Activity Feed
- Posted Re: Search generates this error - Regex: regular expression is too large on Splunk Search. 10-03-2024 02:56 PM
- Posted Re: Search generates this error - Regex: regular expression is too large on Splunk Search. 10-03-2024 02:54 PM
- Karma Re: Search generates this error - Regex: regular expression is too large for sainag_splunk. 10-03-2024 02:54 PM
- Posted Re: Search generates this error - Regex: regular expression is too large on Splunk Search. 10-03-2024 02:45 PM
- Posted Re: Search generates this error - Regex: regular expression is too large on Splunk Search. 10-03-2024 10:16 AM
- Posted Search generates this error - Regex: regular expression is too large on Splunk Search. 10-03-2024 09:22 AM
- Posted Re: Dashboard Studio count input on Dashboards & Visualizations. 09-06-2024 10:00 AM
- Posted Re: Dashboard Studio count input on Dashboards & Visualizations. 09-05-2024 02:33 PM
- Posted Dashboard Studio count input on Dashboards & Visualizations. 09-05-2024 01:10 PM
- Posted Re: In Dashboard Studio using count of results in a different section on Dashboards & Visualizations. 09-05-2024 11:52 AM
- Karma Re: In Dashboard Studio using count of results in a different section for ITWhisperer. 09-05-2024 11:52 AM
- Posted In Dashboard Studio using count of results in a different section on Dashboards & Visualizations. 09-05-2024 10:05 AM
- Posted Re: Adding asterisk to host list on Splunk Search. 08-28-2024 01:16 PM
- Posted Re: Handling nulls in a string on Splunk Search. 08-28-2024 12:39 PM
- Posted Adding asterisk to host list on Splunk Search. 08-28-2024 12:32 PM
- Posted Re: Handling nulls in a string on Splunk Search. 08-21-2024 09:30 AM
- Posted Handling nulls in a string on Splunk Search. 08-20-2024 02:39 PM
- Posted Re: Line breaking odd issue on Splunk Search. 07-31-2024 01:50 PM
- Karma Re: Line breaking odd issue for PickleRick. 07-31-2024 01:50 PM
- Karma Re: Line breaking odd issue for yuanliu. 07-31-2024 01:50 PM
10-03-2024
02:56 PM
Thanks for the assistance @sainag_splunk . I didn't know about some of the btool options. I normally do btool --debug [inputs|props|transforms] list <stanza>
09-06-2024
10:00 AM
This works.
| makeresults
| fields - _time
| eval hosts="$servers_entered$"
| makemv delim="," hosts
| eval count=mvcount(hosts)
| table count
09-05-2024
11:52 AM
Thanks @ITWhisperer . That is the solution.
08-29-2024
11:09 AM
Oh. This is something we in Poland call "shooting the sparrow with a cannon". If you really want to modify the user's input, you should do so on the client's side using the <change> functionality of the dashboard. But I'm still asking what the point is in doing so. If you want to have predefined choices, you use different inputs. If you let the user type in something freely, honor their choice (and/or educate the users to add the wildcard by themselves).
08-28-2024
12:39 PM
@bowesmana, @gcusello, and @yuanliu thanks for the responses. This has been shelved due to funding issues. If it gets funded, we will go back to the vendor and see if they can add something that will say this is new or timestamp it so we can keep track that way.
07-31-2024
01:50 PM
@PickleRick That was the issue. I was only pushing to the UF and not the indexers. Sometimes I forget that props.conf has parts that go to the indexer and parts that go to the search heads.
05-09-2024
10:13 AM
1 Karma
I would change the code since I know I have to maintain any future updates to that file myself and that it might break how other reports display in a PDF. I would also check out the "betterpdf" app in splunkbase (https://splunkbase.splunk.com/app/7171).
04-30-2024
10:03 AM
Thanks. Since transforms.conf doesn't have the limitations of EXTRACT, I finally got it working.
04-02-2024
01:45 PM
Thanks. I hadn't thought of that. Since I posted the question, NetSkope came back with a solution. I was sent this:
conf_file_stanzas = conf_file_object.get_all()
Replace the above line with the following:
conf_file_stanzas = conf_file_object.get_all(only_current_app=True)
With that the issue was resolved. The code was trying to get information from another TA.
03-11-2024
03:25 PM
I'm getting this error message in the log file: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid. I'm trying to work out how to get what is passed to credentials.py since the information in the username doesn't make sense to me. Is there any way of debugging credentials.py? I tried to put print statements in, but the TA UI didn't like it. I had to remove the print statements to get the UI working again. I've tried debugging via the command line but always get stuck at this point: session_key = sys.stdin.readline().strip(). I can't work out what I need to do to see where the user information is coming from. Any help on how I can debug this? TIA, Joe
Tags: debug
Labels: configuration, dashboard, troubleshooting
02-27-2024
11:19 AM
@PickleRick You are correct. It is poorly written. I have already made three suggestions to them, of which one is to split it into an ingest piece and a search piece.
