Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tej57
tej57
Contributor
Member since:
12-24-2018
11-21-2024
Community Statistics
| Posts | 86 |
| Solutions | 11 |
| Karma Given | 55 |
| Karma Received | 26 |
| Member Since | 12-24-2018 |
Activity Feed
- Got Karma for Re: How can I make the size of tables in splunk studio flexible?. 10-21-2024 10:06 PM
- Karma Re: Update a notable once an incident is opened or closed in ServiceNow for AbhishekD. 10-21-2024 08:04 AM
- Karma Re: SH cluster for richgalloway. 10-21-2024 08:03 AM
- Karma Re: sourcetypes for systemd and sudo logs for inventsekar. 10-21-2024 08:02 AM
- Karma Re: Getting "Searches Delayed" warning in the splunk ES (cloud)search head for richgalloway. 10-21-2024 07:57 AM
- Got Karma for Re: How can I make the size of tables in splunk studio flexible?. 10-21-2024 07:53 AM
- Posted Re: How can I make the size of tables in splunk studio flexible? on Splunk Enterprise. 10-21-2024 07:47 AM
- Posted Re: How to check if apps/add-on running in splunk cloud which are dependent on python versions < 3.9? on Splunk Cloud Platform. 09-10-2024 07:49 AM
- Posted Re: help with indexer clustering problem on Monitoring Splunk. 09-10-2024 07:37 AM
- Posted Re: Dedicated search head with admin rights but not admin of indexer cluster. on Deployment Architecture. 09-10-2024 07:34 AM
- Karma Re: Dedicated search head with admin rights but not admin of indexer cluster. for dural_yyz. 09-10-2024 07:32 AM
- Posted Re: License Server minimum on Deployment Architecture. 09-10-2024 07:29 AM
- Karma Re: How can I combine a field value , if the other 3 field values are the same for ITWhisperer. 09-10-2024 07:24 AM
- Posted Re: splunkcloud SSL errors on Splunk Cloud Platform. 09-10-2024 12:44 AM
- Posted Re: How to solve security issue when using Rest API to connect to splunk? on Splunk Dev. 09-09-2024 11:51 PM
- Got Karma for Re: splunk user can schedule reports but not dashboard. 09-02-2024 05:38 AM
- Posted Re: Forage Task Guide on Splunk Search. 08-29-2024 05:09 AM
- Posted Re: How to apply different drilldown actions based on the column value clicked in table in Dashboard studio on Dashboards & Visualizations. 08-29-2024 05:06 AM
- Posted Re: Updating Bitglass App on Splunk Cloud Install on Splunk Cloud Platform. 08-29-2024 12:48 AM
- Posted Re: How to solve security issue when using Rest API to connect to splunk? on Splunk Dev. 08-29-2024 12:40 AM
Topics I've Started
No posts to display.
10-21-2024
07:47 AM
2 Karma
Hello @rrovers, The layout in the dashboard studio can be set to either absolute or grid. However, there is currently no option to set dynamic height and width of the table based on number of rows. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
... View more
09-10-2024
07:49 AM
Hello @pratrox, I believe this has been addressed in the latest version of Upgrade Readiness App. Just have the app installed on your environment and run the Python scan from the UI interface and it should display incompatible apps/add-ons. Splunkbase link - https://splunkbase.splunk.com/app/5483 Thanks, Tejas. --- If the above solution helps, an upvote is appreciated!!
... View more
09-10-2024
07:37 AM
Hello @KhalidAlharthi , This could be indicative of underlying hardware problem as well. You can check for the same if the issue still persist after a rolling restart. Apart from connectivity issue what other errors do you observe? Thanks, Tejas.
... View more
09-10-2024
07:34 AM
In addition to what @dural_yyz said, you can restrict team1 from accessing the dedicated search head by not creating the users for team1 on the new instance. And make sure to provide appropriate capabilities to team2 so that they're not able to modify or search the indexes belonging to team1 Thanks, Tejas
... View more
09-10-2024
07:29 AM
Hey @kirk_in_porto , These are the minimum required hardware specifications. It is not that Splunk won't work with less number of cores or RAM, but it'll affect the performance. You might not get efficient output from less cores if you intend to run more number of searches or processes through the license manager instance. It'll still try to function as much as it can. However, just for training purpose, it is okay to have less number of cores/RAM associated to an instance. Thanks, Tejas.
... View more
09-10-2024
12:44 AM
Can you share more details on which port you're trying to access?
... View more
09-09-2024
11:51 PM
Hello @shai, You can find the SplunkCloud root CA from the Universal Forwarder package present on your SplunkCloud search head. It gives you a forwarder package with preconfigured outputs to forward the data to SplunkCloud indexers. Within the same app, you can find the certificates that you need to append your self signed ones with. The package name should go something like this - 100_<<stack_name>>_splunkcloud Thanks, Tejas.
