Hi, I`m looking to export a scheduled report using the REST API but I`m struggling with the syntax. I was able to run a new search inside "curl" and export it, but can`t seem to be able to do the same for saved reports. Would be grateful if someone could help with the syntax for exporting the following report as a CSV file:     curl -k -H "Authorization: Bearer myValidToken" https://myValidDomain.splunkcloud.com:8089/servicesNS/userName/app/saved/searches/%20Test%20/history       ... View more

Hi Everyone, I`m learning about the Splunk REST API and I`m experiencing some temperamental behaviour, for example I can fetch results using the query listed below from some reports, but it fails for others, example below:   curl -k -H "Authorization: Splunk myValidToken" https://myValidDomainName.splunkcloud.com:8089/services/saved/searches/%5BLOOKUP%5D%20Active%20Directory%20Devices%20No2/acl    Response:   <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Could not find object id=[LOOKUP] Active Directory Devices No2</msg> </messages> </response>   The report name is correct. Have you got any suggestions for me ? Many thanks, Toma ... View more

I`m trying to query Splunk Cloud using the REST API so that I can export some data externally, however I`m not entirely sure how to download/install/configure the ACS Open API 3.0 specification. The Splunk documentation is a bit ambiguous. I`m also unable to setup a new authentication token, receiving the error below. I`m using an admin account.     curl -u username:password -X POST https://admin.splunk.com/[myValidStackName]/adminconfig/v2/tokens {"code":"401-unauthorized","message":"{\"messages\":[{\"type\":\"ERROR\",\"text\":\"Unauthorized\"}]}. Please refer https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages for general troubleshooting tips."}         ... View more

Hi, Can someone recommend a way to save the results of a Splunk search locally or to shared drive? We`re using a hybrid deployment (Cloud and Enterprise), but the data we require is available in Cloud only. Many thanks, Toma ... View more

We have a requirement to share a Splunk report externally and I`m aware we can achieve this by using iframes to embed the report. My question is who can access the iframe - assuming it`s everyone who has a copy of the iframe/URL - and if there`s a way to restrict access to certain users only ? Can the restriction be applied within Splunk, or does it need to be applied within the external web app that we`re sharing with ? ... View more

Hi Everyone, I was reading through this article that led me to believe it`s possible to display external web content in Splunk, however it doesn`t appear to be working for me. Interestingly, it works fine outside of Splunk (ie: if I save the source as an HTML file locally on my computer), but it doesn`t display the iframe if I put it in a Splunk dashboard. Any assistance would be greatly appreciated. Source code below. <?xml version='1.0' encoding='utf-8'?> <dashboard version="1.1"> <label>My iFrame Dashboard</label> <row> <html> <h2>Embedded Web Page!</h2> <iframe src="https://myValidDomainName" width="100%" height="300">&gt;</iframe> </html> </row> </dashboard>   ... View more

Hi, I`m following this article in an attempt to ingest Teams data into Splunk and I need some help with testing the webhook - can someone confirm what the webhook URL is ?         curl WEBHOOK_ADDRESS -d '{"value": "test"}'           Also, looking at the documentation for the Teams Add-on for Splunk it states that "theTeams Webhook is not available for Splunk Cloud installations." - has anyone found an alternative solution for Cloud Deployments ? We use Splunk in a hybrid (cloud + on prem) environment. Many thanks. ... View more

I have the following search which returns a table of all hostnames and operating systems. | inputlookup hosts.csv | search OS="*server*" | table hostname, OS I would like to add a checkbox to exclude Windows Server 2008 builds. This is what I have so far: <row> <panel> <input type="checkbox" token="checkbox" searchWhenChanged="true"> <label></label> <choice value="Windows Server 2008*">Exclude Server 2008</choice> <change> <condition match="$checkbox$==&quot;Enabled&quot;"> <set token="setToken">1</set> </condition> <condition> <unset token="setToken"></unset> </condition> </change> </input> </panel> </row>   New panel to show server builds depending on the checkbox: <query> | inputlookup hosts.csv | search OS="*server*" AND OS!="$checkbox$" | stats count as total <query> This only works when the checkbox is selected and correctly excludes the 2008 builds from the search, but doesn`t display anything when the checkbox is unselected. I would like to display all devices when the  checkbox is unselected. ... View more

Recently we needed to update the Client Secret for one of our tenants and I wanted to ask what is the most efficient way of tracking what the token expiry date is  and to create an alert in Splunk? I had a look at the logs and couldn`t find anything to indicate when the access token is about to expire. ... View more

Hi Everyone, I have a field called "User" that contains similar values and I was wondering how to remove or merge similar values? For example: "Tony W" and "Anthony W" (both values of the same field) should be merged together. I was looking at the fuzzy search and jellyfish apps on SplunkBase, but couldn't find a solution to the problem. My search query: (index="abc" Name=*) OR (index="xyz" department=* displayName=*) | eval User=if(isnull(Name), upper(displayName), upper(Name)) | stats values(department) as department by User ... View more

Hi Everyone, I have 3 pie charts in a panel, showing agent statistics as follows: - 1st pie chart displays overall statistics split by analyst; - 2nd pie chart displays daily statistics split by analyst ( | where shift="Day") - 3rd pie chart displays nightly statistics split by analyst ( | where shift="Night"). I've created a drilldown which works fine for the overall pie chart and it correctly displays the data in another panel based on the value of the slice.  To accomplish this I`ve created a token called "tokNames" and assigned an initial value of ALL *. <init> <set token="tokNames">*</set> </init> Drilldown for the Overall pie chart: <drilldown> <set token="tokNames">$click.value$</set> </drilldown> The problem starts with the daily and nightly pie charts - when I click on a name, it displays all the statistics of that particular agent, instead of showing only the daily or only the nightly statistics. Any assistance would be greatly appreciated. Thank you in advance. Toma. ... View more