@mathiasy123 What is your role? I guess you need admin rights to move knowledge objects across apps. If it's not possible, create the alert in the MC app using Run a search.
@smartpraseetha Since the UFs are not sending directly to the indexers, they won't require SSL. But again, this will be a vulnerability between the UF & HF.
@mathiasy123 The alert has to be created in the Monitoring Console to show up. Since it is already created, you can move it to the Monitoring Console app: Edit -> Move -> select "monitoring console". If this helps, an upvote is appreciated.
@smahuja Since append creates a new record, combining fields using eval won't work. Try using the join command instead of append. Then eval should work.
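The difference the answer above describes, as an added example that is not part of the original post. Both searches use constructed rows from makeresults (the id/a/b field names are made up for illustration). The first search stacks the two result sets with append, so a and b land on different rows and a+b is null on both; the second joins them on id, so both fields are on one row and the eval works:

```spl
| makeresults | eval id=1, a=10
| append [| makeresults | eval id=1, b=5]
| eval total=a+b
| table id a b total

| makeresults | eval id=1, a=10
| join id [| makeresults | eval id=1, b=5]
| eval total=a+b
| table id a b total
```

Run the two searches separately; the first returns two rows with an empty total, the second returns one row with total=15.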
@diptij Can you please share your monitor stanza? Did you check the splunkd logs for any errors? It should not depend on the add-on. It only depends on:
1) The user running Splunk on the server must have read permissions to the directories.
2) The monitor stanza should be error free.
@bharathkumarnec It might be due to case variance in the field names. kvstore lookups are case sensitive to field names while csv lookups are not. Can you please verify that?
@chinmay25 You can use mvdedup after stats to remove duplicate values:
| eval START_TIME=mvdedup(START_TIME), END_TIME=mvdedup(END_TIME)
Also, you can use list in place of values:
| stats list(START) as START list(END) as END by JOBNUMBER JOBNAME
If this helps, an upvote would be appreciated.
@vn_g You have to create a token and pass it to the drilldown row/panel. In the XML you need to add depends to either the panel OR the row:
<row depends="$tokenname$">
<panel depends="$tokenname$">
@cdemir You have to disable the entity imports on the SH deployer and push the bundle, assuming you have not touched these inputs and created a local copy of the same.
@VijaySrrie You should use the initial checkpoint value (part of the query) for this field, "access_timestamp". Then the query uses this as the checkpoint and fetches the data after that.
@Reethika If it's not communicating, you can no longer deploy apps to the client.
1) Is the client sending data to the Splunk indexer? index=_internal host="client"
2) If yes, try to restart the Splunk service on the client.
3) Is there any firewall between the client & the Deployment Server? You can check this from the DC by doing telnet forwarderip 9997
4) If it checks out, please look for errors in the splunkd logs on the client.
@mah
1. Use fields to get the required fields only, right after the base search, in both searches. This will improve performance:
index="A" sourcetype="AB" source="C" | fields X Y Z
2. You can optimize the subsearch, specifically these three commands:
| dedup rpg id | sort rpg | stats values(rpg_name) as pg by id acc_name site
@splunkettes Try this: remove the owner and add/edit the below stanza in either default.meta OR local.meta. This can be used for all KOs OR specifically for lookups. Replace roles with the actual role of the user. If you want this for all the roles within the app, replace it with "*", which is a bad practice.
All KOs:
[]
access = read : [roles], write : [roles]
Only for lookups:
[lookups]
access = read : [roles], write : [roles]
@tbrown This has nothing to do with the app. Please check the below.
1) Can you please check whether the role that runs splunkd has access to the data to be monitored?
2) Is the client forwarding internal logs to the main Splunk instance? index=_internal host="client"
3) Is the client communicating with the deployment server? Settings -> Forwarder management
4) If all the above checks out, please look for errors in the splunkd logs on the client.
@chinmay25 One solution would be using the below command instead of convert:
| eval START_TIME=strftime(START, "%H:%M:%S"), END_TIME=strftime(END, "%H:%M:%S") | table JOBNAME START_TIME END_TIME
The multiple values are due to the below command:
| stats values(START) as START values(END) as END by JOBNUMBER JOBNAME
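A runnable version of the two @chinmay25 answers above (the mvdedup/list one and the strftime one), as an added example that is not part of the original posts. It constructs four job records with makeresults, where job 101 has the same START twice and job 102 has two different STARTs, so the multivalue behaviour after stats is visible. list() keeps duplicates, mvdedup removes them, and mvmap (Splunk 8.0 or later) applies strftime to every value of the multivalue field rather than only the first; the field names, job numbers and epoch times are made up:

```spl
| makeresults count=4
| streamstats count AS n
| eval JOBNUMBER=if(n<=2, 101, 102),
       JOBNAME=if(n<=2, "nightly_backup", "log_rotate"),
       START=case(n<=2, 1700000000, n==3, 1700003600, n==4, 1700007200),
       END=START+900
| fields - _time n
| stats list(START) AS START list(END) AS END by JOBNUMBER JOBNAME
| eval START=mvdedup(START), END=mvdedup(END)
| eval START_TIME=mvmap(START, strftime(START, "%H:%M:%S")),
       END_TIME=mvmap(END, strftime(END, "%H:%M:%S"))
| table JOBNUMBER JOBNAME START_TIME END_TIME
```

Job 101 comes out with a single START_TIME/END_TIME after mvdedup; job 102 keeps two formatted values. Replace the makeresults/streamstats/eval/fields lines with the real base search to use it on indexed data; the displayed times follow the searching user's timezone setting.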
@danielbb Check splunkd.log for more errors leading to the crash. If you are still not able to figure it out, open a support ticket with Splunk and share a diag.
@fdevera I assume you are using the inputlookup as a subsearch. Please output the field required from the lookup, like here:
NOT [| `get_seclabel(host,"domain_controller","-90d")` | fields value ]
and match the field name to the field name in the main search. If it is host, rename value to host:
NOT [| `get_seclabel(host,"domain_controller","-90d")` | fields value | rename value as host]
Hope this helps.
@splunkettes You need to create an owner for this app in either default.meta/local.meta. It is best practice to make the user who owns this app the owner, so the lookups created using the outputlookup command will be saved against the owner. You can give read & write permissions to the roles that require the corresponding access.
@d4wc3k You need to check a couple of things:
1) Is there any firewall between the DC & the intermediate forwarder? You can check this from the DC by doing telnet forwarderip 9997
2) Is SSL enabled for this transfer? If so, the certs should match. You can check this in "inputs.conf" on the intermediate forwarder.
@allenhau Use either one of the below in your base search.
OR:
dest_port=4402 OR dest_port=4404
IN:
dest_port IN (4402, 4404)