... View more
08-29-2024
05:09 AM
Hello @MatthewWolf, If you need the number of event counts for a particular category, you can use the following search: index=<<index_name>> sourcetype="fraud_detection.csv"
| stats count by category
| sort - count This will give you output of all the categories present with event count in decreasing order (i.e. highest count first). Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.!!
... View more
08-29-2024
05:06 AM
Hello @Viral_G, You can have token value set based on the selected field/column on the table. You can then have another panel created to display the selected token and have a drilldown set on the new panel. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
... View more
08-29-2024
12:48 AM
Hello @ccampbell, The reason you are not able to upgrade the app to the latest version is that the app is not listed to be compatible with SplunkCloud platform on Splunkbase. If you wish to have the updated package available for upgrade on SplunkCloud platform, you'll need to have the developer of the app update the platform compatibility details. Please refer to the following screenshot displaying platform compatibility for the app. I assume that the app inspect vetting would have failed for the app package and hence platform compatibility for SplunkCloud would be missing. As a solution to this, you can download the app package from Splunkbase, modify the app_id (app.conf and the folder name, and anywhere else within the package if used), repackage the app and upload it as a private app. This approach is not recommended since it doesn't allow you to track and stay updated with the future updates. Additionally, while uploading the private app, if the app inspect fails, you'll need to work on fixing the errors and repackage the app again and vet it continuously until it succeeds the vetting process. The best approach would be to have the developer engaged and make the app compatible to SplunkCloud platform. Thanks, Tejas --- If the above solution helps, an upvote is appreciated.!!
... View more
08-29-2024
12:40 AM
Hello @shai, In this scenario, you'll need to combine your certs along with SplunkCloud certificates. Just append the CA file to include self signed certificate and SplunkCloud rootCA and use the same for communication. This chain will help you communicate with both Splunk Enterprise On-Prem and SplunkCloud environment. Thanks, Tejas. --- The above solution helps, an upvote is appreciated.!!
... View more
Hello @loganramirez, Can you confirm if the user trying to schedule a PDF is having the list_settings capability enabled on the role? As mentioned in the following doc, list_settings capability is required to have the menu option populated. Doc - https://docs.splunk.com/Documentation/Splunk/9.3.0/Viz/DashboardPDFs#Schedule_PDF_delivery Thanks, Tejas. --- If the above solution works, an upvote is appreciated !!
... View more
06-17-2024
07:33 AM
Hello @Maxime, By default Splunk tries to parse the data that got ingested from whatsoever log source it had been onboarded. However, there's no gaurantee that Splunk will be able to understand the log source completely and provide you with the fields. There are lots of apps and add-ons available on Splunkbase for the exact same purpose (to collect and parse the data). However, if you do not find associated app/add-on, you can write the sourcetype configuration as per your requirement and you should then be able to get the necessary fields. Also, if the data generated is in structured format (JSON, XML, CSV, etc.), Splunk has parsing written for those by default. In that case, you'll be able to directly visualize the data. You can find the relevant documentation links below: - https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata - https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing - https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes - https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
... View more
06-07-2024
06:24 AM
Hello @Amadou , I believe SSE should be used in conjunction with Splunk Enterprise Security. The correlation searches within ES, ESCU, and SSE have MITRE tactics associated with each of them. The number of correlation searches with MITRE tactics are highlighted with dark color on the SSE dashboard and the less number would be light in shade. I do not think this is possible to achieve on Splunk Enterprise. However, if you are able to achieve this through custom solution using .css or .js, let the community know. Thanks, Tejas.
