dgwL2NJRsIbXEii_n3RneUA2rvyhOh6Z_iV-7Xma4Nao_nxIwNc3efpdRg.Ddpwlg.tze07woTDVEN_iZ4sIS_jzT4VGI","accept-language":"en-US,en;q=0.8","user-agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.71 Safari\/537.36","accept":"application\/json, text\/javascript, *\/*; q=0.01"},"id":"34a2743ad59c93907872","method":"GET","uri":"\/superset\/explore_json\/table\/39\/","client":"10.195.28.22","uri_args":{"form_data":"{\"datasource\":\"39__table\",\"viz_type\":\"area\",\"slice_id\":113,\"granularity_sqla\":\"riqi\",\"time_grain_sqla\":\"month\",\"since\":\"\",\"until\":\"\",\"metrics\":[\"sum__VAL_02\"],\"groupby\":[\"source\"],\"limit\":50,\"timeseries_limit_metric\":null,\"order_desc\":true,\"show_brush\":false,\"show_legend\":true,\"line_interpolation\":\"linear\",\"stacked_style\":\"stack\",\"color_scheme\":\"googleCategory20c\",\"rich_tooltip\":true,\"contribution\":false,\"show_controls\":false,\"x_axis_format\":\"%Y-%m-%d\",\"x_axis_showminmax\":true,\"y_axis_format\":\",\",\"y_axis_bounds\":[null,null],\"y_log_scale\":false,\"rolling_type\":\"None\",\"time_compare\":null,\"num_period_compare\":\"\",\"period_ratio_type\":\"growth\",\"resample_how\":null,\"resample_rule\":null,\"resample_fillmethod\":null,\"annotation_layers\":[],\"where\":\"\",\"having\":\"\",\"filters\":[],\"extra_filters\":[{\"col\":\"__time_grain\",\"op\":\"in\",\"val\":\"month\"},{\"col\":\"source\",\"op\":\"in\",\"val\":[]}]}","preselect_filters":"{\"114\":{\"__time_grain\":\"month\",\"source\":[]}}"},"alerts":[{"msg":"Repetitive non-word characters anomaly detected","id":51002,"match":6}]} Truncated json (displayed in search results)： {"timestamp":1527213681,"request_headers":{"host":"172.10.101.200:8888","connection":"keep-alive","referer":"http:\/\/172.10.101.200:8888\/superset\/dashboard\/ptsjyy\/?preselect_filters=%7B%22114%22%3A%7B%22__time_grain%22%3A%22month%22%2C%22source%22%3A%5B%5D%7D%7D","accept-encoding":"gzip, deflate, sdch","x-requested-with":"XMLHttpRequest","cookie":"session=.eJyV0N1qxCQABeB3mesQfxONr7KUMNGxhtq6qNtlW_ruFXrdQudu4HxzYD5hj5VaAtfrjSbYzwAOlJFcxKA3iWa13uChtOJSo0WU1iiYwLca915e6G3kjd7sogXxzUfOURgTOQmzbkoRX6TX64FeLmG4XDxmGuYjje2Kz7Sns_VSH-AukHq_OsaEkbNcZsn5LAV3dgwL2NJRsIbXEii_n3RneUA2rvyhOh6Z_iV-7Xma4Nao_nxIwNc3efpdRg.Ddpwlg.tze07woTDVEN_iZ4sIS_jzT4VGI","accept-language":"en-US,en;q=0.8","user-agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.71 Safari\/537.36","accept":"application\/json, text\/javascript, *\/*; q=0.01"},"id":"34a2743ad59c93907872","method":"GET","uri":"\/superset\/explore_json\/table\/39\/","client":"10.195.28.22","uri_args":{"form_data":"{\"datasource\":\"39__table\",\"viz_type\":\"area\",\"slice_id\":113,\"granularity_sqla\":\"riqi\",\"time_grain_sqla\":\"month\",\"since\":\"\",\"until\":\"\",\"metrics\":[\"sum__VAL_02\"],\"groupby\":[\"source\"],\"limit\":50,\"timeseries_limit_metric\":null,\"order_desc\":true,\"show_brush\":false,\"show_legend\":true,\"line_interpolation\":\"linear\",\"stacked_style\":\"stack\",\"color_scheme\":\"googleCategory20c\",\"rich_tooltip\":true,\"contribution\":false,\"show_controls\":false,\"x_axis_format\":\"%Y-%m-%d\",\"x_axis_showminmax\":true,\"y_axis_format\":\",\",\"y_axis_bounds\":[null,null],\"y_log_scale\":false,\"rolling_type\":\"None\",\"time_compare\":null,\"num_period_compare\":\"\",\"period_ratio_type\":\"growth\",\"resample_how\":null,\"resample_rule\":null,\"resample_fillmethod\":null,\"annotation_layers\":[],\"where\":\"\",\"having\":\"\",\"filters\":[],\"extra_filters\":[{\"col\":\"__time_grain\",\"op\":\"in\",\"val\":\"month\"},{\"col\":\"source\",\"op\":\"in\",\"val\":[]}]}","preselect_filters":"{\ I use the json validator to verify JSON data syntax and no special characters in JSON. I try searching internal log . but I can't find any error logs about json truncation. index=_internal LineBreakingProcessor data_sourcetype=mysourcetype all help will be appreciated. ... View more