Channel: Questions in topic: "splunk-enterprise"

Why am I getting the following warning when trying to use Drilldowns in Maps+: "This custom visualization might not support drilldown behavior."

Hi, after deploying Maps+, I'm able to do a lot of things, with the exception of drilldown. I have enabled it in the *Format Visualization* settings, as per the documentation, and I've filled in the *Edit drilldown* form, but when I double-click on a marker, all I get is a zoom in (or, sometimes, nothing at all). I've also tried to convert the panel to HTML and tweaked around it, but the drilldown does not trigger. One strange thing is that, in the *Edit drilldown* form, I get this warning: *This custom visualization might not support drilldown behavior.* Then I save the panel, and nothing happens on the double-click. Any suggestions?

What language does the Selks application use — French or English?

Hello. Do you have a version of this with English labels and variables? From the tagging, it looks like https://splunkbase.splunk.com/app/4014/ shows screenshots in French only. I'll go through and translate it if it's only in French, but won't spend the time if there is one that is in English. Thanks!

Can you help me with an issue concerning my accelerated data model summary creation?

I have one data model with acceleration. I am using Splunk version 6.5.3. On my Splunk instance, it is showing a 100% built data model. But still, I am not getting data with the `tstats` command and summariesonly=true. This is only happening on my particular instance. It's working on other colleagues' instances without any issue with the same Splunk version. I couldn't find any errors in the logs. How do I debug this problem? Are there any steps to debug?

What is the best solution to debug an input of the REST API Modular Input App?

Hi everyone, what is the best solution to debug an input of the "**REST API Modular Input**" app? Is it possible to call the GET input manually? Regards

Could I get some advice on configuring self-signed certs between Forwarder and Indexer?

Hello Everyone, I am having trouble configuring self-signed certs and was wondering if I could possibly get some advice. I am doing this in a test environment with the express purpose of replicating the configurations listed in the Splunk docs (.../Splunk/7.1.3/Security/Howtoself-signcertificates). These configs are being performed on a deployment server. The deployment server's splunk.secret was replicated to all boxes upon initial install. This is Splunk 7.1.2 on RHEL 7.

Currently I am getting the following errors:

- ERROR TcpInputProc - Error encountered for connection from src=10.0.0.1:36014. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
- WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='unknown CA'.

Here is my configuration:

# Create a key to sign your certificates.
/opt/splunk/bin/splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048
splunk_$certs

- Generate a new Certificate Signing Request (CSR). When prompted, create a password for the key.
/opt/splunk/bin/splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
splunk_$certs

- Anything not specified is left default/blank
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:DC
Locality Name (eg, city) []:Washington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyTestOrg
Organizational Unit Name (eg, section) []:SecDiv
A challenge password []:splunk_$certs
Common Name (e.g. server FQDN or YOUR name) []:Deployment_Server

- Use the CSR myCACertificate.csr to generate the public certificate:
/opt/splunk/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 10950
splunk_$certs

# Create the server certificate for the search head to forward its data to the indexers
/opt/splunk/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
splunk_$certs

- Generate and sign a new server certificate
/opt/splunk/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
splunk_$certs

- Anything not specified is left default/blank
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:DC
Locality Name (eg, city) []:Washington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyTestOrg
Organizational Unit Name (eg, section) []:SecDiv
Common Name (e.g. server FQDN or YOUR name) []:Search_Head
A challenge password []:splunk_$certs

/opt/splunk/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -SHA256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
splunk_$certs

- Create a single PEM file. Once you have your certificates, you must combine the server certificate and your keys into a single file that Splunk software can use.
cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myNewServerCertificate.pem

- The CA cert is copied to a deployment app so it can be reused. The Search_Head/server certs are moved. The 'dev_transit_forwarder_certs' app is transferred to the search head via the deployment server.
cp myCA* /opt/splunk/etc/deployment-apps/dev_transit_forwarder_certs/splunk
mv myNew* /opt/splunk/etc/deployment-apps/dev_transit_forwarder_certs/splunk
mv myServer* /opt/splunk/etc/deployment-apps/dev_transit_forwarder_certs/splunk

# Create the server certificate for the search head to forward its data to the indexers
/opt/splunk/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
splunk_$certs

- Generate and sign a new server certificate
/opt/splunk/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
splunk_$certs

- Anything not specified is left default/blank
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:DC
Locality Name (eg, city) []:Washington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyTestOrg
Organizational Unit Name (eg, section) []:SecDiv
Common Name (e.g. server FQDN or YOUR name) []:Indexer
A challenge password []:splunk_$certs

/opt/splunk/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -SHA256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
splunk_$certs

- Create a single PEM file. Once you have your certificates, you must combine the server certificate and your keys into a single file that Splunk software can use.
cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > myNewServerCertificate.pem

- The certs are copied to a deployment app. The 'dev_transit_indexer_certs' app is transferred to two indexers via the deployment server.
cp myCA* /opt/splunk/etc/deployment-apps/dev_transit_indexer_certs/splunk
mv myNew* /opt/splunk/etc/deployment-apps/dev_transit_indexer_certs/splunk
mv myServer* /opt/splunk/etc/deployment-apps/dev_transit_indexer_certs/splunk

# Search Head configurations

### /dev_hf_outputs/local/server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/apps/dev_transit_forwarder_certs/splunk/myCACertificate.pem

### /dev_hf_outputs/local/outputs.conf
[indexAndForward]
index = false

[tcpout]
defaultGroup = dev_indexers
indexAndForward = false

[tcpout:dev_indexers]
server = 10.0.0.10:9996,10.0.0.11:9996
disabled = 0

[tcpout:splunkssl]
clientCert = /opt/splunk/etc/apps/dev_transit_forwarder_certs/splunk/myNewServerCertificate.pem
sslPassword = splunk_$certs
sslVerifyServerCert = false

# Indexer configurations

### /dev_indexers_inputs/local/server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/apps/dev_transit_indexer_certs/splunk/myCACertificate.pem

### /dev_indexers_inputs/local/inputs.conf
[splunktcp-ssl:9996]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/apps/dev_transit_indexer_certs/splunk/myNewServerCertificate.pem
sslPassword = splunk_$certs
requireClientCert = false
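One check a reviewer would run against the outputs.conf in the post above, added here as an example (it is not part of the original post and not Splunk tooling): in outputs.conf, settings in a `[tcpout:<group>]` stanza apply only to that group, and a group is only used when `defaultGroup` names it (or the settings sit in `[tcpout]` itself). The clientCert/sslPassword/sslVerifyServerCert block therefore has no effect on `dev_indexers`, the forwarder opens a plain TCP connection to a `splunktcp-ssl` listener, and OpenSSL on the indexer reports exactly "SSL3_GET_RECORD:wrong version number" for non-TLS bytes. The linter below parses the posted file (embedded as a constructed sample) and a corrected version with the settings moved into the group in use and server verification switched on. `sslCommonNameToCheck = Indexer` assumes the indexer certificates carry the CN typed at the CSR prompt above; that is my assumption, not something the post states.

```python
"""Lint a Splunk forwarder outputs.conf for TLS settings that are inert or weak.

Added example; both sample files are constructed from the question above.
"""
import configparser

# The search-head outputs.conf exactly as posted. The TLS settings live in a
# group stanza (splunkssl) that defaultGroup never references.
POSTED_OUTPUTS_CONF = """
[indexAndForward]
index = false

[tcpout]
defaultGroup = dev_indexers
indexAndForward = false

[tcpout:dev_indexers]
server = 10.0.0.10:9996,10.0.0.11:9996
disabled = 0

[tcpout:splunkssl]
clientCert = /opt/splunk/etc/apps/dev_transit_forwarder_certs/splunk/myNewServerCertificate.pem
sslPassword = splunk_$certs
sslVerifyServerCert = false
"""

# Corrected version: TLS settings moved into the group that is actually used and
# server verification switched on. sslCommonNameToCheck = Indexer is an assumption
# (the CN typed at the indexer CSR prompt in the post).
FIXED_OUTPUTS_CONF = """
[indexAndForward]
index = false

[tcpout]
defaultGroup = dev_indexers
indexAndForward = false

[tcpout:dev_indexers]
server = 10.0.0.10:9996,10.0.0.11:9996
disabled = 0
clientCert = /opt/splunk/etc/apps/dev_transit_forwarder_certs/splunk/myNewServerCertificate.pem
sslPassword = splunk_$certs
sslVerifyServerCert = true
sslCommonNameToCheck = Indexer
"""

# outputs.conf keys that only matter once the forwarder actually speaks TLS.
TLS_KEYS = {"clientCert", "sslPassword", "sslVerifyServerCert",
            "sslCommonNameToCheck", "sslAltNameToCheck"}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-shaped: '=' only, keep key case, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def active_groups(cp: configparser.ConfigParser) -> set:
    """Groups the forwarder sends to: the comma-separated defaultGroup in [tcpout]."""
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    return {g.strip() for g in raw.split(",") if g.strip()}


def effective_settings(cp: configparser.ConfigParser, group: str) -> dict:
    """[tcpout] applies to every group; the group's own stanza overrides it."""
    eff = dict(cp["tcpout"]) if cp.has_section("tcpout") else {}
    if cp.has_section(f"tcpout:{group}"):
        eff.update(cp[f"tcpout:{group}"])
    return eff


def lint_outputs_conf(text: str) -> list:
    cp = parse_conf(text)
    active = active_groups(cp)
    findings = []

    # 1. TLS settings parked in a group stanza that defaultGroup never names do nothing.
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        group = section.split(":", 1)[1]
        if group not in active and TLS_KEYS & set(cp[section].keys()):
            findings.append(f"[{section}] holds TLS settings but is not in "
                            f"defaultGroup={','.join(sorted(active))}: they are inert")

    # 2. For each group in use, check what the forwarder will actually do.
    for group in sorted(active):
        eff = effective_settings(cp, group)
        if "clientCert" not in eff:
            findings.append(f"group {group}: no clientCert, so the connection is plain "
                            "TCP; a splunktcp-ssl listener rejects it with 'wrong version number'")
        if eff.get("sslVerifyServerCert", "false").strip().lower() not in ("true", "1"):
            findings.append(f"group {group}: sslVerifyServerCert is not true, so the "
                            "indexer certificate is never verified")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(name, lint_outputs_conf(conf) or ["no findings"])
```

The posted file yields three findings (inert splunkssl stanza, clear-text dev_indexers group, no server verification); the corrected one yields none. The indexer side has the mirror-image weakness: `requireClientCert = false` means the forwarder certificate that was built above is never checked, so once the forwarder connects over TLS, setting it to true is what makes the client certificates worth the effort.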

Changing value of x-axis field name and using it in a token

I have a horizontal bar chart where the x-axis values are "fruits", "books", "devices" and "clothes". The x-axis title is "things". I want to change "fruits" to "food", and "devices" to "games". So I used the command "replace fruits with food in things" and similar with "devices", which worked. Now I want to be able to click on one of the bars and with the x-value, display another panel with the x-value in the query. So I set the token "$things_v$" with "$click.value$" as the drilldown value. The query in this second panel is something like "index=main_ind things="$things_v$" | top field_a". If I did not change "fruits" to "food", and "devices" to "games", I am able to get the correct results from this query. But with the replace command, I can't get any results when I click on the bar for "food" or "games". I suspect that the query is using "food" and "games" as the filter and so did not return anything. How can I replace the x-values, and still be able to query the original data with the new (or old) x-values?

UI Font Display Issue (underscores and equals signs)

In both Chrome and Firefox, both the "=" and "_" symbols do not display correctly all over the UI. This only happened when we upgraded to 7.1.1 from 7.0.1 (or 7.0.2, I forget where we were). The underscores completely do not show, but simply look like a space. The equals signs look like an off-centered hyphen/dash (-). I believe this is because we're using old browsers and the newer Splunk uses HTML5. Firefox is running 38.5 and Chrome is 36.0. Is there a way to change the font? If you zoom in on the text, the equals signs will eventually look right, but the underscores won't. And at one point, underscores will, but equals signs won't. It's quite frustrating.

Eval MAC format within a dashboard

Hi Splunkers, I'm not sure what I'm doing wrong; maybe you guys can help me. I have a MAC field coming in from the Cisco Prime infrastructure in the correct format xx:xx:xx:xx. I built a dashboard to be able to search by MAC and get physical details about that specific MAC. I'm trying to be able to search using different MAC formats ("-", ":"). I use the eval command within my search string without any luck.

index=dtna_network_ciscoprime ipAddress=$ipaddress$ | eval macAddress=replace(macAddress,"-",":") | where macAddress="$macaddress$" | table ipAddress, macAddress, clientInterface, vendor, nt_host

My end goal is to be able to paste the MAC into the text box in any format (":", "-", ".") and get the same results. Any help will be much appreciated.
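Normalising both sides of the comparison, rather than rewriting one separator into another, is the robust way to do what the dashboard above attempts. The example below is added here and is not the poster's search: it implements in Python the same idea an SPL eval would (strip every separator, require exactly twelve hex digits, compare in one canonical form) over a few constructed Cisco Prime style rows, and it handles the input the dashboard does not: a value that is not a MAC at all is rejected instead of being matched, which matters because the search drops the raw `$macaddress$` token into a quoted string. The sample rows, field values and host names are made up.

```python
"""Normalise MAC addresses written in any common notation so they compare equal.

Added example, not the poster's search. Sample rows are constructed to look like
Cisco Prime client records; they are not real data.
"""
import re
from typing import Dict, List

_SEPARATORS = re.compile(r"[:.\-\s]")          # ':' '-' '.' and whitespace
_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(value: str) -> str:
    """Return aa:bb:cc:dd:ee:ff for ':' / '-' / Cisco 'aabb.ccdd.eeff' / bare input.

    Raises ValueError if, after removing separators, the input is not exactly
    twelve hex digits. Being strict is the point: a dashboard token is untrusted
    input and must not be treated as a MAC just because it is a string.
    """
    digits = _SEPARATORS.sub("", value.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_mac(value: str) -> bool:
    try:
        normalize_mac(value)
        return True
    except ValueError:
        return False


def find_by_mac(rows: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Rows whose macAddress equals query, however either side is written.

    Mirrors the dashboard search: normalise the event field, normalise the token,
    compare. A query that is not a MAC raises instead of silently matching nothing.
    """
    wanted = normalize_mac(query)
    return [r for r in rows
            if is_mac(r.get("macAddress", "")) and normalize_mac(r["macAddress"]) == wanted]


# Constructed sample rows; field names follow the dashboard's table command.
SAMPLE_ROWS = [
    {"ipAddress": "10.1.2.3", "macAddress": "00:1A:2B:3C:4D:5E",
     "clientInterface": "Gi1/0/7", "vendor": "ExampleCorp", "nt_host": "WS-0017"},
    {"ipAddress": "10.1.2.4", "macAddress": "001a.2b3c.4d5f",
     "clientInterface": "Gi1/0/8", "vendor": "ExampleCorp", "nt_host": "WS-0018"},
    {"ipAddress": "10.1.2.5", "macAddress": "70-B3-D5-00-00-01",
     "clientInterface": "Gi1/0/9", "vendor": "OtherVendor", "nt_host": "PRN-0001"},
]

if __name__ == "__main__":
    for q in ("00-1a-2b-3c-4d-5e", "001A.2B3C.4D5F", "70b3d5000001"):
        print(q, "->", [r["nt_host"] for r in find_by_mac(SAMPLE_ROWS, q)])
```

The SPL counterpart of `normalize_mac` is `eval mac_norm=lower(replace(macAddress,"[:.-]",""))`, with the same transformation applied to the token, for example `where len(mac_norm)=12 AND mac_norm=lower(replace($macaddress|s$,"[:.-]",""))`. The `|s` token filter makes Splunk quote the user's input and escape embedded quotes and backslashes, so a stray `"` pasted into the text box cannot break out of the string literal the way it can with a bare `"$macaddress$"`.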

In a dashboard, how do I set a token using the first value from a sort?

The first panel in my dashboard shows the number of unique users for each software package feature version. The search uses the dc function with the `chart` command to return the number of unique users, list them by feature version, and then sort them:

| chart dc(USER_NAME) as "Unique User" BY FEATURE_VERSION | sort +"Feature Version"

Once the user clicks on a specific version from panel one, I have a second panel on the dashboard which displays the usernames of the individuals. If the user doesn't click on a feature version in panel one, the second panel remains as "No results found". What I'd like to do is set a token based on the first value from when the sort is produced. So, if that first value is 111, then the token would, by default, be set to 111. I'm not sure how to set a token based on that first sorted value. Any help would be much appreciated. Thank you.

Can you help me dump an inventory with a large number of searches, queries and reports to a .CSV file?

I need to inventory a large number of searches, queries and reports and dump the details (name), scheduled time, search attributes, owner, email etc, into a .CSV file. Is there a quick and easy way to do this?

After joining two counts with dbquery, why are the results getting truncated?

I have one query where I want to get the results in terms of installed, uninstalled and exception machines. We are getting not-installed machine details from a lookup file, and exception machine details from an LDAP search. We are getting installed machine details from dbquery. When I am joining the installed and exception machine counts with dbquery, which has more than 70K results, the final results are getting truncated and I am getting partial results.

| inputlookup newuptodatead.csv
| where strptime(pwdLastSet,"%Y/%m/%d %H:%M:%S %Z")>=relative_time(now(),"-45d@d")
| rex field=distinguishedName "CN=.*?,DC=(?<DC>.*?),DC="
| search DC=na OR DC=ap OR DC=eu OR DC=sa OR DC=mea
| rex field=distinguishedName "CN=.*?,OU=(?<ADOU>.*?),DC="
| search ADOU="*EngineeringLabs*" AND ADOU!="*Harvester*" AND ADOU!="*Image*" AND operatingSystem!="*Server*" AND operatingSystem="Windows*" AND cn != "*Kratos*" AND cn != "*harv*"
| eval InWBSN="Not Installed"
| eval cn=upper(cn)
| join cn type=left
    [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=WBSN_RM))" attrs="member"
      | rename _raw as _raw2 | fields member
      | append [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=wbsn_rm_bsod))" attrs="member" | rename _raw as _raw2 | fields member ]
      | append [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=wbsn_rm_tomcat))" attrs="member" | rename _raw as _raw2 | fields member ]
      | stats values(member) as dn
      | rex field=dn "CN=(?<cn>.*?),OU="
      | table cn | mvexpand cn | eval cn=upper(cn)
      | eval InWBSN=" Exception"
      | sort 0 cn ]
| join cn type=left
    [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=WBSN_RM))" attrs="member"
      | rename _raw as _raw2 | fields member
      | append [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=wbsn_rm_bsod))" attrs="member" | rename _raw as _raw2 | fields member ]
      | append [ | ldapsearch domain=x search="(&(objectCategory=group)(cn=wbsn_rm_tomcat))" attrs="member" | rename _raw as _raw2 | fields member ]
      | stats values(member) as dn
      | rex field=dn "CN=(?<cn>.*?),OU="
      | table cn | mvexpand cn | eval cn=upper(cn)
      | eval InWBSN=" Exception"
      | sort 0 -cn ]
| join cn type=left
    [ | dbquery "AA81" " SELECT [KEY] AS cn, UPDATE_DATE AS _time FROM PA_DYNAMIC_STATUS WHERE UPDATE_DATE >= DATEADD(DAY,-60,GETDATE()) "
      | append maxout=0 maxtime=0 [ | dbquery "AA" " SELECT [KEY] AS cn, UPDATE_DATE AS _time FROM PA_DYNAMIC_STATUS WHERE UPDATE_DATE >= DATEADD(DAY,-60,GETDATE()) " ]
      | rex field=cn "(?<cn>[^\\.]*)"
      | eval cn=trim(upper(cn))
      | eval InWBSN="Installed"
      | sort 0 cn ]
| join cn type=left
    [ | dbquery "AA81" " SELECT [KEY] AS cn, UPDATE_DATE AS _time FROM PA_DYNAMIC_STATUS WHERE UPDATE_DATE >= DATEADD(DAY,-60,GETDATE()) "
      | append [ | dbquery "AA" " SELECT [KEY] AS cn, UPDATE_DATE AS _time FROM PA_DYNAMIC_STATUS WHERE UPDATE_DATE >= DATEADD(DAY,-60,GETDATE()) " ]
      | rex field=cn "(?<cn>[^\\.]*)"
      | eval cn=trim(upper(cn))
      | eval InWBSN="Installed"
      | sort 0 -cn ]
| stats Count by InWBSN

The result should look like:

InWBSN          count
Installed       ****
Not Installed   *****
Exception       *****

I am getting partial results when I incorporate the dbquery search into my search.

Why does the REST API Modular Input break polling after first successful GET?

I have created several REST data inputs, all of them for fetching application status from the server using the GET method. All are working perfectly when I click the 'Save' button after setting the configuration and restarting the service (splunkd). There are a total of 16 APIs configured. The first GET API is being polled automatically according to the polling interval for all 16 APIs. But the second API is not being polled at any interval for 3 of the APIs. I have checked every setting and they are correct. These are the errors:

ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\rest_ta\bin\rest.py"" HTTP Request Timeout error: HTTPSConnectionPool(host='xx.xxx.xxx.142', port=7xxx): Read timed out.
ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\rest_ta\bin\rest.py"" HTTP Request Timeout error: HTTPSConnectionPool(host='xx.xxx.xxx.146', port=7xxx): Read timed out.
ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\rest_ta\bin\rest.py"" HTTP Request Timeout error: HTTPSConnectionPool(host='xx.xxx.xxx.36', port=7xxx): Read timed out.

Auto refresh without reloading the log

Is there a command that could be used to auto refresh the log? Because right now I am reloading the page every 2-5 sec or min to monitor the app.

Is it possible to not limit the bars in a bar chart?

I am generating a bar chart to display the count of services. After showing the count of the top 10 services, all other services are going under "other". Is there a way to display the counts for all the services?

Is there a way to send a bulletin message to all users in a search head cluster?

Hi, I have a search head cluster setup and was wondering if I could set up a bulletin message (or any message really) that will contact all users regardless of what host in the cluster that they are on. I'm not sure if this is possible. I already tried doing this using a bulletin message but that didn't seem to work. Any insight would be greatly appreciated, thanks!

AWS Lightsail network traffic into Splunk

Hi All, I am attempting to get log data from an AWS Lightsail server (centOS) into Splunk. Has anyone done this and willing to shed light on the most efficient way? Lightsail is a type of EC2 and may work with the Add-On, but I am not sure that is the best way to obtain the data and am having a little difficulty setting it up. Any feedback would be appreciated. Thanks!