Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About tomapatan
tomapatan
Contributor
Member since:
09-27-2022
04-24-2026
Community Statistics
| Posts | 107 |
| Solutions | 11 |
| Karma Given | 23 |
| Karma Received | 5 |
| Member Since | 09-27-2022 |
Activity Feed
- Posted Re: Splunk Cloud app shows correct version but serves outdated JS from appserver/static on Splunk Dev. 04-23-2026 09:45 AM
- Posted Re: Splunk Cloud app shows correct version but serves outdated JS from appserver/static on Splunk Dev. 04-22-2026 12:59 AM
- Posted Re: Splunk Cloud app shows correct version but serves outdated JS from appserver/static on Splunk Dev. 04-21-2026 11:35 AM
- Posted Splunk Cloud app shows correct version but serves outdated JS from appserver/static on Splunk Dev. 04-21-2026 06:33 AM
- Karma Re: There is option add a field to an existing kvstore without edit conf files? for livehybrid. 02-10-2026 05:38 AM
- Posted Re: How to get Splunk Webhook Alert actions to send entire search results as JSON payload? on Alerting. 10-16-2025 03:46 AM
- Posted Re: Access to REST via Power Automate on Splunk AppDynamics. 10-16-2025 03:45 AM
- Posted Access to REST via Power Automate on Splunk AppDynamics. 10-16-2025 01:10 AM
- Posted Re: Webhook from Splunk to Power Automate only sends one result - expecting multiple on Splunk Cloud Platform. 10-15-2025 02:37 AM
- Posted Re: Webhook from Splunk to Power Automate only sends one result - expecting multiple on Splunk Cloud Platform. 10-14-2025 08:08 AM
- Posted Webhook from Splunk to Power Automate only sends one result - expecting multiple on Splunk Cloud Platform. 10-14-2025 05:44 AM
- Karma Re: Report shows missing fields after owner reassignment (Splunk Cloud) for isoutamo. 09-08-2025 01:58 AM
- Posted Report shows missing fields after owner reassignment (Splunk Cloud) on Splunk Dev. 09-05-2025 10:26 AM
- Posted Re: Filtering fields via REST API not working with parentheses on Splunk Dev. 09-02-2025 12:41 AM
- Karma Re: Filtering fields via REST API not working with parentheses for PickleRick. 09-02-2025 12:32 AM
- Posted Re: Filtering fields via REST API not working with parentheses on Splunk Dev. 09-02-2025 12:14 AM
- Posted Re: Filtering fields via REST API not working with parentheses on Splunk Dev. 07-22-2025 01:05 AM
- Posted Re: Filtering fields via REST API not working with parentheses on Splunk Dev. 07-21-2025 11:59 PM
- Posted Filtering fields via REST API not working with parentheses on Splunk Dev. 07-21-2025 02:15 PM
- Posted Re: How to switch the dashboard after a regular interval in the app ? on Dashboards & Visualizations. 07-03-2025 05:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-23-2026
09:45 AM
Hi, I’ve bumped the version using the Add‑on Builder. I checked the two most recent versions, and it’s been done correctly - one shows an increment in the build number from the previous version.
... View more
04-22-2026
12:59 AM
Will try a restart next week - in the meantime I fixed it by creating a new app and copied the files from my previous app - packaged it and deployed it.
... View more
04-21-2026
11:35 AM
Hi, I can see the contents of the .js file and it does not include my latest changes - so not a caching issue. Can`t see any obvious errors giving more context.
... View more
04-21-2026
06:33 AM
I’ve created a custom Splunk app (TA-custom_scripts) that contains JavaScript and CSS files located at: etc/apps/TA-custom_scripts/appserver/static/ I packaged the app using Splunk Add-on Builder, downloaded the resulting .spl file, and uploaded it to Splunk Cloud. The app installs successfully and Splunk Cloud shows the correct app version (v1.0.9), which matches my local development version. However, the contents of a JS file I modified are not reflected in Splunk Cloud: Opening the JS file directly in the browser shows an older version of the file The app version reported in Splunk Web is correct (v1.0.9) The file path and filename are unchanged The updated JS works correctly in my local Splunk instance What I’ve Verified So Far Confirmed the app version in Splunk Cloud is v1.0.9 Confirmed the JS file exists under appserver/static Accessed the JS file directly via the browser-the content does not include my latest changes. I did not restart Splunk Cloud. Any guidance would be greatly appreciated.
