We have a simple dashboard that contains Tweets for our client, as shown below:
1. I transferred money last night, am worried I sent it to the wrong person. Ap only giving me a 6 digit number how 2 get more details?
2. @Run_amuk @CommBank I set up an account online super easy, #ApplePay is awesome. Looks like it’s goodbye CommBank after 30 years.
3. ...
4. ...
5. ...
6. ...
7. goes on
We want to add two more fields, Agree and Disagree, to further identify whether the message is a real message or can be ignored. This dashboard is used by a front-end user who will click on one of these options. As soon as they click one of the options, that tweet should go away from the dashboard, and we need the TweetText followed by the Agree and/or Disagree field in a CSV file.
Can we achieve this solution? Kindly advise.
↧
Dashboard Survey
↧
Could I give feedback to the forwarder from the receiver?
In my structure, the receiver will predict something with the data if the forwarder gives some data to the receiver.
After predicting, there is some information that lets the receiver know that some problems may occur in the forwarder.
Therefore, the information should be sent to the forwarder.
Does anyone have a good idea?
Thank you.
↧
How to rename count of field values conditionally.
Hi,
I have the below data in the below format using the stats count command:

| Date | FR | GE | SP | UK | NULL |
|---|---|---|---|---|---|
| 16/11/18 | 0 | 1 | 1 | 1 | 1 |
| 17/11/18 | 3 | 0 | 0 | 0 | 0 |
| 18/11/18 | 0 | 0 | 0 | 1 | 1 |
**Search Command**

```spl
| convert ctime(_time) AS Date timeformat="%d/%m/%y"
| eval Country=case(File_Copied="NatCo 1","UK",File_Copied="NatCo 2","GE",File_Copied="NatCo 4","SP",File_Copied="natco 3","FR")
| chart count(File_Created) over Date by Country
```
But I want to display the data as below:

| Date | FR | GE | SP | UK | NULL |
|---|---|---|---|---|---|
| 16/11/18 | KO | OK | OK | OK | OK |
| 17/11/18 | OK | KO | KO | KO | KO |
| 18/11/18 | KO | KO | KO | OK | OK |

If the count is >0 then it should print "OK", and if the count is equal to 0 then "KO".
Please suggest if this is possible. I have been trying a lot but have not succeeded. Any help will be appreciated.
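One way to get the OK/KO layout, as an added example rather than part of the original post: keep the chart as it is, turn the empty cells that `chart` leaves for a country with no events into 0, then apply the same `eval` to every country column with `foreach`. The column list (FR GE SP UK NULL) is assumed to match the columns the chart actually produces.

```spl
| convert ctime(_time) AS Date timeformat="%d/%m/%y"
| eval Country=case(File_Copied="NatCo 1","UK", File_Copied="NatCo 2","GE", File_Copied="NatCo 4","SP", File_Copied="natco 3","FR")
| chart count(File_Created) over Date by Country
| fillnull value=0 FR GE SP UK NULL
| foreach FR GE SP UK NULL [eval <<FIELD>>=if('<<FIELD>>'>0, "OK", "KO")]
```

Note that the `=` comparison inside `case()` is case-sensitive, so "natco 3" only matches that exact spelling; anything that matches no branch ends up in the NULL column.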
↧
How can I drill down from a word cloud chart and pass the clicked value to the new dashboard?
Hello,
I am using word cloud, and want to pass the clicked word to a drilldown dashboard. Is it possible?
I tried to follow this: https://answers.splunk.com/answers/471329/is-it-possible-to-drilldown-from-an-status-indicat.html
But I am not able to get the value (the clicked word).
↧
Preview generating custom command result
Hi
I want to add a generating custom command that will query one of our DBs. So I have followed the tutorials and created a class that inherits from `GeneratingCommand` and implemented the `generate` method. The problem is that Splunk waits for **all** the results to return, and the query might be slow (4-5 seconds). So, following some of the docs, it looks like `timeline_events_preview` is what I need, but I still don't get the live update of the events view (similar to using the built-in `search` command).
I can't post the original code (for copyright reasons), but I can't make it work even with the following simple example:
```python
import sys
import time
from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration

@Configuration(streaming=True)
class MyGeneratingCommand(GeneratingCommand):
    def generate(self):
        # emit one million synthetic events, one per iteration
        for i in range(10 ** 6):
            yield {'_time': time.time(), '_raw': 'test {}'.format(i), 'events_no': i}

dispatch(MyGeneratingCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```
I added a `limits.conf` file to `$SPLUNK_HOME/etc/apps/myapp/local` with:
```ini
[search]
timeline_events_preview = true
```
When I use the custom command, Splunk waits for all 1 million results to return before showing some of them in the events view.
↧
How can I send raw log data to an external server from a Splunk instance?
I want to send raw data to an external server from the Splunk instance. I mean, I want to send it from the Splunk server, not from clients or universal forwarders. I don't want to install scripts on all clients. I will install a script on the external server and Splunk will send to my script.
↧
How to share a dashboard created using DBXQuery-based reports
Hi there,
I used Splunk DB Connect to connect to the SQL database and generated DBXQuery-based reports/dashboards. But they are not shareable.
Kindly tell me how to set the permissions to let other users view the dashboard.
Thanks & Regards,
Gopi Thakur
↧
Join independent query results.
I have 2 logs like below:
2018-11-20 04:41:23,873.873 - MainThread - 49102 - INFO views - endTime - 2018-11-20 04:41:23.870460 reqId - id
2018-11-20 04:41:23,863.863 - MainThread - 49102 - INFO views - reqID - id , startTime - 2018-11-20 09:41:23.234
From the first statement I need reqId and endTime.
From the second statement I need reqId and startTime.
I need to join both results, retrieve startTime and endTime for each reqId, and calculate the time taken.
Can someone please help me form a query to join the results?
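An added example, not from the original post, that pairs the two lines by request id with `stats` instead of `join`: the `rex` patterns are assumptions based on the two sample lines (they accept both the `reqId` and `reqID` spellings), `index=app_logs` is a placeholder for the real index, and `strptime` is given `%N` so the sub-second part is kept.

```spl
index=app_logs ("endTime" OR "startTime")
| rex field=_raw "reqI[dD] - (?<reqId>\S+)"
| rex field=_raw "endTime - (?<endTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
| rex field=_raw "startTime - (?<startTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
| stats earliest(startTime) AS startTime, latest(endTime) AS endTime BY reqId
| where isnotnull(startTime) AND isnotnull(endTime)
| eval elapsed_sec = strptime(endTime, "%Y-%m-%d %H:%M:%S.%N") - strptime(startTime, "%Y-%m-%d %H:%M:%S.%N")
| table reqId startTime endTime elapsed_sec
```

In the two sample lines the startTime is five hours ahead of the endTime, so elapsed_sec comes out negative unless both values are logged in the same timezone; the `where` drops requests that only have one of the two lines.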
↧
Enterprise Security License
Hi Team,
We have 1 cluster master, 1 deployment master, 8 indexers and 6 search head servers in our environment. Licensing is deployed on our deployment master server, and we have bought a license for 700 GB per day, which I can see in the GUI by navigating to the Licensing page from Settings in the deployment master GUI. I can also get information such as how much has been used, how much is still available for the day, and so on.
But we were told that we already have 380 GB of license dedicated to Enterprise Security. Where can I see the license usage per day for ES, how much of it is being used, and so on, in the GUI?
Kindly note that we have deployed the Splunk Enterprise App separately on a search head server.
So I need your help to find a way to show the ES license used, and so on.
↧
How to group events and extract a field when grouped events contain a specific value?
We have some overnight jobs which run and log to Splunk. On top of this we have a dashboard which groups by the job id and extracts information like start time, end time, duration, etc.
The query looks a bit like this:
index=foo | stats range(_time) as duration by job-id | table job-id duration
We now want to add a status column to tell us if the job completed or had an error. If any of the events in a grouping have a log level of `ERROR` it should show `Error`, otherwise it should show `Ok`.
I've tried this snippet:
eval status=if(in(level, "ERROR"), "Error", "Ok")
which is fine for evaluating each event, but I want the grouping to show either `Error` or `Ok` depending on the values of the `level` field for each group.
Is this possible in Splunk, and how should I write the query?
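An added example (not the original post's query) that decides the status per group rather than per event: the ERROR check is folded into the `stats` with an inline `eval`, so the `if` runs once on the group's error count. `index=foo` and the `job-id` field are taken from the post; `error_count` is a name assumed here.

```spl
index=foo
| stats range(_time) AS duration, sum(eval(if(level="ERROR", 1, 0))) AS error_count BY job-id
| eval status=if(error_count > 0, "Error", "Ok")
| table job-id status duration error_count
```

Keeping `error_count` in the table is optional but makes it obvious why a job shows `Error` when several events in the group failed.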
↧
How can I export alerts with names matching a specific phrase ( say "oscar").
How can I export alerts with names matching a specific phrase (say "oscar")? And the report needs to include all the details of each alert's settings, including search, schedule, etc.
Thanks
↧
How to change the panel title font size in XML?
Hello,
I would like to change the dashboard panel title font size using XML, not CSS.
I found the following in one of the posts:
But when I insert it inside of the and it still changes the title font of ALL the panels in my dashboard.
How would I change the title font for one particular panel only?
Kind Regards,
Kamil
↧
Update credentials via command line
Hi,
We have implemented key rotation on GCP and we need to be able to set the new credentials via the command line. Does anyone know how?
We've found the password file, but the credentials are encrypted and I'm not sure how I can encrypt the new creds and update the .conf file via the command line.
Thanks.
↧
data storage
I know this question has been asked before today...
My company is researching Splunk, and we have a strict policy that we do not share data with anyone outside our firm. If I am reading your documentation correctly, when using Splunk my data is uploaded to Splunk. Do I have the option to utilize Splunk without sharing the data, which would keep me in compliance with my company's data use and storage policies?
↧
How to migrate a cluster master from one instance to another
Currently, the search head and cluster master reside in the same Splunk instance. What are the steps to migrate the cluster master to a dedicated Splunk instance on another server? We are using Splunk version 6.5.
Thanks in advance.
↧
Dashboards embedding
Hi,
I have multiple dashboards, A, B and C.
Is it possible to have a Summary dashboard with a drop-down or three radio buttons, so that whenever a user clicks/selects A, A loads, B, B loads, and so on, on a single page?
Thanks in advance.
↧
Splunk Universal Forwarder Starting Problem
Hello. I am troubleshooting a UF installed on a Windows system. I noticed that the SplunkForwarder service only starts if the "Log On As" user for the service has administrator rights on the system. How can I grant permissions to start the service without it needing admin rights on the system?
↧
Identify Number of Forwarders in Splunk environment
Hello everyone. I have one doubt. In the Splunk architecture my organization is using, 4 forwarders are mentioned with their server names. But when I run any query I see more than 50 hosts. Is it correct to understand that Number of Forwarders = Number of Hosts, and how do I check the correct result?
↧
Use a CSV as a list of exemptions for the query
I have a main query which shows the IP addresses that the computer is connecting to (Dest_IP), but there are Dest_IPs that I need to exempt, and there would be a huge list, so I'm planning to use a CSV. How can I write the query so that it exempts the list of IP addresses in the CSV?
| datamodel Computers STOR search | search FTP.dest_ip!=10* **<<-- This should be a CSV that has a list of IP addresses that should be exempted**
[| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip as FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log
↧
How do I exempt a CSV file in a main search?
I have a main query which shows the destination IP of the computer, and there are some destination IPs that I need to exempt. There are many IP addresses that I need to exempt; how can I use the CSV as an exemption list for the main search?
| datamodel IPP_Assets STOR search | search FTP.dest_ip!=10* **<- This should be a CSV that has IP addresses that need to be exempted from the main search**
[| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip as FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log
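An added example (not the original post's query) that covers both of the CSV-exemption questions above: the exempt list is applied with `lookup` rather than a subsearch, so a large CSV is not truncated by the subsearch result limit, and any event whose `FTP.dest_ip` is found in the list is dropped. The file name `exempt_dest_ips.csv`, its `dest_ip` column and the `exempt_match` field are assumptions; the rest of the pipeline is the post's own.

```spl
| datamodel Computers STOR search
| lookup exempt_dest_ips.csv dest_ip AS FTP.dest_ip OUTPUT dest_ip AS exempt_match
| where isnull(exempt_match)
| search FTP.dest_ip!=10*
    [| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip AS FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| timechart span=1d count by FTP.Spike_Log
```

The subsearch form `| search NOT [| inputlookup exempt_dest_ips.csv | fields dest_ip | rename dest_ip AS FTP.dest_ip | format]` also works, but it is capped by the subsearch output limit (10,000 rows by default), which is why `lookup` is the better fit for a huge list.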
↧