Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About learningmode
learningmode
Explorer
Member since:
06-29-2022
09-10-2025
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 06-29-2022 |
Activity Feed
- Posted Re: Using multi-select input1 results to drive multi-select input2 menu in dashboard studio on Dashboards & Visualizations. 09-10-2025 09:59 PM
- Posted Re: Using multi-select input1 results to drive multi-select input2 menu in dashboard studio on Dashboards & Visualizations. 09-10-2025 04:31 PM
- Posted Re: Using multi-select input1 results to drive multi-select input2 menu in dashboard studio on Dashboards & Visualizations. 09-10-2025 01:42 PM
- Posted Using multi-select input1 results to drive multi-select input2 menu in dashboard studio on Dashboards & Visualizations. 09-10-2025 12:22 PM
- Got Karma for Re: The Client forwarder management not showing the clients. 07-03-2025 09:45 AM
- Posted Re: Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-07-2024 07:19 AM
- Posted Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Tagged Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Tagged Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Tagged Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Tagged Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Tagged Overriding Splunk default input.conf & adding meta tags to achieve item-level filtering of events in _* indexes on Getting Data In. 06-06-2024 03:32 PM
- Posted Re: The Client forwarder management not showing the clients on Deployment Architecture. 03-04-2024 12:03 PM
Topics I've Started
09-10-2025
09:59 PM
Hi Victor, And there is the little thing I was missing...understanding that the multi-select was looking for a list and I was sending an array. I would probably never had figured that out. Thank you so much for your quick replies and working solution! To anyone reading this later, adding that table to the dashboard and duplicating the search results for the multi-select object to visually inspect the format and values of the token being passed was very helpful. I highly recommend it as a troubleshooting step. Final working query: index=_internal earliest=-15m group=queue name=* [ | makeresults | eval host_list="$tok_MultiSelect1$" | makemv delim="," host_list | eval host_list=mvmap(host_list, "\"" . trim(host_list) . "\"") | eval search = "host IN (" . mvjoin(host_list, ",") . ")" | return $search ] | fields name | dedup name sortby name | stats count by name | rename name as Queues | table Queues Regards
... View more
09-10-2025
04:31 PM
Hi Victor, I recognize that approach and I know I've tried it before and failed. However, knowing that it's likely something I am overlooking, I tried this again. This time though, I set up a table and mirrored your query to that too (trust, but verify inline with the actual token) What I didn't expect to see is that in the TABLE, the list of queues ARE being returned (see below). My problem was actually that MultiSelect2 seems to be refusing to publish them. This is true regardless if I select "Queues(array)" for the menu label and value fields in the MultiSelect2 properties. I deleted and recreated MultiSelect2, same problem. Perhaps this has been the issue all along: Same exact query but sending the output to a table instead: Queues aggqueue auditqueue fschangemanager_queue httpinputq indexqueue nullqueue parsingqueue rulesetqueue splunktcpin tcpout typingqueue Not solved, but making great progress in that it looks like the real problem may have just shown itself. If this is the case, I can only imagine how many attempts copilot and I have made before that actually should have worked... Any thoughts on this new direction? I appreciate your help with this!
... View more
09-10-2025
01:42 PM
Hi Victor, Thanks for the quick reply. Using $host_filter$ references a token, which doesn't exist. The input for this query is "$tok_MultiSearch1$". In this case, $host_filter is being used as a variable intending to represent the output of "| eval host_filter=mvjoin(quoted_hosts, ",")" from earlier in that same query. Now, whether or not $host_filter is a "legal" variable and can be used in this way is very much part of this mystery. Regards
... View more
09-10-2025
12:22 PM
Hello, I've been struggling with this for way too long and it seems like it should be a fairly simple thing to do. I'm hoping someone here can help. SCENARIO: BaseSearch1 generates a table of [host, IsBlocked, IsHF, IsIDX] fields where host=string and the remaining are boolean (0 or 1). This represents a list of hosts that have either seen a queue block since [earliest=$global_time.earliest$ latest=$global_time.latest$], are a HF/DS, or are named ^idx-*. I will put the base search at the end of this posting to make it easier to read. MultiSelect1 uses ChainSearch1 linked to BaseSearch1 to present only the hostnames from BaseSearch1 where IsBlocked=1. Query: | search IsBlocked=1 | table host Token:$tok_MultiSelect1$ OBJECTIVE: Create a datasource called ChainSearch2 for MultiSelect2 that will filter the following query using the hosts listed in $tok_MultiSelect1$, essentially like this Query: index=_internal (sourcetype=metrics