About Marco

Marco · ‎05-25-2021

I recently submitted an app to SplunkBase. I need to transfer ownership of the app to the company I work for. who can I contact about transferring ownership? I've emailed splunkbase-admin@splunk.com but i haven't heard back from them, any tips? Thank you , Marco

Marco · ‎05-24-2021

For step 1 you are supposed to use this Url: https://api.splunk.com/2.0/rest/login/splunk

Marco · ‎05-24-2021

<drilldown> <condition field="Failed Jobs"> <link target = "_blank">search?q=index%3Dabc%20source%3D%22%2FsplunkLogs%2FJOB_MDJX_CS_STATS_PLATINUM.csv%22%7C%20eval%20fields%3Dsplit(_raw%2C%22%2C%22)%20%7Ceval%20Environment%3Dmvindex(fields%2C11)%7Ceval%20JOBFLOW_ID%3Dmvindex(fields%2C0)%20%7Ceval%20JOB_EXEC_TIME%3Dmvindex(fields%2C8)%7Ceval%20RunDate%3Dmvindex(fields%2C3)%7Ceval%20JOB_STATUS%3Dmvindex(fields%2C5)%7Cwhere%20Environment%3D%22E3%22%7Cwhere%20JOBFLOW_ID%20LIKE%20%22%25%25%22%7Ceval%20RunDate%3D%2220%22.mvindex(fields%2C3)%7Ceval%20Run_Date%3Dstrptime(RunDate%2C%22%25Y%25m%25d%22)%0A%7Cfieldformat%20Run_Date%3Dstrftime(Run_Date%2C%22%25d%2F%25b%2F%25Y%22)%7Cwhere%20JOB_STATUS%3D%3D%22FAILED%22%7Cstats%20COUNT</link> </drilldown> This is what my code looks like when I want to drilldown to a detailed search. You have the token selected_value , in the conditions field you can change "Failed Jobs" to what you are expecting . Also very important, you have to put your query inside a url encoder: https://meyerweb.com/eric/tools/dencoder/ <--- This one works good. -Marco

Marco · ‎05-21-2021

If you're a Developer you can get a Developer License. It will give you access to Splunk Enterprise for 6 month and you can renew it. https://dev.splunk.com/enterprise/dev_license/ Thank you, Marco

Marco · ‎05-20-2021

Hello, I ran my app against appinspect and received the following failure: check_for_expansive_permissions A posix world-writable file was found. File: appserver/static/images/ Given I developed my app in a windows environment, I created a Linux box that was running Splunk and changed then permissions manually. Then Packaged the app using Splunk's Slim Package command. This got rid of the Failure but didn't allow me to submit my app to Splunkbase because Splunk was "Unable to Extract Package". can anyone point me in the right direction? -Marco C.

Marco · ‎05-18-2021

@klaxdal I checked my bin directory and it looks like only half of splunk installed (compared to the Bin Directory on Windows Splunk). I'm going to uninstall the app and let you.

Marco · ‎05-18-2021

@klaxdal Although it didn't work it gave me different results. I appreciate the help

Marco · ‎05-18-2021

I am currently trying to install Splunk a Linux Centos box. I have tried to install both the .RPM and TAR files for Splunk but I keep getting this error: I've Also tried forcing the installation but no luck. Thank you, Marco

Marco · ‎04-27-2021

<fieldset submitButton="false"> <input type="dropdown" token="Device_Type_Token" searchWhenChanged="true"> <label>Device Type</label> <choice value="All Devices">All Devices</choice> <choice value="Switches">Switches</choice> <choice value="Hypervisors">Hypervisors</choice> <choice value="Pinged IP">Pinged IP</choice> <choice value="VNF">VNF</choice> <change> <condition value="All Devices"> <link>All_Devices_Dashboard</link> </condition> <condition value="Switches"> <link>Switches_Dashboard</link> </condition> <condition value="Hypervisors"> <link>Hypervisors_dashboard</link> </condition> <condition value="Pinged IP"> <link>Pinged_IP_Dashboard</link> </condition> <condition value="VNF"> <link>VNF_Dashboard</link> </condition> </change> </input> </fieldset> Insert the dashboard name in the <link></link> fields. No.XML extension is needed -Marco

