Hi, Have you guys found any fix for this issue?? Thanks. ... View more

Hi, I created one endpoint following your instruction. It is working fine for GET requests but giving 405(Method not allowed)/500 (internal server error)  for POST request. ... View more

Hi @rsathish47 , Did you find any solution for file upload functionality? ... View more

Hi @sarvesh_11  Did you find any workaround to upload the file to Splunk server via dashboard?? ... View more

Hi @ekost and @alhod2si , I'm also facing similar issues with this add-on. After changing the sourcetype to "barracuda:log" I'm not able to find any logs on "barracuda:*" sourcetype. When I search the internal index, it shows the license_usage and metrics logs for firewall/web sourcetypes. The only thing I suspect is negative avg_age and max_age in metrics logs. Can you please help me to identify what I'm doing wrong here.   Event samples, Sep 10 18:22:16 xxx.xxx.xxx.xxx Sep 11 01:22:16 ABCDXYZ 2020-09-10 22:22:16.494 +0000 ABCDXYZ TR xxx.xxx.xxx.xxx 443 xxx.xxx.xxx.xxx 2202 "-" "-" GET TLSv1.2 www.abcd.com HTTP/1.1 200 58111 943 SERVER DEFAULT PASSIVE VALID /ar/Home-standard/Kitchens-Secret xxx.xxx.xxx.xxx 2202 271 Sep 10 18:22:14 xxx.xxx.xxx.xxx Sep 11 01:22:14 ABCDXYZ 2020-09-10 22:22:14.029 +0000 ABCDXYZ WF ALER HEADER_VALUE_LENGTH_EXCEEDED xxx.xxx.xxx.xxx 63998 xxx.xxx.xxx.xxx 443 LOG NONE [length\="2691 bytes" header\="Referer" value\=" https\\://abcd.com/Serving/aasd.bs?cn\=brd&PluID\=0&Pos\=2342342344&EyeblasterID\=1080963447&clk\=1&sct\=1&dg\=1075209614&dgo\=1075209614&pc\=&sessionid\=19283719823&"] GET www.abbcd.com/ TLSv1.2 xxx.xxx.xxx.xxx 63998   [udp://<ip>:514] connection_host = ip sourcetype = barracuda:log index = barracuda     ... View more

Hi, Please check the below documentation. I guess it will help with executing saved searches and displaying results. Let me know if you need more details or help. https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtowork/#To-run-a-saved-search-and-display-search-results   ... View more

@niketn  @woodcock  @gcusello  @somesoni2  Hi All, Can you please help me with this issue. Thank you.  ... View more

can you provide one json event sample ... View more

try the below query, index=nonprod kubernetes.container_name IN ("tpt", "rsv", "rsw") MESSAGE IN ("Code request", "pin in email", "pin in sms") | spath output=msg path=MESSAGE | table msg | stats count ... View more

this can be achieved by developing custom command or custom alert action. It requires python script and the script can be developed to handle your requirement. There are no ready-made solution or apps are available. ... View more

Hi, the remote_tab parameter only disables checking for new apps. You added this settings in the default directory, so some settings from the local directory may be overriding it. In the backend Splunk will keep on checking on internet for new versions and upgrades. To disable that add following code to etc/system/local/web.conf [settings] updateCheckerBaseURL = 0 for more details - https://wiki.splunk.com/Community:ConfigureNoInternet accept and up-vote the answer if it helps. ... View more

Hi, Run the given query for particular time range or real-time and get count of events by host. If count is greater than 0 than host is UP, else DOWN. host=host_1 OR host=host_2 | stats count by host | eval status = if(count>0, "Up", "Down") | table host, status accept & up-vote the answer if it helps ... View more

Hi, please try the below updated query, [| inputlookup host.csv | table host ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now | eval host = if(index="wire", USERNAME, host) | fields host SystemTime EventCode NAME | lookup tutu.csv NAME as AP_NAME OUTPUT Building | eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") | stats latest(SystemTime) as SystemTime by host EventCode | xyseries host EventCode SystemTime | rename "6005" as LastLogon "6006" as LastReboot | eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) | eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") | lookup toto.csv HOSTNAME as host output SITE | stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host | sort -"Days without reboot" accept and up-vote the answer if it helps. ... View more

please share your search query writing to summary index and some duplicate event examples ... View more

Hi @christianubeda , Answer given by @gcusello is absolutely correct. I would like to add something to it. If there is no specific reason or feature that you are looking in 7.3.4 than you can directly upgrade from 6.5.2 to 7.2.9.1. In this case you don't have to any other version as intermediate step. In the docs, version 7.2.9.1 is not mentioned, but you can download it from Older Versions . Splunk 7.2.9.1 is just an minor upgrade to 7.2.9 with date & time format fix for 2020. You can check the below links for reference, https://docs.splunk.com/Documentation/Splunk/7.2.9/Installation/AboutupgradingREADTHISFIRST#Upgrade_paths https://docs.splunk.com/Documentation/Splunk/7.2.9/Indexer/Upgradeacluster accept & up-vote the answer if it helped. happy splunking........!!! ... View more

accept the answer that helped to close the question ... View more

accept the answer that helped to close the question. ... View more

so where these comment should be stored? if user changes or refresh the page, the comment will be gone. Also it will not be available on other user's dashboard. ... View more

Hi @adcon82 , try the following dashboard code and change the following token as per your requirement, - search_string - define your different search parameters for different dropdown values - table_seq - define you the table column sequence for different dropdown values <form> <label>Test Dashboard</label> <fieldset submitButton="false"> <input type="dropdown" token="protocol" searchWhenChanged="true"> <label>Protocol</label> <choice value="SFTP">SFTP</choice> <choice value="HTTPS">HTTPS</choice> <change> <condition label="SFTP"> <set token="search_string">sourcetype=splunkd</set> <set token="table_seq">_time, _raw</set> </condition> <condition label="HTTPS"> <set token="search_string">host=localhost</set> <set token="table_seq">_raw,_time</set> </condition> </change> </input> </fieldset> <row> <panel> <table> <search> <query>index=_internal protocol=$protocol$ $search_string$ | table $table_seq$</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> accept & upvote the answer if it helps. ... View more

to assist better, please provide some example and query for the in which you are using the lookup. ... View more

Hi @ips_mandar , There are many was to index and segregate data while indexing it. - If all the files from the folder are same type, than create a new sourcetype for the data and index data to the particular sourcetype created for GTA/GSTA(Brazil)/MTA(UK)/ATD(USA). Than you can search for the particular sourcetype and Splunk will return events from old and new host names. index=index_name sourcetype=<your_sourcetype> Now, if the country name part is going to be constant even after folder name changed, than you can simply search for host name containing the country name. index=index_name souretype=sourcetype_name host=brazil There are many other possible ways, but it all depends on your environment. If folder is having multiple types of log files and all them are getting indexed to different index & sourcetype than it will make it very complex scenario. Regarding creating macros following reference will help (if the above options solves your problem, create the macro of base search query) https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Definesearchmacros https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Searchmacroexamples accept & upvote the answer if ti helps. ... View more