Activity Feed
- Posted Re: How to Perform a Lookup in Splunk When Some Fields in the Lookup Table Are Empty ? on Splunk Search. a week ago
- Posted Re: How to Perform a Lookup in Splunk When Some Fields in the Lookup Table Are Empty ? on Splunk Search. a week ago
- Posted How to Perform a Lookup in Splunk When Some Fields in the Lookup Table Are Empty ? on Splunk Search. a week ago
- Posted Re: "Connection was reset" when trying to make an API request using CURL on Security. 2 weeks ago
- Posted "Connection was reset" when trying to make an API request using CURL on Security. 2 weeks ago
- Karma Re: Add-on for LDAP: Why am I only getting a few attributes back from ldapsearch (from SA-ldapsearch 2.2.3 and Splunk 6.3.2)? for BlueSocket. 3 weeks ago
- Posted Re: How do I add yesterday's date to an emailed report subject? on Reporting. 01-07-2025 05:28 AM
- Karma Re: How do I add yesterday's date to an emailed report subject? for woodcock. 01-07-2025 05:26 AM
- Posted Help with the Splunk Add-on Builder - creating a custom Python app on Splunk Dev. 11-15-2024 06:35 AM
- Karma Re: Is it possible to loadjob a post-processed search? for nick405060. 11-06-2024 06:41 AM
- Karma Re: How to set loading order for panels? for woodcock. 10-03-2024 06:45 AM
- Posted Re: How to increase height of input text box html dashboard on Dashboards & Visualizations. 10-03-2024 01:20 AM
- Posted Re: How to increase height of input text box html dashboard on Dashboards & Visualizations. 10-03-2024 12:22 AM
- Posted Help with token setting and unsetting on Splunk Search. 09-18-2024 06:47 AM
- Posted Re: Conditional token usage on Dashboards & Visualizations. 08-15-2024 06:31 AM
- Karma Re: Conditional token usage for ITWhisperer. 08-15-2024 06:31 AM
- Posted Re: Conditional token usage on Dashboards & Visualizations. 08-15-2024 05:14 AM
- Posted Re: Conditional token usage on Dashboards & Visualizations. 08-15-2024 02:45 AM
- Posted Conditional token usage on Dashboards & Visualizations. 08-15-2024 02:00 AM
- Got Karma for Getting Microsoft Teams Data into Splunk?. 07-10-2024 12:26 PM
11-10-2023
09:48 AM
great answer, was very useful, thanks.
11-10-2023
02:00 AM
Hi, The filename is called "lookup_edit" and you can navigate to it using the UI: Settings - User Interface - Views.
10-31-2023
02:44 AM
Make sure you are in the lookup editor app context. If you're using Splunk Cloud: https://<domain_name>.splunkcloud.com/en-GB/manager/lookup_editor/data/ui/views
10-18-2023
07:13 AM
Found the problem... the latest time was the same as the earliest time. Correct syntax:
| eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"+d@d")
10-18-2023
07:04 AM
Hi Everyone, I've got a dropdown input that generates 30 date entries and stores the choice in the "date.tok2" token. I'd like to be able to pass the token to a table to run a search over the period chosen from the drop down, but this is not working as expected (not generating any results - I know the query works because if I run it independently it produces results, so the problem must be with the token). I've got an identical drop down menu that works fine and it successfully passes the token onto the table at the beginning of the dashboard (that token is called "date.tok" and is used to set "earliest_tok" and "latest_tok"). Any help would be greatly appreciated.
<input type="dropdown" token="date.tok2" searchWhenChanged="true">
  <label>Date</label>
  <fieldForLabel>Date</fieldForLabel>
  <fieldForValue>earliest</fieldForValue>
  <search>
    <query>| makeresults
| timechart span=d count
| sort - _time
| where _time <= relative_time(now(),"@d")
| fields - count
| eval Date = strftime(_time,"%d-%b-%y"), earliest=relative_time(_time,"@d"), latest=relative_time(_time,"@d")
| dedup Date</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
  <change>
    <set token="earliest_tok2">$row.earliest$</set>
    <set token="latest_tok2">$row.latest$</set>
  </change>
</input>
<table>
  <search>
    <query>| ...| ...</query>
    <earliest>$earliest_tok2$</earliest>
    <latest>$latest_tok2$</latest>
  </search>
  <option name="drilldown">none</option>
  <option name="refresh.display">none</option>
  <option name="rowNumbers">false</option>
  <option name="wrap">true</option>
</table>
- Labels: token
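The thread resolves this by changing the latest token to "+d@d". As an added example (not code from the post or from Splunk), the script below models the subset of relative_time() modifier syntax the two token pairs use (offset, then snap to day; s/m/h/d units only) and checks each dropdown row's earliest/latest window. The row dates are constructed to mirror the 30 daily rows the timechart emits; relative_time, window_seconds and check_dropdown_rows are names chosen here.

```python
import re
from datetime import datetime, timedelta

# Model of Splunk's [+|-]<n><unit>@<snap_unit> modifier syntax, restricted to
# s/m/h/d units. Offset is applied first, then the snap, as Splunk does.
_MODIFIER_RE = re.compile(r"^(?:([+-])(\d*)([smhd]))?(?:@([smhd]))?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def relative_time(base, modifier):
    """Apply a Splunk-style relative time modifier to a datetime."""
    if modifier in ("", "now"):
        return base
    m = _MODIFIER_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, count, unit, snap = m.groups()
    result = base
    if unit:
        # "+d" with no count means "+1d", which is what the corrected token relies on
        n = int(count) if count else 1
        delta = timedelta(seconds=n * _UNIT_SECONDS[unit])
        result = result + delta if sign == "+" else result - delta
    if snap == "d":
        result = result.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        result = result.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        result = result.replace(second=0, microsecond=0)
    elif snap == "s":
        result = result.replace(microsecond=0)
    return result


def window_seconds(row_time, earliest_mod, latest_mod):
    """Length in seconds of the earliest..latest window a dropdown row produces."""
    earliest = relative_time(row_time, earliest_mod)
    latest = relative_time(row_time, latest_mod)
    return (latest - earliest).total_seconds()


def check_dropdown_rows(row_times, earliest_mod, latest_mod):
    """Rows whose window is empty (latest <= earliest): such a row hands the
    table a time range that can never match an event."""
    return [t for t in row_times
            if window_seconds(t, earliest_mod, latest_mod) <= 0]


# Constructed sample: the 30 daily rows a "timechart span=d" over -30d@d emits
SAMPLE_ROWS = [datetime(2023, 10, 18) - timedelta(days=i) for i in range(30)]

if __name__ == "__main__":
    # Original tokens ("@d" for both): every row produces an empty window
    print(len(check_dropdown_rows(SAMPLE_ROWS, "@d", "@d")))    # 30
    # Corrected tokens ("@d" / "+d@d"): every row covers exactly one day
    print(len(check_dropdown_rows(SAMPLE_ROWS, "@d", "+d@d")))  # 0
```

Because timechart already aligns _time to midnight, "@d" on its own only restates the row's time; the "+d" offset is what turns the pair into a one-day range. The same check is worth running on any dashboard that derives both ends of a time range from a single row field.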
10-18-2023
01:13 AM
Hi @somesoni2 , I can't really get the first search to work, how are the count calculations being performed ? x and y are not integers, so not sure how sum() is going to work ?
10-05-2023
01:28 AM
Hi @MattHatter Did you find a solution to this ? We had exactly the same problem and we managed to get it resolved by editing the lookup_edit file (under Settings - User Interface - Views) as follows:
<view template="lookup_editor:/templates/generic.html" type="html" isDashboard="true" isVisible="true">
  <label> Lookup edit </label>
</view>
09-28-2023
11:53 AM
1 Karma
Hi @gcusello , Thanks for getting back to me. Turns out the splunk user did not have access to the pihole.log, only to the pihole-FTL.log files. Splunk started to ingest both files after I changed the permissions. Thanks, Toma.
09-27-2023
03:38 PM
My inputs.conf on the Raspberry Pi looks like this:
[monitor:///var/log/pihole.log]
disabled = 0
sourcetype = pihole
index = main

[monitor:///var/log/pihole-FTL.log]
disabled = 0
sourcetype = pihole:ftl
index = main
Both log files exist in /var/log, but only one sourcetype gets sent to my indexer and that's "pihole:ftl". Any assistance would be greatly appreciated.
- Labels: configuration
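The reply above traces the missing sourcetype to file permissions on pihole.log. The following is an added check, not code from the thread or from Splunk: it reads the enabled [monitor://...] stanzas out of an inputs.conf and reports which paths the account running it cannot read, so it is meant to be run as the forwarder's own user. The inputs.conf text is constructed from the stanzas quoted above; monitored_paths, unreadable and audit are names chosen here.

```python
import configparser
import os

# Constructed sample built from the two stanzas quoted in the post
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/pihole.log]
disabled = 0
sourcetype = pihole
index = main

[monitor:///var/log/pihole-FTL.log]
disabled = 0
sourcetype = pihole:ftl
index = main
"""


def monitored_paths(conf_text):
    """Return (path, sourcetype, index) for every enabled monitor stanza."""
    # inputs.conf uses '=' only; keep ':' out of the delimiter set so a value
    # such as 'pihole:ftl' is not split
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        stanza = cp[section]
        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        found.append((section[len("monitor://"):],
                      stanza.get("sourcetype", ""),
                      stanza.get("index", "(default)")))
    return found


def unreadable(paths, can_read=lambda p: os.access(p, os.R_OK)):
    """Paths the current account cannot read; a missing file counts as unreadable."""
    return [p for p in paths if not can_read(p)]


def audit(conf_text):
    """Map each monitored path to 'ok' or 'unreadable' for the current account."""
    paths = [p for p, _, _ in monitored_paths(conf_text)]
    bad = set(unreadable(paths))
    return {p: ("unreadable" if p in bad else "ok") for p in paths}


if __name__ == "__main__":
    # Run this as the user the forwarder runs as (e.g. sudo -u splunk python3 ...)
    for path, status in audit(SAMPLE_INPUTS_CONF).items():
        print(f"{status:10s} {path}")
```

A monitor stanza that points at a file the forwarder cannot open produces no data and no error in the search results, which is why the symptom here was simply "one sourcetype never arrives"; checking readability as the service account is the quickest way to separate a permissions problem from a parsing one.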
08-17-2023
05:29 AM
Good point, The timestamps are quite old. What are the defaults for MAX_DAYS_AGO and MAX_DAYS_HENCE as I cannot see them being defined in the sourcetype settings ? Should I go ahead and define them ? Some of the data is older than 2000 days. Many thanks.
08-17-2023
05:23 AM
Hi, I've added a sample event and sourcetype configurations, hope this is enough information.
08-17-2023
01:40 AM
Hi Everyone,
Data coming in from an API is using the _indextime as the _time field because the timestamp format that is being sent is not recognised by Splunk.
An example of the timestamp would look like this:
2016-06-21T01:18:51-07:00
OR
2018-02-16T06:34:31-08:00
As you can see, an offset of -7 or -8 hours is being added to the time field.
The timestamp format we're currently using for the sourcetype is:
%Y-%m-%dT%H:%M:%S%:z
This is no longer working after the sender made some changes to the timestamp, but I'm not entirely sure how to represent the new format.
Using Splunk Cloud.
Any help would be greatly appreciated.
Toma.
- Tags:
- sourcetype
- timestamp
- Labels: sourcetype
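Two things come together in this thread: the timestamp layout in the question, and the MAX_DAYS_AGO / MAX_DAYS_HENCE defaults asked about in the reply further up. The script below is an added example, not code from the thread or from Splunk. It parses the quoted timestamps with the Python equivalent of the sourcetype's format string and flags events that would fall outside the accepted date window. The window defaults (2000 and 2 days) are the props.conf defaults as I know them; confirm against props.conf.spec for your release. The reference clock and the extra sample timestamps are constructed; parse_event_time, classify and audit are names chosen here.

```python
from datetime import datetime, timezone

# Splunk's %:z denotes a colon-separated offset such as -07:00. Python's
# strptime %z has accepted that form since 3.7, so the two strings describe
# the same layout.
SPLUNK_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%:z"
PY_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

# Assumed props.conf defaults (check props.conf.spec for your release)
DEFAULT_MAX_DAYS_AGO = 2000
DEFAULT_MAX_DAYS_HENCE = 2

# Constructed samples: the two from the post, one recent, one in another layout
SAMPLE_TIMESTAMPS = [
    "2016-06-21T01:18:51-07:00",
    "2018-02-16T06:34:31-08:00",
    "2023-08-17T09:00:00+01:00",
    "2016/06/21 01:18:51",
]
# Constructed reference clock: the day the question was posted
REFERENCE_NOW = datetime(2023, 8, 17, 12, 0, tzinfo=timezone.utc)


def parse_event_time(raw, fmt=PY_TIME_FORMAT):
    """Epoch seconds for a timestamp in the configured layout, or None if it
    does not match. The offset is honoured, so -07:00 moves the value 7h later in UTC."""
    try:
        return datetime.strptime(raw, fmt).timestamp()
    except ValueError:
        return None


def classify(raw, now=REFERENCE_NOW, max_days_ago=DEFAULT_MAX_DAYS_AGO,
             max_days_hence=DEFAULT_MAX_DAYS_HENCE):
    """Return (status, epoch). Status 'ok' means the extracted time is usable as
    _time; 'unparsed', 'too_old' and 'too_far_ahead' all mean Splunk will not
    take _time from the event text and will fall back to another time source."""
    epoch = parse_event_time(raw)
    if epoch is None:
        return ("unparsed", None)
    days_ago = (now.timestamp() - epoch) / 86400
    if days_ago > max_days_ago:
        return ("too_old", epoch)
    if -days_ago > max_days_hence:
        return ("too_far_ahead", epoch)
    return ("ok", epoch)


def audit(timestamps=SAMPLE_TIMESTAMPS, **window):
    """Classify every sample; keyword args override the window (now, max_days_ago, ...)."""
    return {raw: classify(raw, **window) for raw in timestamps}


if __name__ == "__main__":
    for raw, (status, epoch) in audit().items():
        print(f"{status:14s} {raw}  ->  {epoch}")
```

Run against the two timestamps in the post with a 2023 clock, both parse correctly but are well over 2000 days old, so the date window rather than the format string can explain a wrong _time; raising max_days_ago (the audit(max_days_ago=3000) call) is the quickest way to tell the two causes apart before changing the sourcetype.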
07-05-2023
07:41 AM
Hi, We use a hybrid environment, so I could clone the dashboard and put it onto the SOC SH as a temporary workaround until the issue with the lookup editor affecting the main SH gets resolved by Splunk (we have a case open with them). Do you have any suggestions on how to set up a URL redirect from the existing dashboard to the temporary one ? Using Splunk v9. Many thanks.
07-04-2023
07:38 AM
Hi, We've got a dashboard sitting on a problematic SH and would like to clone and move it to another working SH. Is there a way to redirect the users to the newly created cloned dashboard ? Many thanks, Toma
06-29-2023
07:18 AM
Update: DBConnect is sending the logs to both our Cloud and On Prem instances - some events are missing from the Cloud indexer, although they are present on the local indexer. We've raised a support ticket with Splunk to investigate.
06-26-2023
04:49 AM
Hello, Can't seem to find anything in the _internal index and the DB Connect Health dashboard doesn't appear to be working. - I'm currently looking into this. "How are you verifying that you have missing records?" - I use the "delta" command to compute the difference between the current value of the rising column field and the previous value. The gaps are only present in the Splunk index and I can see all the rows incrementing as expected in the DB connection. - I also compared the total number of events with the total number of records in the database over a given period of a day and the results are inconsistent: most days they are correct, but every few days there is a discrepancy.
- Tags:
- hi
06-22-2023
08:06 AM
Hello, We ingest data from a database using rising columns, however a small amount of events are missing from the index, although I can see them in DBConnect. The field that we use as a rising column is set as an identity column so I'm expecting that each new value is generated based on the current seed & increment. Query timeout is set to 30 seconds, max rows to retrieve is 0 (maximum), fetch size is 300 and frequency is 60 seconds - from what I've observed this should be sufficient for our requirements. Any assistance would be greatly appreciated. Many thanks.
- Tags:
- dbconnect
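The reply above describes checking for missing records by running "delta" over the rising-column values. As an added example (not code from the thread or from DB Connect), the function below performs the same gap check offline on the list of rising-column values that were actually indexed, using the column's seed-and-increment step so it works for identity columns that increment by more than one. The id values are constructed; find_gaps and missing_count are names chosen here.

```python
def find_gaps(values, step=1):
    """Report every place where consecutive rising-column values jump by more
    than `step`. Values are de-duplicated and sorted first, so ingest order
    and repeated checkpoints do not produce false gaps."""
    gaps = []
    ordered = sorted(set(values))
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > step:
            gaps.append({
                "after": prev,            # last value seen before the gap
                "next_seen": cur,         # first value seen after it
                "missing": (cur - prev) // step - 1,  # rows the step says are absent
            })
    return gaps


def missing_count(values, step=1):
    """Total number of rows the gaps account for."""
    return sum(g["missing"] for g in find_gaps(values, step))


# Constructed sample: identity values 1000..1020 with two batches absent
SAMPLE_IDS = [i for i in range(1000, 1021) if i not in (1005, 1006, 1007, 1013)]

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_IDS):
        print(f"gap after {gap['after']}: {gap['missing']} missing, resumes at {gap['next_seen']}")
    print("total missing:", missing_count(SAMPLE_IDS))  # 4
```

One caveat when reading the output: a gap in an identity column is evidence, not proof, of a lost event, because a rolled-back insert still consumes its identity value. The post's second check, comparing daily event counts against the database's row counts, is what confirms the rows really exist on the database side.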
06-05-2023
07:54 AM
Hi, The operational requirement is to run the report every minute, but I'm thinking to propose to run it every 5 mins outside of busy operational times. We do have enough resources to run the queries, but would still like to optimise the search and frequency as much as possible. Currently I'm using the report as a base search for my dashboard, but I'm not entirely sure how to call both of the reports, as suggested ? Many thanks.
06-02-2023
04:51 AM
Is it possible to add multiple cron schedules to a single base report ?
06-02-2023
03:50 AM
Hi,
I have a dashboard that runs off the back of a report that is scheduled to run every minute. I need to amend the report schedule to run every minute between the specified hours AND every 5 minutes outside those hours to save on resources.
My current cron expression looks like this:
*/1 * * * *
To run every minute between the specified hours, I could write something like this:
*/1 3-8,12-20 * * *
The question I have is how to add a clause to schedule the search to run every 5 minutes outside those hours?
Many thanks.
- Labels: cron
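Before committing to two schedules it is worth confirming that they actually cover the day as intended. The script below is an added example, not code from the post or from Splunk: a minimal matcher for 5-field cron expressions that checks the union of the busy-hours expression from the post and an off-hours expression (my complement of the post's hour list, every 5 minutes) fires every minute during busy hours and 12 times per hour otherwise. The check date is constructed; parse_cron, cron_matches, fires and firings_per_hour are names chosen here.

```python
from datetime import datetime, timedelta

BUSY_HOURS_CRON = "*/1 3-8,12-20 * * *"        # from the post
OFF_HOURS_CRON = "*/5 0-2,9-11,21-23 * * *"    # assumed complement, every 5 minutes
SCHEDULES = (BUSY_HOURS_CRON, OFF_HOURS_CRON)

# Allowed ranges for minute, hour, day-of-month, month, day-of-week (0 = Sunday)
_FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))


def _expand(field, lo, hi):
    """Expand one cron field (*, a, a-b, a,b, */n, a-b/n) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a 5-field expression into (minutes, hours, doms, months, dows) sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    return tuple(_expand(f, lo, hi) for f, (lo, hi) in zip(fields, _FIELD_RANGES))


def cron_matches(expr, when):
    """True if `expr` fires at the minute `when`. Day-of-month and day-of-week
    must both match here; classic cron ORs them when both are restricted, which
    makes no difference for expressions that leave both as '*'."""
    minutes, hours, doms, months, dows = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7   # cron: 0 = Sunday; Python: 0 = Monday
    return (when.minute in minutes and when.hour in hours and when.day in doms
            and when.month in months and cron_dow in dows)


def fires(when, schedules=SCHEDULES):
    """True if any schedule in the set fires at `when`."""
    return any(cron_matches(s, when) for s in schedules)


def firings_per_hour(hour, day=datetime(2023, 6, 2), schedules=SCHEDULES):
    """Number of minutes in the given hour at which the combined schedules fire."""
    start = day.replace(hour=hour, minute=0, second=0, microsecond=0)
    return sum(fires(start + timedelta(minutes=m), schedules) for m in range(60))


def firings_per_day(day=datetime(2023, 6, 2), schedules=SCHEDULES):
    return sum(firings_per_hour(h, day, schedules) for h in range(24))


if __name__ == "__main__":
    for h in range(24):
        print(f"{h:02d}:00  {firings_per_hour(h):3d} runs")
    print("per day:", firings_per_day())   # 1008
```

Whether one report can carry both expressions is the question the post asks; what this check settles is that the two expressions are disjoint (no hour appears in both hour lists) and complete (every hour appears in one of them), which is the property to verify whichever way the scheduling ends up being split.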
04-20-2023
02:40 AM
How would I get this working for reports with a longer name format, for example: [REPORT] This is a test report I've tried to URL encode the characters without success: %5BREPORT%5D%20This%20is%20a%20test%20report
04-20-2023
02:13 AM
1 Karma
Hi Gregg, This is amazing, thanks for sharing, wish I could mark more than one answer as a solution. joao_amorim's answer was addressing my basic question, but I can see how I can expand on the REST API topic using your solution. Many thanks, Toma
- Tags:
- other
04-20-2023
02:06 AM
Please ignore my previous answer, the report was set to private and this does in fact work. I had to add the "-o" (output) flag and specify where the file should go to as I didn't know what the default location was.
04-20-2023
01:12 AM
Unfortunately it doesn't work. I'm getting "Error in 'savedsearch' command: Unable to find saved search named 'Test'", although the report definitely exists and is scheduled to run.
04-18-2023
06:26 AM
Hi Rich, I guess my question is what is the correct endpoint and what is the correct syntax for exporting the report as a CSV file ? I've looked at the "REST API Reference Manual", but couldn't really find my answer. Many thanks.