Marco · ‎04-16-2021

@richgalloway It's just so random, I like it XD. Thank you Cheers! -Marco

Marco · ‎04-16-2021

This is probably my favorite Splunk quote, but I no Idea what it means. Can anyone point me in the right direction? "All Batbelt. No Tights" -Marco

Marco · ‎04-14-2021

Hello, I recently made my first Splunk App, I had to go back and make some changes so I repackaged it and changed the build number. When I went to upload my new app (APPS>INSTALL APP FROM FILE> ) I selected the "Upgrade app. Checking this will overwrite the app if it already exists." checkbox. When I reviewed the app none of my changes applied. I then checked the file directory of the Splunk app and found a Default.old folder. Can someone explain to me what is happening? Why isn't my updated app showing? What do I need to do in the future so that my changes show? App Directory Thank you, Marco

Marco · ‎04-13-2021

@ryan_mercer if you are trying to accept Input From a user this guy has some really good examples on how to do that. https://github.com/JasonConger/SplunkConf18 I was able to make something like this from his examples. Not sure if this is what you're going for. -Marco

Marco · ‎04-13-2021

Thank you, using the REGEX example i was able to generate a count but since I am not to familiar with REGEX I did it another way. host=*| eval SPECIAL=if(like(COMMAND, "% SPECIAL") OR like(COMMAND, "% SPECIAL %"),1,0)| chart sum(SPECIAL) Using an Or statement gets me the same results. -Marco

Marco · ‎04-09-2021

Hello I have two similar strings that I need to differentiate. These are the key words in the String 1. Special 2 Specialist When they come into Splunk it comes in as a command: EX: "Alter User Special" "Alter User Specialist" Currently I am using these queries: host=*| eval SPECIALIST=if(like(EVNTCOMMAND, "% SPECIALIST%"),1,0)| chart sum(SPECIALIST) host=*| eval SPECIAL=if(like(EVNTCOMMAND, "% SPECIAL%"),1,0)| chart sum(SPECIAL) I need the % after Special and Specialist because sometimes there is more data after those strings. Any Suggestions? Thank you, Marco

Marco · ‎04-09-2021

@ITWhisperer Thank you, Originally I tried that but it creates a whole new "Panel" . At this point I am starting to believe italics cannot be done inside the description tags. Correct me if I'm wrong. Best Wishes, Marco

Marco · ‎04-08-2021

@ITWhisperer I am trying to add Italics to the description tag <dashboard> <label>test</label> <description>I want to italicize this text ---> This Text <-----</description> </dashboard>

Marco · ‎04-08-2021

I am trying to figure out how to italicize text in a Splunk dashboard. I've done this using the HTML Tags and it works but it's not giving me what I want. Is there a way to italicize text using simple XML? Thank you, Marco

Marco · ‎04-05-2021

@richgalloway Thank you for the clarification -Marco C.

Marco · ‎04-02-2021

Salutations, I had a question about the App.Conf file. If i'm going to submit an App to SplunkBase is the install_source_checksum field necessary ? I've read saying it should not be explicitly set. https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/ So should I just leave it as install_source_checksum = blank or not include the field at all? # # Splunk app configuration file # [package] id = Test App [install] is_configured = 0 install_source_checksum = 5496cc42397de0bdcddb4592ab4c2725bfdf947b [ui] is_visible = 1 label = Test App

Marco · ‎03-18-2021

Hello I am currently trying to add some color styling to my Splunk table. When ever I make the changes and refresh the page it reverts to the original format. *Note I do have admin and Power privilege's. Also, the owner of the dashboard is none. Can anyone tell me why the changes aren't saving?

