Activity Feed
- Posted Tenable WAS Add-On for Splunk Missing Data: State OR VPR Value on All Apps and Add-ons. 12-27-2024 01:47 PM
- Posted Re: Why are Splunk some logs missing from kiwi syslog? on Getting Data In. 10-30-2024 07:09 AM
- Posted Re: Regex works with in regex101 but not in Splunk on Other Usage. 03-11-2024 07:44 AM
- Posted Re: Regex works with in regex101 but not in Splunk on Other Usage. 02-29-2024 06:59 AM
- Karma Re: Regex works with in regex101 but not in Splunk for gcusello. 02-29-2024 06:56 AM
- Karma Re: Regex works with in regex101 but not in Splunk for inventsekar. 02-29-2024 06:56 AM
- Posted Regex works with in regex101 but not in Splunk on Other Usage. 02-28-2024 02:49 PM
- Tagged Regex works with in regex101 but not in Splunk on Other Usage. 02-28-2024 02:49 PM
- Posted Re: Stacked Column Chart w/more than 3 criteria challenge on Dashboards & Visualizations. 11-07-2023 06:15 AM
- Karma Re: Stacked Column Chart w/more than 3 criteria challenge for fredclown. 11-07-2023 05:51 AM
- Posted Re: Stacked Column Chart w/more than 3 criteria challenge on Dashboards & Visualizations. 10-18-2023 07:04 AM
- Posted Re: Stacked Column Chart w/more than 3 criteria challenge on Dashboards & Visualizations. 10-17-2023 01:39 PM
- Posted Stacked Column Chart w/more than 3 criteria challenge on Dashboards & Visualizations. 10-12-2023 07:30 AM
- Got Karma for Re: Combine two tstat search to create one table. 08-01-2023 09:54 AM
- Got Karma for Re: Dashboard Studio App does not show in Select an App when linking to another dashboard. 05-11-2023 01:53 PM
- Posted Re: Dashboard Studio App does not show in Select an App when linking to another dashboard on Dashboards & Visualizations. 05-11-2023 10:15 AM
- Posted Re: Is it possible to add Dashboard Studio to the Navigation Menu of an App? on Dashboards & Visualizations. 12-22-2022 02:34 PM
- Posted Is it possible to add Dashboard Studio to the Navigation Menu of an App? on Dashboards & Visualizations. 12-22-2022 10:48 AM
- Posted Re: Dashboard Studio App does not show in Select an App when linking to another dashboard on Dashboards & Visualizations. 11-24-2022 08:19 AM
- Tagged Re: Dashboard Studio App does not show in Select an App when linking to another dashboard on Dashboards & Visualizations. 11-24-2022 08:19 AM
Topics I've Started
12-27-2024
01:47 PM
Hello, I just installed the Tenable WAS Add-On for Splunk in my test instance. When combing through the data I noticed we were not able to see the State, VPR fields. Both of these fields are needed to stay consistent with our current Vulnerability Management Program. The state field is an absolute must to report on active and fixed vulnerabilities. Thanks in advance for any assistance provided.
10-30-2024
07:12 AM
Hi @lbrhyne,
I’m a Community Moderator in the Splunk Community.
This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
03-11-2024
07:44 AM
I thought I would pop in and let you all know the resolution from Splunk.
:\d{2}\s+(?P<Successful>\d+)\s+(?P<Failed>\d+)\s+(?P<Percentage>\S+) IN bodyPreview
11-07-2023
06:15 AM
After @fredclown above stated there was no way to do a fourth dimension in a Bar Chart, I opened a case with Splunk. Lo and behold, he was right, which led to some changes in our SPL. I thought I would share, just in case somebody else runs into the same issue.