OR sourcetype=splunkd) group=queue name=* host IN($tok_MultiSelect1$) | fields name | dedup name sortby name | table name ISSUES: Problem1 (Solved, basis for Problem2): Even though the base search feeding the MultiSelect1 chain search ends with " | table host IsHF IsBlocked IsIDX", I see the fields ["_time","host"] when using this query to evaluate $tok_MultiSearch1$ by sending it to a table: CODE: | makeresults | eval host_list="$tok_MultiSearch1$" ...which makes that output invalid for "host IN()" This was overcome with this query: | makeresults | eval host_list="$tok_MultiSearch1$" | fields - _time | makemv delim="," host_list | mvexpand host_list | fields - _mkv_child | eval quoted_host="\"" . host_list . "\"" | stats list(quoted_host) as quoted_hosts | eval host_filter=mvjoin(quoted_hosts, ",") | fields - quoted_hosts The result is that now host_filter = "server1","server2" Problem2 (unsolved): This query WILL return the data I am looking for index=_internal earliest=-15m group=queue host IN ("server1","server2") | fields name | dedup name sortby name | table name However, if I use $host_filter for the server values (shown above in Problem1), even though it's a comma-delimited list of quoted server names, I get an empty output: | makeresults | eval host_list="$tok_MultiSearch1$" | fields - _time | makemv delim="," host_list | mvexpand host_list | fields - _mkv_child | eval quoted_host="\"" . host_list . "\"" | stats list(quoted_host) as quoted_hosts | eval host_filter=mvjoin(quoted_hosts, ",") < where I get "server1","server2" | fields - quoted_hosts | search index=_internal earliest=-15m group=queue host IN ($host_filter) | fields name | dedup name sortby name | stats values(name) as Queues I cannot seem to get $tok_MultiSearch1$ used properly in ChainSearch2. Again, I am guessing that this is going to be something simple that I've overlooked, it's just not coming to me. Thanks in advance for any help that can be offered!
... View more
Labels
- Labels:
-
Dashboard Studio
-
drilldown
06-07-2024
07:19 AM
Hi gcusello, Thank you for your time to review this, and your quick reply! We do in fact have heavy forwarders at each tenant, so there is local control over any traffic passing through those. That said though, I am told we have over 40,000 endpoints reporting directly to the cloud , so we definitely do not know the hostnames for everything. Each tenant does have their own HEC key for those submissions, so that would be about the only way to identify and separate that traffic. In my original posting, my intended means to make these changes was via a custom inputs.conf file on all the HFs and UFs rather than modifying the events on arrival, since the inputs file is already at the source. Aside from the overhead and logistics of having to deploy that file to that many workstations and servers, I was wondering if there's any downside to this approach from the perspective of the Splunk agent itself. The ability to do override some/all of any portion of any .conf files is built into the design, so it seems like a custom inputs .conf wouldn't be a problem in any way. Any feedback on that approach? Thank you!
... View more
06-06-2024
03:32 PM
Hello, We are attempting to use Splunk Cloud as a multi-tenant environment (one company, separate entities) in a single subscription. We have in index design that isolates data to each tenant and aligns with RBAC assignments. That gets us index-level isolation for data sources that are specific to each tenant. We also stamp all non-splunk events with a tenant code so that role-based access restrictions can be used to filter returned data down to only that which matches your assigned code. This approach allows for event-level filtering from indexes where data is for ALL tenants, such as lastchanceindex. That last set of logs we need to control access to are the underscore indexes. These events are collected based on the inputs.conf files that deploy with the HF and UF agents, which do NOT have our tenant codes associated with them. I was looking for any feedback from the community as to what the downside might be to copying ../etc/system/default/inputs.conf into ../etc/system/local/inputs.conf and adding "meta = tenantcode::<your_tenant_code_goes_here_without_the_angled_brackets>" to each stanza. At that point, all SPLUNK events in the underscore indexes would also contain tenant codes and then we'd be able to achieve item-level filtering at that point. Thanks in advance for any feedback and opinions!
... View more
Labels
- Labels:
-
inputs.conf
03-04-2024
12:03 PM
1 Karma
Hi @AJ_splunk1, just a heads-up that https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers states that " In particular, there is a new system-generated app, etc/apps/SplunkDeploymentServerConfig, which contains configuration files necessary to the proper functioning of the deployment server. Do not alter this directory or its files in any way." I chose to implement the 9.2 fix (also shown on the page link above) as a separate app in \etc\apps on the ds and just called something like "Fix_DSClientList" so it's more obvious there's a modification in place. I hope that helps.
... View more
