Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About AleCanzo
AleCanzo
Path Finder
Member since:
06-11-2025
a week ago
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 32 |
| Karma Received | 0 |
| Member Since | 06-11-2025 |
Activity Feed
- Posted Re: Splunk SOAR Run Query escaping double quotes in placeholder values on Splunk Search. a week ago
- Karma Re: Splunk SOAR Run Query escaping double quotes in placeholder values for natecrisler. a week ago
- Posted Splunk SOAR Run Query escaping double quotes in placeholder values on Splunk Search. a week ago
- Karma Re: Limits of events returned for ITWhisperer. 11-20-2025 02:59 AM
- Posted Re: Limits of events returned on Splunk Search. 11-20-2025 02:55 AM
- Karma Re: Limits of events returned for livehybrid. 11-20-2025 02:33 AM
- Karma Re: Limits of events returned for gcusello. 11-20-2025 01:36 AM
- Posted Limits of events returned on Splunk Search. 11-20-2025 01:18 AM
- Karma Re: Log Event to an index for Splunk Alert with multiple results for gcusello. 11-03-2025 08:02 AM
- Karma Re: Splunk High Availability setup for gcusello. 09-02-2025 06:20 AM
- Karma Re: How to create dashboard with clickable hyperlinks to search results? for gcusello. 08-29-2025 01:22 AM
- Karma Re: How to implement "NOT IN" in Splunk for gcusello. 08-25-2025 07:06 AM
- Karma Re: How do I get a complete list of users logging into Splunk Enterprise & ES for gcusello. 08-25-2025 05:49 AM
- Posted Re: Three.js on Splunk Dev. 08-11-2025 05:17 AM
- Karma Re: Three.js for livehybrid. 08-07-2025 06:16 AM
- Posted Three.js on Splunk Dev. 08-07-2025 05:44 AM
- Posted Re: Disable outline in splunk on Splunk Dev. 08-05-2025 02:39 AM
- Karma Re: Disable outline in splunk for thahir. 08-05-2025 02:36 AM
- Tagged Disable outline in splunk on Splunk Dev. 08-05-2025 02:02 AM
- Tagged Disable outline in splunk on Splunk Dev. 08-05-2025 02:02 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a week ago
Hi everyone, I'm facing an issue when executing a Splunk search through a Splunk SOAR playbook using the Run Query action. My goal is to pass a JSON array from SOAR to a Splunk search and then parse it with spath. For example, in SOAR I have a variable containing: [{"a":1,"b":2},{"a":3,"b":"text"}] In the search I use something like: | makeresults
| eval data="{1}"
| spath input=data path={} output=row
| mvexpand row
| spath input=row However, SOAR appears to escape the double quotes before sending the search to Splunk. Instead of receiving: | eval data="[{\"a\":1,\"b\":2},{\"a\":3,\"b\":\"text\"}]" (or another valid SPL representation) Splunk receives: | eval data=\"[{\"a\":1,\"b\":2},{\"a\":3,\"b\":\"text\"}]\" which causes a parsing error because the escaped quotes are present directly in the SPL query. Additional notes: The source object in SOAR is already a valid JSON string (generated with json.dumps()). The issue occurs before spath is executed. If I hardcode the JSON directly in Splunk, the search works as expected. The problem seems related to how the Run Query action substitutes placeholders ({0}, {1}, etc.) and escapes double quotes. Has anyone encountered this behavior with Splunk SOAR's Run Query action? Is there a recommended way to pass JSON strings containing double quotes into a Splunk search without SOAR escaping them into \"? Thanks in advance.
... View more
11-20-2025
02:55 AM
Hi @livehybrid, Let me explain better. I have SOAR and Enterprise on Cloud. I'm trying to get, via "run query" in a playbook, some resultst from SIEM to SOAR. The query is a simple | inputlookup command on a csv. However i don't get all the results. Where's the problem? Splunk Cloud? the request from SOAR? Thanks 🙂
... View more
11-20-2025
01:18 AM
Hi guys, is there a limit of the number's events returned in splunk? I'm trying to run a query with inputlookup, but i see only 50_000 results, while my lookup has more results. The limit.conf file seems to be useless, any suggestions? Thanks 🙂
... View more
Labels
- Labels:
-
lookup
08-11-2025
05:17 AM
Hi @livehybrid , I'm not trying to build a custom visualization, i'm trying to visualize a 3d object in a dashboard's panel.
... View more
08-07-2025
05:44 AM
Hi guys, I'm trying to put a 3d visualization that i've made with three.js in my splunk dashboard, but it doesn't work. I've put my main.js in .../appserver/static and the html in an html in my dashboard. Any docs/recommendations? Thanks, Alecanzo.
... View more
08-05-2025
02:39 AM
Thank you @thahir, it's working. But when i try to navigate the page with TAB, the outlines are hidden... I'm taking your answer as correct, hoping no developer is going to hate me 😉 Thank you, AleCanzo.
... View more
08-05-2025
01:57 AM
Hi guys, I'm searching for a way to disable the outline of the links in splunk classic dashboard. There was a similar question on the community, but i'm not understanding the answers. In my css i'm trying with: a:focus{ outline: none !important} but it doesn't work. Thank you!
... View more
- Tags:
- css
- splunk dev
Labels
- Labels:
-
app
07-08-2025
05:33 AM
Hi guys, I'm trying to customize an app I created. For the dashboards, I placed the CSS file in appserver/static and linked it in the dashboard using stylesheet="my.css". How does it work for the app's CSS? Where should I put the CSS file? Do I also need to reference it in any .conf file? Thanks for your attention.
... View more
Labels
- Labels:
-
app
06-19-2025
06:34 AM
Hi everyone, What's the value of a token if is not set in an input? An empty string, null() or? I was trying to do something like: | eval user=if(isnull("$user_token$"), user, "$user_token$"), but it doesn't work.
... View more
Labels
- Labels:
-
troubleshooting
06-12-2025
05:43 AM
Hi, i'm searching for a way to modify my app/dashboard to be able to modify the entries of a table (such as delete/duplicate/copy/multiselect rows). Any suggestions? Maybe i have to look at the scripts from the lookup editor app? I really don't know where to start. I know how to write in python but i haven't created a script already. Thanks 🙂 Dashboard view
... View more
Labels
- Labels:
-
lookup
06-11-2025
06:54 AM
No, i'm trying to do something different. Every time my Alert is triggered, i want to output some fields (like severity, expiration, ss_name...) to a kvs lookup. Then i want to see the lookup on a dashboard: i'm doing this cause i'm trying to create an app where i can manage alerts (like Alert Manager). Of course i can just create a dashboard where i table all the events from the Alert, but then i'm not sure i'm going to be able to modify the table.
... View more
06-11-2025
06:33 AM
Hi, this is my first interaction with Splunk Community so be patient please 🙂 I'm trying to output some fields from an Alert to a kvs lookup. I'm using a Lookup editor app and a KVS app, but probably i'm missing some theory. Thanks!
... View more
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma given to