```Grab badging data for the previous week```
index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0w@w
| bin span=1d _time
| rename CARDNUM as badgeid
| stats count by badgeid _time
| join type=left badgeid
```Use HR records to filter on only Active and LOA employees```
[search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d
| eval "Employee ID"=ltrim(tostring('Employee ID'),"0")
| stats count by "Employee ID" _time | fields - time | rename "Employee ID" as employeeID | fields - count
```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region```
| lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region]
| where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches"
| eval badgeid=coalesce(badgeid,badgeid_1)
```Calculate the number of badge check-ins in a given week by badgeid```
| bin span=1w _time
|stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid _time
```Calculation to determine the number of employees within District that are Hybrid Remote but have not badged-in```
| join District
[| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region
| where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") ```AND NOT like(District,"IT")``` AND NOT like(District,"Digital") AND Region="Non-Branches"
| stats count as total by District]
| eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3")
| table _time District interval total
```Modify District Here vvv```
| where District="Compliance"
| stats max(total) as total count as total_intervals by _time District interval | sort District - _time | fields - District
| chart max(total) as total_emp max(total_intervals) as total by _time interval
| rename "total: <3" as "<3" "total: >=3" as ">=3" "total_emp: <3" as total | fields - "total_emp: >=3"
| stats sum(eval(total-('<3'+'>=3'))) as no_badge_ins last("<3") as "<3" last(">=3") as ">=3" by _time | rename _time as week_of
| eval week_of=strftime(week_of,"%Y-%m-%d")
09-06-2023
06:48 PM
It is a known issue related to SPL-235420. It is fixed in 9.1.0 https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/Fixedissues#Charting.2C_reporting.2C_and_visualization_issues As a workaround, specify the app name directly in the dashboard definition.
08-01-2023
09:19 AM
1 Karma
I think the way to go for combining tstats searches without limits is using "prestats=t" and "append=true". Note that you may have to rewrite the searches quite a bit to get the desired results, but it should be possible. Also note that you may have to create a table before using the normal stats command to merge the tstats searches (don't know why, but worked for me, perhaps something with having all the data on the search head instead of distributed on the indexers). See thread here as well: https://community.splunk.com/t5/Splunk-Search/How-do-I-join-two-data-models-in-a-TSTATS-without-using-JOIN-or/m-p/479132
12-22-2022
02:34 PM
Answered my own question. 😔 The issue was due to the name being incorrect. The correct name was found in the url of the dashboard when opened.
03-21-2022
07:41 AM
Hello, I'm attempting to set the panel background color to transparent within a couple Choropleth panels in Dashboard Studio. However, nothing seems to work... I have attempted to set the background using the following: "transparent": true, "backgroundColor": "rgba(0, 0, 0, 0)", "backgroundColor": "transparent", I can successfully change the color to white or other colors, but not transparent. Thanks in advance!
09-23-2021
12:11 PM
Hello, We are using inputs.conf and props.conf to ingest a flat csv file. The issue we are having is the sourcetype name is appending a -2 to the sourcetype even though it is a unique name. Example: sourcetype=sourcetypename | results sourcetypename-2
#inputs.conf
[monitor://C:\Import\sample.csv]
index= test
sourcetype= sourcetypename
#props.conf
[sourcetypename]
FIELD_DELIMITER=,
CHECK_FOR_HEADER = true
HEADER_MODE = firstline
Any help would be appreciated!
09-23-2021
11:55 AM
Thanks for the suggestion, but this did not resolve the issue. I have not pursued any further due to the requirement of ingesting the file was canceled. Thanks again!
02-06-2021
08:13 AM
Thank you @scelikok! This worked perfectly! Almost. The query returns the data in the format I was looking for, however it is only returning 11 rows of data, where there should be 1000+. On another note... Leave it to me to totally overthink the logic. Thanks again.
04-04-2020
07:24 AM
Thank you cmerriman! That worked perfectly! I simply copied and pasted your revisions and it worked!
01-16-2020
04:16 PM
1 Karma
Providing final query, it is useful and easy to understand how to resolve the problem.
Thank You, @lbrhyne
08-17-2019
12:13 AM
6 Karma
@lbrhyne - We all learn and payback Mate. That's why this community is having good people helping co-splunkers. Keep splunking more and spread your knowledge. Good luck
08-16-2019
07:47 AM
Thank you @nareshinsvu that worked, I think :). I just noticed that I got ahead of myself as we don't have any data for July for this index, so I won't know fully until next month. With that being said, you certainly put me on the right path!
08-12-2019
08:38 AM
1 Karma
Thank you @niketnilay! Corrected below:
<form theme="dark">
<label>Employee Retention</label>
<fieldset submitButton="false">
<input type="multiselect" token="dept" searchWhenChanged="true">
<label>Department</label>
<fieldForLabel>department</fieldForLabel>
<fieldForValue>department</fieldForValue>
<choice value="*">All</choice>
<search>
<query>index=identities sourcetype="ADP:Vantage" (ee_status!="EEStatus") department="*"
08-06-2019
11:25 PM
Thank you for your feedback, surely it will be interesting for many Splunkers!
Bye and see you next time.
Giuseppe
07-28-2019
06:13 AM
You should click Accept to close this question and if you have something different (even if related), ask another.