I would use a SplunkWeb controller for this. Here is how you would make it: Step 1: Make the controller binary Make an executable in the app under the path: $SPLUNK_HOME/etc/apps//appserver/controllers/. If your controller was called my_custom_controller, it would be under: $SPLUNK_HOME/etc/apps/appserver/controllers/my_custom_controller.py. See the following example of a Splunk controller: https://github.com/LukeMurphey/splunk-web-input/blob/master/src/appserver/controllers/web_input_controller.py Step 2: Expose the controller Make a web.conf in the app under the path: $SPLUNK_HOME/etc/apps//default/web.conf. Add a line to this file that exposes your controller. Below is an example (assuming your controller is named called my_custom_controller.py): [endpoint:my_custom_controller] Restart Splunk for the controller to be visible. You can verify that your controller is recognized by navigating to /paths with your browser (e.g. http://mysplunkserver/paths); your controller should be listed if this worked (just search for your controller name, e.g. "my_custom_controller"). Step 3: Wire-up your HTML form Your controller will be exposed under the path /custom//my_custom_controller. For example, if you declared a function called "do_something" within your controller called "my_custom_controller" which is included the in the "my_app" app, then you could access that function from an HTML form with the URL "/custom/my_app/my_custom_controller/do_something"). ... View more

You do this by entering by editing the event and entering only a comment. Leave the other fields empty and it not change those items (will leave the status, urgency and owner unchanged). ... View more

Oh wait, it looks like you already did: http://answers.splunk.com/answers/240633/correlation-search-results-not-displaying-correctl.html ... View more

This was fixed in version 1.1.1 of the Website Monitoring; upgrading should fix the problem. ... View more

I hadn't named the Drill-down search while creating the notable. Once it was updated, the contributing events started showing up as expected. ... View more

Hi Luke, I was trying to explore for options of comparing and identifying the lookup changes using a Splunk search query. However I have had no luck so far. Do you think there would be a way to compare the 2 versions in a splunk search query and capture the modified information or do we need to rely on external tools to do the comparison ? Our requirement is to show the changes within a splunk dashboard itself detailing the time, user and the change. Regards Swati ... View more

haha, we have all been there :). BTW: I noticed you are using the WebsiteStatusCellRenderer. May I presume thats one from the Website Monitoring app? I'm just curious if you were making changes to that app or if you were using for something new. Let me know if you need any help with that too. ... View more

ES 3.2.1 no longer users the CSV lookup file to maintain the state of notable events; it now uses a KV-store (necessary in order to support Search Head Clustering). ES 3.2.1 automatically migrates the contents of incident_review.csv to the KV-store upon upgrade. You should still be able to view the contents using the incident_review lookup though since the macro refers to incident_review_lookup which now points to the KV-store based lookup (unless customizations were made on your install). I'm not sure why the statuses were reset. I would recommend opening a support case to troubleshoot the issue. ... View more

Thank you Luke! ... View more

I'm not sure where it is covered in the docs; it may be covered in the developer classes. ... View more

I totally agree, in this day and age, no link should be hard coded, all should use a relative path. Browsers are now intelligent enough to detect that all you want to do is use the same root URL but with a different path on the end. ... View more

The answer depends on where you want to get the information. In search: | rest /services/authentication/current-context splunk_server=local | fields username In a SplunkWeb controller (Python): import cherrypy user = cherrypy.session['user']['name'] In a splunkd REST endpoint (Python, when inheriting from splunk.rest.BaseRestHandler): user = self.request['userName'] In Javascript: function getUser(){ var uri = Splunk.util.make_url("/splunkd/__raw/services/authentication/current-context?output_mode=json"); var info = null; // Fire off the request jQuery.ajax({ url: uri, type: 'GET', async: false, success: function(result) { console.info(result); info = result; } }); return info.entry[0].content.username; } var user = getUser(); ... View more

Adding the site to the list of trusted sites fixed the issue. ... View more

I submitted a request to get the docs updated. They are now updated to indicate where to put the app: http://docs.splunk.com/Documentation/CIM/4.1.0/User/Install ... View more

Hi, there are a couple of possible paths: - a Splunk forwarder on the windows system uses input capabilities provided by the forwarder and configurations provided by the windows Add-on to gather the events and send them to Splunk indexers. A search head uses configurations provided by the Windows addon and CEF app to output syslog to ArcSight. This is our preferred solution. - a third party solution on the windows system converts events to syslog and sends them to an intermediate location via syslog. A Splunk forwarder picks up these events and uses configurations provided by the windows Add-on to gather the events and send them to Splunk indexers. A search head uses configurations provided by the Windows addon and CEF app to output syslog to ArcSight. ... View more

3.2.1 released a few days ago still uses this extremely slow import. A minute of fiddling with a few .py files after updating takes https://localhost:8000/en-US/custom/SA-ThreatIntelligence/notable_info/all from 13.2s to 10s, for example. Still terrible, but it was 32% more terrible before the fiddling... Also, it seems there are slow calls being made from the main UI thread synchronously, as complained about by my browser: ... View more

As mentioned, you need to have these events tagged for web and proxy for ES. You should refer to the documentation for ES's dashboards for how your data should be tagged to appear in these correctly. http://docs.splunk.com/Documentation/ES/3.2.1/User/MoreNetworkdashboards http://docs.splunk.com/Documentation/CIM/4.1.0/User/Web ... View more

There is a note about application.css and dashboard.css in the documentation: http://docs.splunk.com/Documentation/Splunk/6.1.4/AdvancedDev/Migration#JavaScript_and_CSS_support_changes . ... View more

CEF standard says that the version field is mandatory, so "+"es are not an error. Header Information CEF uses syslog as a transport mechanism. It uses the following format, comprised of a syslog prefix , a header and an extension , as shown below: Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension] The CEF:Version portion of the message is a mandatory header. The remainder of the message is formatted using fields delimited by a pipe ("|") character ... ... View more

The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high. Is this not the case? ... View more

The events are sent to the notable index via a summary indexing alert action. Below is a sample of a correlation searches alert action that summary indexes the results: [Endpoint - Host Sending Excessive Email - Rule] action.summary_index = 1 action.summary_index._name = notable action.summary_index.ttl = 1p Manually running the search interactively won't trigger the alert actions (that is something that the scheduler does). ... View more

There is a Splunk app called Slideshow that allows you display a set of dashboards on an interval. You could set it up with just the one view and it will refresh it automatically. ... View more