... View more
10-16-2025
03:46 AM
Where did you find the Power Automate IP`s that need adding to the Splunk API allow list ?
... View more
10-16-2025
03:45 AM
@Mathanjey I saw an old post where you found a solution, can you assist ?
... View more
10-16-2025
01:10 AM
Has anyone successfully configured access from Microsoft Power Automate to the Splunk REST API? I’ve managed to query the API using a Python script by adding the IP to the allow list, but I’m struggling to find the IP addresses Power Automate uses so I can do the same for it. I’m not an expert in Power Automate, and unfortunately I’m not getting any error messages - the flow just hangs, which makes me suspect it’s a connectivity issue due to IP restrictions. If anyone has done this before, I’d really appreciate the guidance!
... View more
Labels
- Labels:
-
other
10-15-2025
02:37 AM
This is expected behaviour, and the payload includes only the first result row from the triggering search results, according to the documentation.
... View more
10-14-2025
08:08 AM
Hi @livehybrid As a workaround, I’ve configured Splunk to send one alert per result, but ideally I’d like to receive all results in a single webhook call and handle them as an array in Power Automate. Thanks,
... View more
10-14-2025
05:44 AM
Hello, I’ve set up a scheduled alert in Splunk that sends results to a Power Automate webhook, which then parses the JSON and posts the data to a Microsoft Teams chat. The issue I’m facing is that only one result is received, even though the search returns multiple events. In Power Automate, the result field in the JSON payload is treated as an object, not an array. As a workaround, I’ve configured Splunk to send one alert per result, but ideally I’d like to receive all results in a single webhook call and handle them as an array in Power Automate. Has anyone encountered this before? Any advice or examples would be greatly appreciated! Thanks.
... View more
Labels
- Labels:
-
other
09-05-2025
10:26 AM
Report (saved search) originally owned by me and running correctly Created a new role and user to access the report via REST API Granted the role access to the relevant indexes Used Reassign knowledge objects to change the report owner to the new user (new owner now shows correctly) Problem When I run the report as myself: all expected fields are present. When I log in as the new user (who also owns the report) and run the same report: some fields are missing from results. The search completes without an obvious error - just that some fields have no values. I could write an inline regex to extract the fields, but I`m intrigued by the problem...
... View more
Labels
- Labels:
-
rest API
09-02-2025
12:41 AM
Interesting-and you're right. The knowledge objects are actually defined in a different app than the one I'm using to run the API calls.
... View more
09-02-2025
12:14 AM
It turns out the issue wasn’t related to parentheses or evaluation order. The real problem was that the FROM field is only available at search time-so it worked in Splunk Web, but not through the REST API. I had to use an inline field extraction to get it working properly.
... View more
07-22-2025
01:05 AM
Thanks, "AND" is uppercase in both examples, but the issue persists. I followed your suggestion and checked the search job properties and the eventSearch changes to: index=my_index System="MySystem*" (Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR (Title=F FROM=1) OR (Title=G FROM=2)) Still not working via REST, unfortunately.
... View more
07-21-2025
11:59 PM
Thanks, tried to filter downstream without success, unfortunately. I am using URL encoding.
... View more
07-21-2025
02:15 PM
Hi Everyone, I`m running a query via the Splunk REST API (using Python), and need to filter events based on the following requirements: - Always include events where TITLE is one of: A, B, C, D, E - Only include events where TITLE=F and FROM=1 OR TITLE=G and FROM=2 This works fine in Splunk Web, but when sent via the REST API the conditional clause for TITLEs F and G don`t get applied correctly Works via Splunk WEB and REST (without filtering based on FROM) index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR Title=F OR Title=G Works on WEB, not via REST (filtering based on FROM) index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR (Title=F and FROM=1) OR (Title=G AND FROM=2) I`ve tried to apply the filtering downstream, but the issue persists. I’m unable to query a saved search because some fields are extracted at search time and aren’t available when accessed via the REST API. As a result, I need to extract those fields directly within the query itself when using the REST API. (Note: the TITLE field is being extracted correctly.) Many thanks.
... View more
Labels
- Labels:
-
rest API
07-03-2025
05:44 AM
Good point! My refresh interval would have definitely been set to more than 10 seconds, so good call on that. Unfortunately, I spoke too soon—this solution won’t work as it refreshes the dashboard for all users, which isn’t the intended behaviour. I still need something similar to looping through browser tabs, but without requiring the installation of an extension.