02-21-2024
03:29 PM
1 Karma
Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this. SplunkWeb users may experience different behaviors for the UI preferences that used to persist and show latest preferences by updating ui-prefs.conf on the fly. Now after upgrade to 9.0.5+ or 9.1.0+ its behavior changed and no longer uses ui-prefs.conf to remember the user's UI level preferences, but instead, uses the url in the request or localStorage/Web Storage. In Firefox I found this webappsstore.sqlite in my ../Library/Application Support/Firefox/Profiles/e0fxb1hs.default-release which is similar to the above. Is this where the ui-prefs.conf information was moved to? I've had a request from a user that wants to set the 'Selected fields', but after the upgrade to 9.1.2 the changes would be stored in a sqlite DB. Is this correct? Is there any way of changing the 'Selected fields' other than using the backend? Does this work for other apps beyond Search? TIA, Joe
Labels: using Splunk Enterprise
02-13-2024
09:15 AM
I worked with Sahil Sharma of Technical Support on this. The answer was to update the add-on from 4.0.1 to 4.0.2. That fixed the problem.
12-07-2023
03:55 PM
1 Karma
From your SPL, it looks like you're trying to access the first line after "At" as the message type. Have you tried extracting message type with | rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?<message_type>\w+):" where the .. will match the line feed (you may only need a single dot; it depends on the data).
11-07-2023
12:01 PM
With a little massaging of fields, we can get you the desired output.
| inputlookup external_url.csv
| lookup external_results.csv allowed_url as url OUTPUTNEW url as isFound
| eval fw_url=isFound, isFound=if(isnull(isFound),"false", "true")
| table allowed_url fw_url isFound
10-11-2023
12:14 PM
1 Karma
@yuanliu Thanks. I would have never figured out the mvjoin(mvindex. That is something I don't use. You gave me enough help that I was able to work out something I can give to another team. Karma point awarded.
10-03-2023
01:50 PM
@PickleRick Thanks. I've upvoted the idea.
09-14-2023
01:25 PM
I'm working with a custom TA, AlertAction_SFTP, that has the following .conf.spec file.
[my_sftp_alert_action]
param.sftp_server = <string>
param.sftp_user = <string>
param.sftp_rfile = <string>
param.sftp_key = <string>
param.ssh_key_dir = <string>
param.sftp_password = <string>
When I try to use $date$ in the file name, filename-$date$, I get "Remote path is invalid." I've tried multiple ways of doing this, including adding date to my search:
index=vuln sourcetype="qualys:hostDetection" signature="SMB Version 1 Enabled" TAGS="*Server*" earliest=-1d@d latest=@d
| eval date=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| table date, *
I've tried $results.date$, $date$, and a couple of other things. Is there some reason that the rfile path must not use a Splunk variable? TIA Joe
Tags: alert action, fields
Labels: alert action
07-21-2023
01:36 PM
1 Karma
Strings need to be in double quotes and embedded quotes need to be escaped:
| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"
06-24-2023
11:49 AM
Unfortunately, various tools using regexes can have their own ideas about the need for escaping (or not) various things. Most notorious about this is of course vim with its "counterintuitive" use of backslashes on grouping parentheses and pluses. Anyway, some tools don't mind an extra backslash even if it's not needed, some do. That's why I'd try to be as precise as possible and go s/\\"/"/g
10-17-2022
09:15 AM
1 Karma
Thanks @richgalloway for the solution. That does exactly what I need it to do.
10-17-2022
08:29 AM
This looks like one of the following, or at least a path to resolving it: Can the splunk user read that file? Are the CHMOD / CHOWN settings correct? Also, I would encourage you to put the file in /tmp/<yourfile.txt> rather than the /opt/splunk/bin directory. I believe that this is a standalone Splunk instance and not a distributed environment, as you mentioned a laptop. Which user owns the splunk folder and processes, are the basic permissions set right, and is there a home directory for the splunk user? Otherwise, add a home dir for splunk (mkhomedir_helper splunk).
09-09-2022
10:23 AM
1 Karma
You don't have to rename; in fact, better to avoid renaming in props.conf. The answer is the keyword AS. Excerpt from lookup: The required syntax is in bold. lookup [local=<bool>] [update=<bool>] <lookup-table-name> ( <lookup-field> [AS <event-field>] )... [ OUTPUT | OUTPUTNEW (<lookup-destfield> [AS <event-destfield>] )... ] Note: The lookup command can accept multiple lookup and event fields and destfields. For example: ...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>
08-23-2022
09:23 AM
I had the same error this morning. I didn't have either the Lookup Table file or the Lookup definitions as global. Once I changed them both to global, the error went away.