Marco · ‎03-18-2021

Hi All, I just wanted to share an issue I was having that might save someone in the future a headache. I was trying to change one of the pictures in my dashboard, so I went to Appserver>Static>Images Folder and swapped out the pictures. I then packaged up the app, using Splunk's built in packaging tool. I went to my test environment and uploaded the new app(with the new picture) and to my surprise the old one was still there. I must have spent hours double checking my code, and repackaging the app to make sure I wasn't at fault. Turns out all you need to do is clear your cache. In conclusion, if your new images aren't loading on the webpage and you've tried refreshing the CSS via bump MySplunkInstance:8000/en-US/_bump. Try Clearing out your cache, it should do the trick. Thank you, Marco

Marco · ‎03-17-2021

I found the answer. I am currently using Splunk 8.1 and it looks like the Splunk's Packaging toolkit is built into it. If you go into the Splunk Bin folder you can issue Slim commands from there. For Example, C:\Program Files\Splunk\bin>slim usage: slim [-v] [-h] [--debug] [--quiet] {config,describe,generate-manifest,package,partition,validate,update-installation} ... execute a packaging toolkit command options: -v, --version show program's version number and exit -h, --help show this help message and exit --debug save debugging information --quiet suppress all messages except error messages slim commands: {config,describe,generate-manifest,package,partition,validate,update-installation} config get, set, or unset user or system options describe describe an app and its dependencies generate-manifest create a new or updated app manifest package make an app source package for distribution partition split an app source package into a set of targeted deployment packages validate verify an app and its dependencies update-installation perform an update action on an installation graph Which is exactly the same thing as the Splunk Packaging tool kit. To package an app here just issue the following: slim package "C:\Users\MyAppDirectory" In conclusion, Splunk's Packaging Toolkit is already built into Splunk.

Marco · ‎03-16-2021

Hello All, What is the difference between packaging a Splunk app using Splunk's Packaging Toolkit and packaging the app via the Splunk Package App command? I've packaged the app both ways: When I use Splunk's Packaging Toolkit I get a tar.gz. When I use the Splunk command splunk package app TestApp I get a .SPL Which isn't an issue, I can convert an SPL into a tar.gz. My question is does the Packaging Toolkit do something that the Splunk package app command can't?

Marco · ‎03-01-2021

Hello All, I'm developing a Splunk app and was asked to use git for source control. I'm curious to know if anyone uses git for source control on a Splunk app and how they implemented it. Any tips would be useful. Thank you, Marco

Posts	64
Solutions	6
Karma Given	26
Karma Received	6
Member Since	‎08-11-2020

Online Status	Offline
Date Last Visited	‎08-17-2022 10:24 PM

Transferring ownership of a splunk app

How to fix "check for expansive permissions " Fail...

Splunk install for Linux Centos

All Batbelt. No Tights

Upgrading a Splunk App

How to distinguish two similar strings

Italicize Text inside a Splunk Dashboard

App.Conf Configuration Question

Edits to my Splunk dashboard aren't saving

Pictures and CSS not updating?

Transferring ownership of a splunk app

Re: Splunk and Postman

Re: How to display the details of the panel using ...

Re: Unable to get Enterprise License Free Trial

How to fix "check for expansive permissions " Fail...

Re: Splunk install for Linux Centos

Re: Splunk install for Linux Centos

Splunk install for Linux Centos

Re: Drilldown to another dashboard's dropdown stat...

Re: All Batbelt. No Tights

All Batbelt. No Tights

Upgrading a Splunk App

Re: Using a range of numbers as input for a token

Re: How to distinguish two similar strings

How to distinguish two similar strings

Re: Italicize Text inside a Splunk Dashboard

Re: Italicize Text inside a Splunk Dashboard

Italicize Text inside a Splunk Dashboard

Re: App.Conf Configuration Question

App.Conf Configuration Question

Edits to my Splunk dashboard aren't saving

Pictures and CSS not updating?

Re: Packaging a Splunk

Packaging a Splunk

Git For managing a Splunk app

Are you a member of the Splunk Community?