Hi all, I have developed an app that has a custom dashboard. On that custom dashboard, I am using Splunk's JavaScript Web Framework to run my custom searches that call our external REST API and then the dashboard is rendered using results returned from those searches. Specifically, I'm using the Search Manager to define and process results from my searches. The code structure that I'm following for each search is as follows:   var phishInc = new SearchManager({ id: "phishing_inc", preview: true, cache: true, search: "| snxusers stat=phishing_breakdown globalFilterValue=$globalFilterValue$" }, {tokens: true}); phishInc.on('search:failed', function(properties) { }); phishInc.on('search:progress', function(properties) { }); phishInc.on('search:done', function(properties) { }); var phishing_inc_search = splunkjs.mvc.Components.get('phishing_inc'); var phishing_inc_results = phishing_inc_search.data("results", {count: 0, output_mode: 'json_rows'}); phishing_inc_results.on("data", function () { // The data from the search is processed here });   $globalFilterValue$ is a token that I have defined whose value I set from a drop-down menu. Whenever I set its value, my searches are triggered automatically as I have set tokens: true  Now I have observed that for a single search only, the results are returned pretty quickly but when I define all of my searches  (total = 15) their times add up and the complete dashboard is rendered slowly. Since all of those searches depend on the globalFilterValue token, they are probably running in a sequential manner due to which the last parts of the dashboard are rendered at the end. Is there any way to speed up the execution of all these searches by somehow running them in a parallel fashion? Does Splunk JavaScript Web Framework allow any such possibility? ... View more

Hi everyone, I am using version 8.0.0 of Splunk Enterprise and I am running into a problem due to version conflict of a JavaScript library.  In one of my dashboards, I am using JavaScript for some customization where I require moment.js for a Date-picker. The Date-picker library only works with version 2.24.0 however, Splunk also uses moment.js for its own working but an older version 2.8.3. When I try to include moment.js (version 2.24.0) there is a conflict with Splunk's version and hence I cannot use that library in my dashboard.  Please suggest me any way to resolve this conflict between Splunk's version of moment.js and my own version as the Date-picker library is only compatible with version 2.24.0 of moment.js  Shall be hugely grateful for any positive suggestions. Regards, Umair ... View more

Hi all, I am stuck in a very unfortunate condition. I am developing a modular input (using Splunk Add-on builder) that takes two input parameters, a Base URL and an API key. I am interested in validating both in my validate_input by sending a request to our server and if the response is good, then let the user save the input parameters. The problem is that my API key input parameter is of type password and in my validate_input method, I am only able to get its encrypted value in the form of ***********. How can I get its plain value so that I can use it to send request to the server? Here's my sample code for the validate_input method. def validate_input(helper, definition): """Implement your own validation logic to validate the input stanza configurations""" # This example accesses the modular input variable snx_base_url = definition.parameters.get('snx_base_url', None) snx_api_key = definition.parameters.get('snx_api_key', None) Please point me in a direction that can help me achieve the above. I shall be highly thankful to you! Regards, Umair ... View more

Dear All, I have created a Python modular input (of multiple instance type) using Splunk's Add-on builder that polls a REST API and pulls JSON data for indexing into Splunk. The parameters of the API are start and end timestamps, for which the data is required. In order to avoid duplication, I am keeping the last_polled time as a checkpoint in my modular input so that on the next execution, the script knows from where to start fetching the data. This works great when the user creates only one input from the modular input but if the user creates another input to ingest the data in a separate other index, the script will be fetching the last_polled time from the first input as checkpoints are shared within a modular input so it will miss some data if their intervals are not the same. Is there any technique to isolate checkpoints for each input so that they are not shared between them? Ideally, I would want them to be isolated according to the index and sourcetype defined by the user. I hope I was able to clear my requirement clearly, let me know if you need more information on this. Will be very happy to receive some direction on this as the documentation has little information. Regards, Umair ... View more

Hi all, I have created a modular input using Splunk's Add-on builder (v3.0.1). The modular input is based on a Python script which polls our REST API to ingest data into Splunk. The Modular input takes three Data Input Parameters, a simple text-box, a password and a checkbox. What I want to do is, based on the data ingested by the script, disable or remove the checkbox input parameter so that user cannot edit it. Does Splunk modular inputs provide any such functionality to perform this? Any help towards pointing me in the right direction will be highly appreciated. Regards, Thanks ... View more

Dear All, I have created a new modular input using Splunk's Add-on builder (v3.0.1). The modular input is based on a Python script which polls our REST API to ingest data into Splunk. The Modular inputs takes three Data Input Parameters, a simple textbox, a password and a checkbox. I have observed that the checkbox parameter is not rendering properly when I configure the modular input from Splunk Settings -> Data Inputs. It shows the Checbox as a simple text field with default value of False (see image below): But when I configure the modular input from within the add-on, it properly shows the checkbox field as below: This is kind of a weird behavior. Is that the way Splunk is supposed to show the configuration in both cases or it is a bug? Please point me towards anything which can solve this. Let me know if you need any more information to debug this. Regards, Umair ... View more

Hi Dear Splunkers, I am trying to develop a Modular Input for our REST API which will ingest some data from our API through a python script implementation. The idea is simple. The modular input will poll our REST API after some interval, fetch the data, and index it into Splunk. However, I am confused about the concept of single-instance and multiple-instance modular inputs. What I have understood is that single-instance modular inputs can be configured only once by the user and there is only one instance of the python script running at any point. Our API has the same type of data so there is no need for the user to configure multiple inputs otherwise, as the same data will be duplicated and indexed by Splunk which will be wasteful, I believe. Can someone explain to me the major difference between both types in easy terms, and also suggest which type of modular input I should create for my use case? Thanking you all for taking the time to read this. Regards! ... View more

When I run my custom search command, the results in Splunk's Statistics tab are appearing in a weird UI. The column and the "edit mark" icon are overlapped. Ideally, the column title shouldn't be overlapped with edit option. Is this due to the data of the command or that's an issue with Splunk? See attached screenshot for reference: ... View more

I am using searchbnf.conf file to provide help on my custom search commands but the search assistant is highlighting certain words from my description in green color which is not intended. How can I disable this or are there any escape characters I can use to ask Splunk to not highlight this? Here's what my search assistant is showing: And here is the entry in my searchbnf.conf file: [snxapiquota-command] syntax = snxapiquota description = Find information about your API quota, like current usage, quota left etc. example = | snxapiquota usage = public ... View more

I have written my own custom generating command in Splunk which connects to our API and fetches threat details of a domain/ip. The syntax of the command is as follows: | snxhostreputation host= e.g. snxhostreputation host=www.google.com This command generates one event for one domain but what I want to achieve is that, I should be able to pass multiple domains to this generating command and correspondingly generate events on each request to the API. The intended use-case is that users should be able to pass all domains present in their log data and get the information in the form of events. Now, as the generating command must be the very first command in a search, I cannot use any other command behind it to pass it data. What can I do to achieve my use-case? So far, I have considered changing it to a streaming search command but I am not sure how would I achieve the same there as I also want the command to work for a single value as well as a list of values. Any tips to achieve this? ... View more