×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
moorte
Explorer
Member since: ‎04-12-2017
‎06-19-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 4
Member Since ‎04-12-2017
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Splunk CIM-Compliance related questions

by in Splunk Enterprise
‎06-19-2025 10:18 AM
‎06-19-2025 10:18 AM
The answers already given are spot on.   When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results.  Do a copy and paste from the search query in the correlation search to an SPL window to validate that you don't actually mistype things. If you get results from the query, than you want to validate that adaptive response is set (in ES versions before Splunk 😎 to make a notable.  In ES 8 you will want to make sure that event finding option is selected  The other type of finding goes into a risk score and will not actually create a finding for you in analyst queue.   If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that for sure will fire index=_internal | head 1 | table index, sourcetype Then see if that search will fire off an alert, if it doesn't you know that you have a configuration setting messed up in the correlation search.   Hope this helps ... View more

Re: What's the value of a token if is not set in a...

by in Splunk Enterprise
‎06-19-2025 10:11 AM
2 Karma
‎06-19-2025 10:11 AM
2 Karma
The other thing you can do without installing an app is to go into the xml and create an html tag <row> <html> Value of token1 = $token1$ Value of token2 = $otken2$ </html> </row> I may have shorthanded the html tags, but basically everytime the token changes the token value will be displayed in that html tag.  Really easy way to keep track of the token value.  If you need a default token value look into using the <set> function in tokens.   But @ITWhisperer was spot on when he said that when a token is not set it is neither empty nor null.   ... View more

Re: ddl

by in Dashboards & Visualizations
‎06-19-2025 10:08 AM
1 Karma
‎06-19-2025 10:08 AM
1 Karma
It sounds like the user should be making choices from the first two dropdowns and that supplies the fields that will be provided in the third dropdown.   what you want to do this is to tokenize the first two dropdowns so that the answer from them is (use better token names) $optionA$  for the first dropdown $optionB$ for the second dropdown Then in the third dropdown, fill the list from a query and use the tokens in the query so something like this index=yourindex sourceytpe=yoursourcetype valuex=$optionA$ valuey=$optionB$ Or if it is a lookup file | inputlookup yourlookupfile | search valuex=$optionA$ valuey=$optionB$ Hope that helps.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-19-2025 04:38 PM
Karma from
View All
Karma given to
View All