Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Raghav2384
Raghav2384
Motivator
Member since:
04-06-2014
09-23-2022
Community Statistics
| Posts | 319 |
| Solutions | 43 |
| Karma Given | 78 |
| Karma Received | 144 |
| Member Since | 04-06-2014 |
Activity Feed
- Got Karma for Re: How to change a specific value of a field in my events to another value in a search?. 09-22-2022 07:07 AM
- Got Karma for Re: Compare two fields and ignore the data with same values. 06-28-2022 08:16 PM
- Got Karma for Re: How to change a specific value of a field in my events to another value in a search?. 04-10-2022 10:19 PM
- Got Karma for Re: First Time Running Error - Mac OS. 03-17-2022 06:55 AM
- Got Karma for Re: How to change the font size for single value visualizations in 6.4.1?. 05-17-2021 11:49 PM
- Karma Re: How to set a new pass4SymmKey password on a search head cluster deployer? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: relating fields with eval for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: How do i set a retention period for any index...? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to index email values without special characters? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Enterprise license violation for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: Search head cluster captain overloaded with jobs waiting at 100% or 0% post upgrade from 6.2.x to 6.4.1 (On Solaris) for rbal_splunk. 06-05-2020 12:48 AM
- Karma Re: Why am I getting jms_ta errors? for Damien_Dallimor. 06-05-2020 12:48 AM
- Karma Re: I have installed the Splunk forwarder, but why am I unable to search the event logs from all machines? for skoelpin. 06-05-2020 12:48 AM
- Karma Re: Is there a way to migrate indexed data from a legacy standalone indexer to a new indexer cluster? for esix_splunk. 06-05-2020 12:48 AM
- Karma Re: How do I extract this field from my sample data using rex? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How do I extract this field from my sample data using rex? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How do I extract this field from my sample data using rex? for supabuck. 06-05-2020 12:48 AM
- Karma Re: How to set a new pass4SymmKey password on a search head cluster deployer? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to set a new pass4SymmKey password on a search head cluster deployer? for ddrillic. 06-05-2020 12:48 AM
- Karma Re: Is there a way to migrate indexed data from a legacy standalone indexer to a new indexer cluster? for jkat54. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-01-2020
08:55 AM
Adding a little to the wise words from @alacercogitatus, there are quite a few ways to this.
OP might have found a solution already. If anyone still stuck on this, below is one of the many ways to do it
Have Tokens for your form Elements
Anything user enters is stored in Token
You can get really creative and do a search as
|makeresults
|eval Input1 = $token1$
|eval Input2 = $token2$
|eval Input3 = $token3$
|collect index= host= sourcetype=
All of these are part of core Splunk, no custom code. Read more about collect command here
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2003/SearchReference/Collect
Hope this helps!
Thanks,
Raghav
... View more
03-23-2017
06:18 PM
cool....I am able to pass the arguments to external script but the can't add this to triggered alert action as results are always 0 though there's value. I guess it passes the arguments and cleans itself out?
I run this |gentimes start=-1|eval x=120|map search="|gentimes start=-1 | script python Hello $x$"
I get the values of x printed to a text file but results say 0. If i could get the results populated so that they are displayed in triggered alerts & pass arguments that would solve it all. And i would drive to Texas and buy you a beer :)...is it possible?
... View more
03-22-2017
05:07 PM
you gotta be kidding me 🙂 that shed the exact amount of light i needed....Thank you
... View more
03-22-2017
04:27 PM
Hello Experts,
I am trying to pass an argument to a python script using "script command"
|gentimes start=-1|eval x=120|script python Hello $x$
throws me the following error (not sure how to make it an int from string on splunk side)
External search command 'Hello' returned error code 1.
If i try the following, it works as expected
|gentimes start=-1|eval x=120|script python Hello 120 -> Works
On the python side, if i say if sys.argv[1] > 100 elif sys.argv[1] < 100 (creates a message based on the condition) will always generate same message even when elif condition is true. I realized it's string and once i did int(sys.argv[1]) works on python side but not from splunk using $x$ . Could you please shed some light?
Appreciate your help
Thanks,
Raghav
... View more
10-25-2016
08:49 PM
Excellent! Please accept this as an answer so that it can easily be found.
Thanks,
Raghav
... View more
10-24-2016
07:10 PM
8 Karma
Hey @hemendralodhi,
Not sure if you are still looking for an answer, try to embedding the !important after the css element. I have inline css doing the same which can easily be wrapped in a css file.
Syntax:
<row>
<panel>
<html>
<style type="text/css">
.dashboard-panel .panel-body.html {
padding: 10px 10px;
background-color: #120660;
}
.single-value .single-result {
font-size: 20px !important;
}
</style>
</html>
</panel>
</row>
Hope this helps!