... View more
07-03-2025
03:13 AM
Hi, This is what did the trick for me - save it as "dashboard-carousel.js" (function() {
// List of dashboard URLs to cycle through
const urls = [
"http://10.......",
"http://10.......",
"http://10......."
];
// Time interval for cycling (in milliseconds)
const interval = 10000; // 10 seconds
// Get the current index from the URL query parameter (default to 0)
const urlParams = new URLSearchParams(window.location.search);
let currentIndex = parseInt(urlParams.get("index")) || 0;
// Function to redirect to the next dashboard
function cycleDashboards() {
// Increment the index for the next cycle
currentIndex = (currentIndex + 1) % urls.length;
// Redirect to the next URL with the updated index as a query parameter
window.location.href = `${urls[currentIndex]}?index=${currentIndex}`;
}
// Start the cycling process after the specified interval
setTimeout(cycleDashboards, interval);
})(); Then reference it like this in your dashboard XML <dashboard version="1.0" hideChrome="true" script="dashboard-carousel.js">
... View more
07-02-2025
05:39 AM
1 Karma
Managed to get this resolved by ensuring the submitted token model was updated by adding submittedTokenModel.set() and submittedTokenModel.trigger() to the code. The title displaying the token value was a bit of a red herring. It showed that the default model was being updated, but it didn't reflect the state of the submitted token model.
... View more
07-02-2025
02:37 AM
Done some further testing and the "Search is waiting for input.." is caused by the query below and not the count part in XML: | head $row_count_tok$ | streamstats count as Page | eval Page = case( $row_count_tok$=24 AND Page<=12, 0, $row_count_tok$=24 AND Page>12, 1, $row_count_tok$=40 AND Page<=20, 0, $row_count_tok$=40 AND Page>20, 1 ) But I`m not sure why, as the token is in a title and I can see it`s values being extracted correctly (24 if in landscape mode or 40 if in portrait). If I refresh the browser the issue persists, if I go into editxml mode and cancel without making any changes the panel displays fine.
... View more
07-01-2025
09:52 AM
This is happening because I`ve got this set up, and it looks like the only way to refresh is to enter edit mode and exit without saving. Any ideas ? cc @livehybrid <option name="count">$row_count_tok$</option>
... View more
07-01-2025
09:47 AM
For some additional context — the dashboard actually works unless I switch from portrait to landscape or the other way round. When that happens, the only way to resolve is to enter edit mode and then exit without making any changes. Simply refreshing the page doesn't work as expected, although the token does update automatically (I`ve got the token in a title so I can view it`s values).
... View more
07-01-2025
09:27 AM
Yes, the $row_count_tok$ is being set accordingly (24 or 40, depending on the screen orientation).
... View more
07-01-2025
08:34 AM
Hi all, I’ve got a dashboard that uses a JS script to dynamically set the $row_count_tok$ token based on screen orientation: 24 for landscape (2 pages of 12 rows) 40 for portrait (2 pages of 20 rows) I pass this token into my search to determine how many rows to return, and then paginate them like so: ......
| head $row_count_tok$
| streamstats count as Page
| eval Page = case(
$row_count_tok$=24 AND Page<=12, 0,
$row_count_tok$=24 AND Page>12, 1,
$row_count_tok$=40 AND Page<=20, 0,
$row_count_tok$=40 AND Page>20, 1
)
| eval display = floor(tonumber(strftime(now(), "%S")) / 10) % 2
| where Page = display
| fields - display The token and logic work (tested manually), but I get this message on page load indicating the token was not ready when the search ran: Search is waiting for input... How do I force the query to wait for the token to load ? Many thanks.
... View more
Labels
- Labels:
-
other
06-04-2025
02:07 PM
I'm working with a CSV lookup that contains multiple fields which may include wildcard (*) values. The lookup is structured such that some rows are very specific and others are generic (e.g. *, *, *, HOST, *). I want to enrich events from my base search with the best matching Offset (name of the field) from the lookup. Challenges: Using lookup definition with match_type=WILDCARD(...) only works well if there’s a unique match — but in my case, I need to evaluate multiple potential matches and choose the most specific one. Using | map works correctly, but it's too slow.
... View more
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-24-2026
08:30 AM
|
Karma given to