... View more
06-07-2024
06:21 AM
Hello @deangoris, The Splunk packaging toolkit will also work in the similar fashion. The packages created using the toolkit should not have the local folder within it. Otherwise it'll fail on the UI itself. The best way to deal with this situation is to have a Barebone app created from the UI and have all the KOs migrated to the custom private app. This way it helps modifying the objects from UI in future as well. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
... View more
06-07-2024
06:14 AM
Hello @vijreddy30 , This may be possible because of following setting in the alert: Trigger If this is set to Once, change it to "For each Result" and it should trigger alert for all the records. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
... View more
06-07-2024
06:11 AM
1 Karma
Hello @jrs42, In Dashboard studio, there's no option to specify a drilldown for a particular cell or a row. When you enable the drilldown, by default it gets applied to a cell. You can find the following JSON source code as an example for a drilldown to set token in dashboard studio. {
"visualizations": {
"viz_dNS83Gj5": {
"type": "splunk.table",
"dataSources": {
"primary": "ds_aQ7285AG"
},
"eventHandlers": [
{
"type": "drilldown.setToken",
"options": {
"tokens": [
{
"token": "log_level_tok",
"key": "row.log_level.value"
}
]
}
}
]
},
"viz_qGr86Sbm": {
"type": "splunk.events",
"options": {},
"dataSources": {
"primary": "ds_MmJUCreO"
}
}
},
"dataSources": {
"ds_aQ7285AG": {
"type": "ds.search",
"options": {
"query": "index=_internal source=\"*splunkd.log\"\n| stats count by log_level",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "Search_1"
},
"ds_MmJUCreO": {
"type": "ds.search",
"options": {
"query": "index=_internal source=\"*splunkd.log\" log_level=\"$log_level_tok$\"",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "Search_2"
}
},
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "$global_time.latest$",
"earliest": "$global_time.earliest$"
}
}
}
}
},
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "-24h@h,now"
},
"title": "Global Time Range"
}
},
"layout": {
"type": "absolute",
"options": {
"width": 1440,
"height": 960,
"display": "auto"
},
"structure": [
{
"item": "viz_dNS83Gj5",
"type": "block",
"position": {
"x": 0,
"y": 0,
"w": 300,
"h": 300
}
},
{
"item": "viz_qGr86Sbm",
"type": "block",
"position": {
"x": 300,
"y": 0,
"w": 1140,
"h": 300
}
}
],
"globalInputs": [
"input_global_trp"
]
},
"description": "",
"title": "Test Input Placeholder"
} Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
... View more
06-05-2024
11:28 PM
Hello @jbv, You can get the current time using the now() function. By default it is returned in epoch format only. You can use eval to call a field and you'll get what you want. | eval current_time_epoch=now() Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.!!
... View more
06-05-2024
01:45 AM
1 Karma
Hello @rrovers, You can update the truncate limit on the first Splunk Enterprise instance that the data encounters. If your data flow is UF -> IUF -> Indexers or UF -> Indexers, in that case you need to place the following sourcetype on the indexers. And if your data flow is UF -> IHF -> Indexers, in that case you'll need to place the sourcetype configuration on the IHF. Here, IUF and IHF refer to Intermediate Universal Forwarder and Intermediate Heavy Forwarder respectively. [<<sourcetype>>]
TRUNCATE = <<max_length_of_event>> Also, you can set TRUNCATE to any value you wish. --- Thanks, Tejas.
... View more
05-29-2024
10:46 PM
Hello @karthi2809 , I do not understand the use of mvmap command here. Generally, mvmap command is used to perform some iterative operations on the multivalue field. Your SPL currently interpretes as you're trying to map ImpConReqId field with following string: "ImpConReqId: <<value of ImpConReqId>>". And if the "if condition" fails, the value gets updated to null() and then ImpConReqId gets mapped with null() value. I would suggest you to first filter out the null values using isnull() or isnotnull() functions and then perform multi value operations. Also, if you can share the full SPL query, it would be helpful to assist you better. Thanks, Tejas.
... View more
05-29-2024
03:11 AM
1 Karma
Running the script itself is updating the internal database. If it gives you an option to run the scan forcefully, you can go ahead with that. Otherwise, it should get updated every 24 hours. Thanks, Tejas.
... View more
05-28-2024
06:07 AM
In that case, you can download the app from Splunkbase and run the python script on a test server and update the csv file on the production server in the above mentioned location. Otherwise as mentioned in the following document, the scan will run only with the packages shipped - https://docs.splunk.com/Documentation/Splunk/9.2.1/UpgradeReadiness/Scan#Disable_app_list_updates Thanks, Tejas.
... View more
05-27-2024
10:15 PM
1 Karma
Hello @JayD, As you already mentioned that the apps have been forgotten for over a year, it is likely that the latest details have not been updated on the instance. You can first ensure that you have upgraded the Upgrade Readiness App to the latest version and re-run the scan. If the above apps still fail, you can follow the following steps as a workaround: - Run the following script - /opt/splunk/etc/apps/python_upgrade_readiness_app/bin/pura_get_all_apps.py (Internet connection will be required). - Create a directory named app_list in the following path - /opt/splunk/etc/apps/python_upgrade_readiness_app/local/ - Place the attached splunkbaseapps.csv in the app_list folder. - Re-run the scan and check for the final report. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
... View more
05-27-2024
10:00 PM
Hello @Polarbear, That shouldn't be the case ideally. It can cause communication break. To avoid this kind of situation, Splunk supports backward compatibility. But that generally happens from higher tier node to lower tier node. You can also check the following document to understand the order of upgrade between Splunk components. If the search head node is on higher splunk version than the indexer peers, then that can work. However, the vice versa may not hold true. Order of Upgrade - splunk_upgrade_order_of_ops.graffle Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
... View more
05-27-2024
09:54 PM
Hello @mahesh27, Can you share your XML source code and that can help understand why the input isn't working as required? Thanks, Tejas.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-21-2024
09:10 PM
|
Karma given to