Thanks,
Raghav
... View more
10-22-2016
07:51 AM
I do not think that is required. Since you are working on only one out of 8 indexers, I would just put that indexer in offline mode and disable boot start. We applied OS patches on our 33 indexer cluster by taking one indexer offline at the time.
IT did take lot of time but I never had to touch my master ot the configurations on the master once during the process. As long as the work you are about to do doesn't alter the application or configs, you should be alright.
I apologize for the delay.
Thanks,
Raghav
... View more
10-20-2016
01:15 PM
1 Karma
Hello @runiyal
Method #1:You can extract the source values to a extracted field and then apply the condition after extraction.
Example: Sourcename is the field you extract and you can simply ask splunk to |search Sourcename=vendor which will limit it to the events that contain that field
Method # 2: use a combination of eval , match function and the condition you want.
Method#3: use stats and eval combination with a AND condition (If both conditions you are looking for are key pairs)
Hope this helps,
Thanks,
Raghav
... View more
10-20-2016
12:33 PM
1 Karma
@sbattista09 , We had the same message couple of weeks ago....We just ran java service and Splunk with proper permissions and it worked like charm...kinda what Damien said above.
Thanks,
Raghav
... View more
10-20-2016
12:30 PM
1 Karma
Hey @mlevsh
8 Indexers (2 sites) i am assuming multi site indexer cluster?
If you are not modifying/altering the application (Example: Splunk upgrade etc) you could simple use the offline command and yes it's safe to temporarily disable boot start if the patching requires multiple reboots.
Do you have a source to backup data data from that indexer? Not that you require to backup data....always safe to have a copy while working on these machines. Since it's a multisite cluster...hoping data is always a mimic on the second site...check for data size .
But yeah, offline command and temporarily disabling boot start should be sufficient.
Thanks,
Raghav
... View more
09-30-2016
08:41 PM
Hey @skoelpin
Is the ask here to fix the 8089 vulnerability anyway or using the self signed cert only?
In general, if you want to force the cipherSuite, i would just add the following to server.conf under sslconfig stanza (This will take care of all the SSLv3 POODLE stuff)
What it doesn't take care of is XSS (Cross Site Scripting) vulnerability if you using versions older than 6.3.3 (I say 6.3.3 because that's the version has XSS patch)
supportSSLV3Only = false
cipherSuite = TLSv1.2:!eNULL:!aNULL
While you are in there, disable kvstore port 8191 if you don't need it as that will pop up in the scan results eventually.
Hope this helps!
Thanks,
Raghav
... View more
09-26-2016
04:46 PM
Hi @rsingh,
There was a communication rom splunk asking folks to upgrade splunk or renew default certs that ship with Splunk before July 17,2016. Off course that was only for Enterprise splunk customers with a valid license.
If you have a Enterprise splunk instance with valid license, contact splunk and they should help you out with a renewal script or provide you instructions to solve the situation you are in
OR
upgrade splunk instance to 6.3.3 or above as they ship with extended default certs.
Hope this helps!
Thanks,
Raghav
... View more
09-20-2016
08:46 AM
1 Karma
Hey @iamarunk,
Here's how licensing works
Free Splunk : cannot exceed 3 violations in a rolling 30 day window
Enterprise Splunk (With active license): cannot exceed 5 violations in a rolling 30 day window
If it's an Enterprise Splunk Instance with active License, please contact your Splunk Support person to get a reset key. Once you add the reset key, the search functionality will resume (Your indexing does not get interrupted due to this btw)
After you resume the search functionality, go to LURV/ License utilization . If you are in a distributed setup, these metrics will be found on your license master.
Check for hints as to what and how this license overage has caused and correct it. Here's what i would do
Check which index/host/Business unit is consuming license more than it's entitled to
Filter the data upfront (Before it hits the Indexers)
If all the data is required/already filtered, start a dialogue with Business/Splunk teams to buy more license.
Hope this helps!
Thanks,
Raghav
... View more
09-07-2016
08:31 AM
Excellent! Please accept it as an answer if it helped you and others can find it easily.
... View more
09-07-2016
06:03 AM
1 Karma
Hello @skender27,
First: App access/permissions has higher precedence (Example: If i have an app called XYZ which has permissions as read: admin, write: admin only) Though there are dashboards in that app with Read:, Write: , Folks who are not admins cannot get to the dashboard as it's not visible to them in the first place.
Second: default = true is nothing but when they click on that app, that's view/dashboard is what displayed right away. It doesn't mean that even if folks do not have access to that view can see it. If they do not have access to the view name="abc" and it that's the default view for that app, they would see an error (Page/View not found)
When you say different landing pages/views for different users, are you talking about same app with a different landing/view for different roles? I am not sure if that's even possible. It comes down to this, either you can see it or not see it.
Hope this helps!
Thanks,
Raghav
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-23-2022
08:52 AM
|
Karma given to
