Topics I've Started
10-28-2024
09:37 AM
The issue still persists in Splunk Enterprise. I don't know why Splunk didn't fix the issue yet. However, the answer is still valid.
01-04-2022
10:21 AM
This answer helped me out a lot: super clean and simple, and useful when you're stuck in a situation where you have to do other searches first to drive your data. Thank you!
11-25-2020
07:13 AM
1 Karma
As not all instances allow for CLI access, such as Splunk Cloud, you may also query the captain from the Search GUI:
| rest /services/shcluster/status splunk_server=local
| fields captain.label
10-12-2020
08:36 AM
I just created this Splunk Idea, if everyone would please vote on it! https://ideas.splunk.com/ideas/CONNID-I-22
07-19-2019
04:50 PM
2 Karma
You can do it like this:
| rest /services/data/ui/panels
| search eai:appName="Your App Here" AND panel.title="Your Panel Title Here" AND title="Your title here"
| regex eai:data="\<query\>"
| rex field=eai:data max_match=0 "\<query\>(?<query>.*?)\<\/query\>"
| eval query=mvindex(query, <some number here>)
| map search="search $query$"
07-16-2019
07:19 AM
It appears you can use tokens in prebuilt panels, but not pass specific parameters.
Example prebuilt panel XML
<panel>
<table>
<search>
<query>index=_internal source=*splunkd.log data_host=$host_pattern$* data_sourcetype=$source_type_pattern$
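The two posts above pull the `<query>` elements out of a prebuilt panel's `eai:data` with a regex and then hand one of them to `map`, and note that such queries can reference `$token$` values. The following is an added example, not code from either post: it does the same extraction in Python with an XML parser instead of the `regex`/`rex` pair (so entities such as `&lt;` are decoded and CDATA or commented-out searches are not mis-matched), lists the `$token$` references in each query, and fills them from a supplied value map. The panel XML and the token values are constructed for this example; the `SAMPLE_PANEL_XML` content, `TOKEN_RE` and the function names are assumptions, not Splunk APIs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what the eai:data field of /services/data/ui/panels
# holds for one prebuilt panel (assumption: two searches, the first one using
# the $host_pattern$ / $source_type_pattern$ tokens from the post above).
SAMPLE_PANEL_XML = """<panel>
  <title>Example panel</title>
  <table>
    <search>
      <query>index=_internal source=*splunkd.log data_host=$host_pattern$* data_sourcetype=$source_type_pattern$ | stats count by data_host</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </table>
  <single>
    <search>
      <query>index=_internal log_level=ERROR | where count &lt; 10 | stats count</query>
    </search>
  </single>
</panel>
"""

# A dashboard token reference: $name$ where name is an identifier.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def panel_queries(panel_xml):
    """Return the <query> texts of a prebuilt panel in document order.

    This is the XML-parser equivalent of the `rex max_match=0` call:
    index i here corresponds to mvindex(query, i) in SPL. ET.fromstring
    unescapes entities, so `&lt;` arrives as `<`, which a regex over the raw
    eai:data string would leave as the literal `&lt;`.
    """
    root = ET.fromstring(panel_xml)
    return [(q.text or "").strip() for q in root.iter("query")]


def query_tokens(query):
    """Names of the $token$ references in an SPL query (ordered, de-duplicated)."""
    seen = []
    for name in TOKEN_RE.findall(query):
        if name not in seen:
            seen.append(name)
    return seen


def render_query(query, tokens):
    """Substitute every $token$ with the value supplied for it.

    A token with no value raises KeyError instead of leaving the literal
    `$name$` in the SPL; a dashboard likewise does not run a search whose
    tokens are unset, so this keeps the script's behaviour in line with it.
    """
    def substitute(match):
        name = match.group(1)
        if name not in tokens:
            raise KeyError(name)
        return tokens[name]
    return TOKEN_RE.sub(substitute, query)


if __name__ == "__main__":
    queries = panel_queries(SAMPLE_PANEL_XML)
    for i, q in enumerate(queries):
        print(i, query_tokens(q), q)
    print(render_query(queries[0], {"host_pattern": "sh", "source_type_pattern": "splunkd"}))
```

Whatever extraction method is used, `| map search="search $query$"` executes the text found in the panel under the searching user's permissions, so anyone who can edit that panel decides what the search runs; restrict write access on the panel object accordingly.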
12-11-2019
05:16 AM
1 Karma
In Splunk 7.*: Settings -> Searches, reports, and alerts -> Edit -> Advanced Edit -> alert.expires
03-23-2017
06:11 AM
1 Karma
The only supported Identity Providers prior to 6.5 were:
Ping Identity
Okta
Azure AD
ADFS
http://docs.splunk.com/Documentation/Splunk/6.4.6/Security/HowSAMLSSOworks
6.5.x introduced support for SAML 2.0. Any IdP (Identity Provider) that can generate a SAML 2.0 compliant SAML response can now be used with Splunk, and we'll be glad to assist.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/HowSAMLSSOworks
07-26-2019
07:48 AM
I had great success with the following:
import com.splunk.JobArgs;
import com.splunk.Service;

// getSplunkService(): helper (not shown) that returns an authenticated com.splunk.Service
Service service = getSplunkService();
String dashboardName = "rest_dashboard";
String dashboardXml = "<dashboard>\n" +
" <label>temp</label>\n" +
" <row>\n" +
" <panel>\n" +
" <chart>\n" +
" <search>\n" +
" <query>index=_internal\n" +
" | timechart count</query>\n" +
" <earliest>-1h@h</earliest>\n" +
" <latest>now</latest>\n" +
" <sampleRatio>1</sampleRatio>\n" +
" </search>\n" +
" </chart>\n" +
" </panel>\n" +
" </row>\n" +
"</dashboard>";
JobArgs jobargs = new JobArgs();
jobargs.put("name", dashboardName);
jobargs.put("eai:type", "views");
jobargs.put("eai:data", dashboardXml);
String endpoint = String.format("/servicesNS/rest_user/app_name/data/ui/views/%s", dashboardName);
service.post(endpoint, jobargs);
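The Java above builds the dashboard XML by string concatenation, which emits invalid XML as soon as the SPL contains `<`, `>` or `&` (for example `| where a<b`). The following is an added example, not the poster's code: it builds the same one-panel chart dashboard in Python with an XML serializer so the query is escaped, form-encodes the `name`/`eai:data` body that the views endpoint expects, and posts it with certificate verification left on. The host, token-based authentication and the `rest_user`/`app_name` values are assumptions; the HTTP call is not exercised here.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_dashboard_xml(label, query, earliest="-1h@h", latest="now"):
    """Build Simple XML for a one-panel chart dashboard.

    The query is set as element text, so ElementTree escapes `<`, `>` and
    `&`; concatenating strings would break on any SPL containing them.
    """
    dashboard = ET.Element("dashboard")
    ET.SubElement(dashboard, "label").text = label
    row = ET.SubElement(dashboard, "row")
    panel = ET.SubElement(row, "panel")
    chart = ET.SubElement(panel, "chart")
    search = ET.SubElement(chart, "search")
    ET.SubElement(search, "query").text = query
    ET.SubElement(search, "earliest").text = earliest
    ET.SubElement(search, "latest").text = latest
    ET.SubElement(search, "sampleRatio").text = "1"
    return ET.tostring(dashboard, encoding="unicode")


def build_view_request(user, app, name, dashboard_xml):
    """Return (path, form-encoded body) for creating a view over REST.

    Creation posts to the collection endpoint (.../data/ui/views); posting to
    .../data/ui/views/<name> updates a view that already exists. The body is
    url-encoded so `&`, `+` and `%` inside the XML survive transport.
    """
    path = f"/servicesNS/{user}/{app}/data/ui/views"
    body = urlencode({"name": name, "eai:data": dashboard_xml})
    return path, body


def view_query(dashboard_xml):
    """Round-trip check: parse the XML back and return the query text."""
    root = ET.fromstring(dashboard_xml)
    return root.find("./row/panel/chart/search/query").text


def post_view(base_url, token, path, body):
    """POST the body to the management port (assumed base_url like
    https://splunk.example:8089) using a Splunk authentication token.
    urllib verifies the server certificate by default; there is deliberately
    no equivalent of curl -k here, so the host needs a trusted certificate."""
    req = urllib.request.Request(
        base_url + path,
        data=body.encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    xml_doc = build_dashboard_xml("temp", "index=_internal | where count<5 | timechart count")
    path, body = build_view_request("rest_user", "app_name", "rest_dashboard", xml_doc)
    print(path)
    print(xml_doc)
    # post_view("https://splunk.example:8089", "<token>", path, body)  # assumed host/token
```

The `eai:type` key the Java passes is not needed for `data/ui/views`; `name` and `eai:data` are the fields the endpoint reads.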
11-28-2018
09:31 AM
I am a Splunk Cloud customer who can not make configuration changes directly.
I was able to work around this by adding the backend collection via REST:
curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/config
10-16-2018
12:19 PM
How about this?
.... | search version="10" version="12" version="13"
04-13-2018
07:41 AM
1 Karma
Please see the Splunk Documentation for "Generate PDFs of your reports and dashboards".
http://docs.splunk.com/Documentation/Splunk/7.0.3/Report/GeneratePDFsofyourreportsanddashboards
Excerpt from documentation:
limits.conf
In the [pdf] stanza you can set the max_rows_per_table to set the maximum number of table rows that Splunk software will print out for simple results tables in a PDF. The default is 1000.
Note: This can lead to multi-page reports if your tables have lots and lots of rows. Reduce this number if you want to limit the number of pages that a table can generate for a PDF version of a dashboard.
01-17-2019
11:45 AM
Yes, you may use a REST call to delete. See DELETE for the "saved/searches/{name}" endpoint.
https://docs.splunk.com/Documentation/Splunk/6.5.1612/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D
Please keep in mind that the Splunk Search interface command line provides a 'rest' command, but this is read only, and is not a true REST client. Please use your favorite common purpose REST client. (curl, Postman, any HTTP library)
10-15-2018
09:50 AM
My solution, which works for environments up to medium size, is to create multiple alerts, for example:
switch alerts - all
switch alerts - ignore esxi ports
switch alerts - ignore firewall ports
switch alerts - ignore hsm ports
Normally, 'switch alerts - all' is enabled, but when maintenance is going to occur on esxi hosts, we disable 'switch alerts - all' and enable 'switch alerts - ignore esxi ports'.
This allows a bit of control without writing a script to query your ticket tracking system, using that data to query your cabling database, and then using that data to update a generic 'link state' alert, because in my opinion telling a NOC to ignore alerts is the worst thing you can do.