Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

Getting a failed to join cluster error from an indexer after an inadvertent IP change (and change back), but the CM reports the indexer is joined and healthy. How to fix?

Indexer was running normally yesterday. We offlined it, and after maintenance, rebooted it. When it came back up, it had a new IP because *reasons*, and joined the cluster with the new IP. After realizing what happened, and much troubleshooting with my NOC, they got the right IP in place and I offlined/rebooted again. Everything looked normal, but I'm seeing this error today:

    Search peer dc1prsplixap08 has the following message: Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=DC1PRSPLDP01:8089 rv=0 gotConnectionError=0 gotUnexpectedStatusCode=1 actual_response_code=500 expected_response_code=2xx status_line="Internal Server Error" socket_error="No error" remote_error=Cannot add peer=11.1.136.166 mgmtport=8089 (reason: Peer with guid=C395587E-CB3A-4492-8662-71AFD3002A89 is already registered and UP). Make sure pass4SymmKey is matching if the peer is running well. [ event=addPeer status=retrying AddPeerRequest: { _id= active_bundle_id=F24FD19BC912B3FE530FB3917ED1B287 add_type=Initial-Add base_generation_id=0 batch_serialno=1 batch_size=20 forwarderdata_rcv_port=9997 forwarderdata_use_ssl=0 last_complete_generation_id=0 latest_bundle_id=F24FD19BC912B3FE530FB3917ED1B287 mgmt_port=8089 name=C395587E-CB3A-4492-8662-71AFD3002A89 register_forwarder_address= register_replication_address= register_search_address= replication_port=9000 replication_use_ssl=0 replications= server_name=dc1prsplixap08 site=default splunk_version=6.6.0 splunkd_build_number=e21ee54bc796 status=Up } ].

Linux, Splunk version 6.6.3

inputlookup |append [search] vs search | append [|inputlookup]

I am getting different results for the following two queries and I cannot understand why.

    (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
    | eval acctN=mvindex(Account_Name,1)
    | search acctN=*
    | bin _time span=1d as date
    | eval ComputerName=replace(ComputerName,".mydomain","")
    | eval user=upper(acctN)
    | eval domain=upper(TargetAccountDomain)
    | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
    | sort 0 user ComputerName
    | search user=myID
    | append [| inputlookup user_device_logon.csv | search user=myID]
    | sort 0 user ComputerName
    | eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")

This returns 20 items. But if I reverse the order of the component searches:

    | inputlookup user_device_logon.csv
    | search user=myID
    | append [ search (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
        | eval acctN=mvindex(Account_Name,1)
        | search acctN=*
        | bin _time span=1d as date
        | eval ComputerName=replace(ComputerName,".mydomain","")
        | eval user=upper(acctN)
        | eval domain=upper(TargetAccountDomain)
        | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
        | sort 0 user ComputerName
        | search user=myID]
    | sort 0 user ComputerName
    | eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")

This returns 19 items. If I run the two component searches separately, the lookup table returns 19 items and the windows event search returns 1 item. The difference appears to be that the second search does not include the appended search results in the total results. What am I doing wrong here? The second search is supposed to be better, since the lookup table will get large and the appended search will usually be small. But it is not better if it prevents the windows search from returning data.

Can the tooltip be expanded to include the x-axis values?

I have a column chart that has values between 1 and 7400+. When I hover over the x-axis line it is easy to get the tooltip for the larger values, but for the columns with small amounts it is very difficult to get the tooltip to pop up; you have to be exactly on the x-axis line, which can be very difficult. Below is an example of the chart: ![alt text][1] [1]: /storage/temp/216819-splunkchart.png It would make it a lot easier if hovering over the values (i.e. SLES-10.4, SLES-11.3, etc.) would also bring up the tooltip. Is this possible? I'm familiar with JavaScript, so I'm willing to go that route if necessary.

How can I apply JavaScript on a multiselect dropdown menu?

We have a multiselect dropdown with options "All, A, b, c, D". Requirement: whenever the user selects "All", the user cannot select any other option. If the user selects anything else, he can select multiple things. My logic: create a JavaScript file which reads the value selected by the user, and if "All" is selected, convert the multiselect dropdown to a normal dropdown. If anything else is selected, let it remain a multiselect dropdown. Things I have tried: 1) Fetching the value from the dropdown into JavaScript using "splunkjs/mvc/textinputview" (var token_def = defaultTokenModel.get("token_name");) 2) If token_def = "all", then render the view as a normal dropdown. Else it remains a multiselect dropdown. The second thing I want to try is using a global flag: setting it to 1 when "All" is selected and "0" for others, then passing it to HTML. Please advise. Please provide me docs related to JavaScript if available, since I am new to this. Thanks in advance!!!

XML help? Dashboard has 3 panels -- only one panel populates data. All searches work if conducted independently, however.

I have created a new dashboard and configured the base search, but only one of the 3 panels (Web Server Error Summary) is populating data. If I run the searches independently of the dashboard they work, but when loading the dashboard only one works. Could you please take a look at the XML below and point me in the right direction.

Web Analytics Base Search sourcetype=access_* status=* action=view OR action=purchase@ynow1Top Products | top limit=5 productName | rename productName AS "Product" | rename count AS "Purchased"
Unique Visitors | dedup clientip | stats count | rename count as "Unique Visitors"
Web Server Error Summarysearch status>=400 | top limit=5 status by host | sort -count

Thanks, Al

Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"

The above is the warning message I am getting after I updated Splunk ES to 4.7.2. Could someone advise what needs to be done here?

How do you add JavaScript file to Splunk dashboard?

Hi, I am trying to load a JS file in my XML dashboard, but I am unable to get the JS data in the XML dashboard. I am facing difficulties. I placed the file in the path (appname/appserver/static) and referenced it in the XML. I am not getting the JS data. Please let me know what I need to do. Thanks and Regards, Venu

Problem with view in Splunk: "Uncaught TypeError: Cannot set property 'loadParams' of undefined"

Hello, I cloned one of my views on another Splunk machine. The original works fine on the new machine, but the clone doesn't load and the Chrome browser console says: ![alt text][1] [1]: /storage/temp/217854-captura.png Can anyone give me an HTML/JS solution?? Thanks

Splunk field-extraction usage performance

Below is my sample log format:

    %timestamp% **com_java_package1**.subpackage someMessage exceptionMessage
    %timestamp% someText **com_java_package2**.v1.subpackage exceptionMessage
    %timestamp% **com_java_package3_v2**.subpackage exceptionMessage
    %timestamp% someText someOtherText someVeryBigText **com_java_package4**.subpackage someMessage exceptionMessage

Usage 1:

    index=someIndex sourcetype=someSourceType (packageName=com_java_package1 OR packageName=com_java_package2)

Usage 2:

    index=someIndex sourcetype=someSourceType ("com_java_package1" OR "com_java_package2")

The logs are in very bad shape, so I cannot write a generic regex to extract the packageName field; it requires a lot of effort to cover every combination. Now my question is: do I really need a field extraction for packageName? Is there any potential performance benefit of one usage over the other?

How to set alert schedule?

We have 15 different hosts, and we enabled an alert with the condition "if a host is down, we need to alert on it". It has to check every 5 minutes whether any host is down; if so, it has to alert, and it should not alert a second time for the same host. How should I do it? **Example**: At 10:00 AM HostA is down and we need to alert on it; if at 10:01 HostA and HostB are down, then I should get an alert saying HostB is down, but I should not receive an alert for HostA again for 15 minutes. Here is what we did; is it correct? ![alt text][1] [1]: /storage/temp/216818-splunk-alert.png
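The suppression logic the question describes, written out as an added example (it is not part of the post, and the check results it replays are constructed to follow the question's own timeline). In Splunk the same effect comes from scheduling the search every 5 minutes, setting the trigger to "For each result" so that each down host becomes its own alert, and enabling Throttle with "Suppress results containing field value" set to `host` and a suppression period of 15 minutes. One caveat for this kind of alert: a host that has stopped sending logs produces no events at all, so "host is down" has to be computed against a list of expected hosts (for example a lookup) rather than from the data alone.

```python
from datetime import datetime, timedelta

# From the question: once a host has been alerted on, stay quiet about it for 15 minutes.
SUPPRESSION = timedelta(minutes=15)


class HostDownAlerter:
    """Per-host suppression window, the behaviour Splunk alert throttling keyed on
    the host field gives when the alert triggers for each result."""

    def __init__(self, suppression=SUPPRESSION, reset_on_recovery=False):
        self.suppression = suppression
        self.reset_on_recovery = reset_on_recovery
        self._last_alert = {}  # host -> time the last alert for that host was sent

    def evaluate(self, now, down_hosts):
        """One scheduled run: return the hosts to alert on (sorted), updating state."""
        if self.reset_on_recovery:
            # Splunk throttling does not do this; with it, a host that came back up
            # and went down again inside the window alerts again immediately.
            for host in [h for h in self._last_alert if h not in down_hosts]:
                del self._last_alert[host]
        fire = []
        for host in sorted(down_hosts):
            last = self._last_alert.get(host)
            if last is None or now - last >= self.suppression:
                fire.append(host)
                self._last_alert[host] = now
        return fire


# Constructed check results: ("HH:MM", hosts found down at that run).
SCENARIO = [
    ("10:00", {"HostA"}),
    ("10:01", {"HostA", "HostB"}),   # HostA is inside its window, only HostB fires
    ("10:06", {"HostA", "HostB"}),   # both suppressed
    ("10:15", {"HostA", "HostB"}),   # 15 min since HostA's alert: HostA fires again
    ("10:16", {"HostB"}),            # 15 min since HostB's alert
]
RECOVERY_SCENARIO = [
    ("10:00", {"HostA"}),
    ("10:05", set()),                # HostA is back up
    ("10:10", {"HostA"}),            # down again inside the 15 min window
]


def run_scenario(scenario=SCENARIO, reset_on_recovery=False):
    """Replay a scenario and return [(time, hosts alerted on)] for each run."""
    alerter = HostDownAlerter(reset_on_recovery=reset_on_recovery)
    out = []
    for stamp, down in scenario:
        now = datetime.strptime(stamp, "%H:%M")
        out.append((stamp, alerter.evaluate(now, down)))
    return out


if __name__ == "__main__":
    for stamp, fired in run_scenario():
        print(stamp, fired)
```

With the default settings the replay alerts on HostA at 10:00, on HostB alone at 10:01, on nothing at 10:06, and on each host again only once its own 15-minute window has elapsed.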

How do I connect my Java program to Splunkd server?

I'm using the below mentioned code in Java:

    import com.splunk.*; // The entry point to the client library

    public class Connection {
        public static void main(String[] args) {
            ServiceArgs loginArgs = new ServiceArgs();
            loginArgs.setUsername("admin");
            loginArgs.setPassword("changeme");
            loginArgs.setHost("apl10865gtapp14");
            loginArgs.setPort(8089);
            // splunkd's management port (8089) speaks HTTPS by default; "http" only
            // works if SSL has been disabled on that port.
            loginArgs.setScheme("http");
            HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
            Service service = Service.connect(loginArgs);
            for (Application app : service.getApplications().values()) {
                System.out.println(app.getName());
            }
        }
    }

Below mentioned is the error which I get:

    Exception in thread "main" java.lang.RuntimeException: Connection refused: connect
        at com.splunk.HttpService.send(HttpService.java:409)
        at com.splunk.Service.send(Service.java:1293)
        at com.splunk.HttpService.post(HttpService.java:308)
        at com.splunk.Service.login(Service.java:1122)
        at com.splunk.Service.login(Service.java:1101)
        at com.splunk.Service.connect(Service.java:187)
        at Connection.main(Connection.java:13)
    Caused by: java.net.ConnectException: Connection refused: connect
        at java.net.DualStackPlainSocketImpl.connect0(Native Method)
        at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at sun.net.NetworkClient.doConnect(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.<init>(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at com.splunk.HttpService.send(HttpService.java:403)
        ... 6 more

Not sure what the problem is..!! Can you guys please help me out on this?

How can I reorder this table so the column B data represents the month prior?

I have the following table:

    Month      Value
    September  12
    October    78
    November   88
    December   132

I want to display the value of October in September, November in October, and so on. The final output should look like this:

    Month      Value
    September  78
    October    88
    November   132
    December   (value of January)

How can this be achieved? Please help. Thanks in advance.

How can we view the data retention policy we have set?

Hi All, We have set the data retention to 1 year (365 days) on the cluster master. But when we search the data in the Search and Reporting app for an index, we are able to fetch data older than a year too. For audit purposes we need to track what the exact data retention is, and beyond that there should not be any logs for the same. But in our case we are able to fetch data older than a year too. So is there any search query that can pull the exact data retention which has been set for all indexes, beyond which there should not be any data for that particular index? These are the configurations which we have set on the cluster master server under the following folder: /opt/splunk/etc/master-apps/mc_master_indexes/local

    [splunk@mon-prod-cm-1 local]$ cat indexes.conf
    [default]
    frozenTimePeriodInSecs = 31536000
    maxTotalDataSizeMB = 20971520
    [volume:hot]
    path=/data/hot
    maxVolumeDataSizeMB=2831156
    [volume:cold]
    path=/data/cold
    maxVolumeDataSizeMB=12268340

So we need your quick help regarding the same, to get the exact retention which has been set for all indexes.
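Two points an auditor needs here, illustrated by an added example (not from the post). First, `frozenTimePeriodInSecs` is applied per bucket, not per event: Splunk freezes a bucket only when the newest event in it is older than the configured period, so older events in the same bucket remain searchable until then, which is why a search can return data older than 365 days without the setting being wrong. Second, a `[default]` value in one indexes.conf is overridden by any per-index stanza delivered by another app, so the effective values should be read from the indexers rather than from one file, for example with `| rest /services/data/indexes | table splunk_server title frozenTimePeriodInSecs maxTotalDataSizeMB`, and the actual bucket time spans with `| dbinspect index=<name>`. The bucket boundaries below are constructed; the 31536000 value is the one from the indexes.conf above.

```python
from datetime import datetime, timedelta

# frozenTimePeriodInSecs from the indexes.conf in the question: 365 days.
FROZEN_TIME_PERIOD_IN_SECS = 31536000

# Constructed buckets for one index (earliest/latest event time per bucket).
# Real values come from `| dbinspect index=<name>` (startEpoch / endEpoch).
BUCKETS = [
    {"id": "db_1", "earliest": datetime(2016, 6, 1), "latest": datetime(2016, 8, 31)},
    {"id": "db_2", "earliest": datetime(2016, 9, 1), "latest": datetime(2016, 12, 31)},
    {"id": "db_3", "earliest": datetime(2017, 1, 1), "latest": datetime(2017, 10, 12)},
]


def split_by_retention(buckets, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Return (searchable, frozen). A bucket is frozen only once its *latest* event is
    older than frozenTimePeriodInSecs; everything else in it stays searchable until then."""
    cutoff = now - timedelta(seconds=frozen_secs)
    searchable = [b for b in buckets if b["latest"] >= cutoff]
    frozen = [b for b in buckets if b["latest"] < cutoff]
    return searchable, frozen


def oldest_searchable_event(buckets, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    searchable, _ = split_by_retention(buckets, now, frozen_secs)
    return min(b["earliest"] for b in searchable) if searchable else None


def days_beyond_retention(buckets, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """How far past the nominal retention the oldest searchable event reaches (0 if none)."""
    oldest = oldest_searchable_event(buckets, now, frozen_secs)
    if oldest is None:
        return 0
    cutoff = now - timedelta(seconds=frozen_secs)
    return max(0, (cutoff - oldest).days)


def run_audit(now_iso="2017-10-13", buckets=BUCKETS, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Summarise the retention state of one index as of a given date."""
    now = datetime.fromisoformat(now_iso)
    searchable, frozen = split_by_retention(buckets, now, frozen_secs)
    oldest = oldest_searchable_event(buckets, now, frozen_secs)
    return {
        "frozen": [b["id"] for b in frozen],
        "searchable": [b["id"] for b in searchable],
        "oldest_searchable": oldest.date().isoformat() if oldest else None,
        "days_beyond_retention": days_beyond_retention(buckets, now, frozen_secs),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

As of 2017-10-13 only db_1 is frozen; db_2 is kept because its newest event (2016-12-31) is still inside the 365-day window, so its oldest event from 2016-09-01 is searchable 42 days past the nominal retention. Size limits (`maxTotalDataSizeMB`, volume sizes) can freeze buckets earlier than that, never later.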

How can I change the x-axis label on my chart to a month count?

Hi, I have this table:

    _time       ATTENUATION  EOL
    2017-09-08  15           21
    2017-09-09  15.3         21
    .
    .
    2017-10-01  15.7         21
    2017-10-02  15.4         21

I have stored the data since June, so for every day I have a value for "ATTENUATION" and a value for EOL that is always the same for every day because it is a threshold. Since I have a lot of values, Splunk doesn't show me any value on the x-axis. I want to chart all the data that I have stored with a simple line chart (without any stats), grouped by month. Any ideas? Thanks a lot

Splunk App for Network Topology Visualisation

I am looking for a Splunk app to visualize network topology over a world map. I want to be able to display network nodes on the map by their geographic coordinates, draw the links between the nodes, and show other attributes, like alerts, traffic volumes, etc. I am not able to find anything like that on Splunkbase. Do you have any suggestions?

Dell Defender Syslog field extraction - Can I combine 7 regex into one extraction?

This post is about combining field extractions. I am working with **Dell Defender Syslogs** and want to extract different types of messages. But those Syslogs differ in length and content, so **I have trouble building one regex to cover all**. Also, if you are using the OR statement you can't bind multiple parts to one field unless you rename it (REGEX ERROR MESSAGE: two named sub-patterns have the same name).

**This REGEX would cover all raws:**

    (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?.*)

**Message examples:**

Prefix: Oct 12 15:54:14 IP Oct 12 15:54:14 SERVERNAME SERVER_NAME:

1. Radius Request from IP:PORT Request ID: REQUEST_ID
2. Radius request: Access-Request for USER_NAME from IP:PORT through NAS:AccessNode Request ID: REQUEST_ID Session ID: SESSION_ID
3. Radius response: Authentication Acknowledged User-Name: USER_NAME, Request ID: REQUEST_ID Session ID: SESSION_ID
4. User USER_NAME authenticated with token TOKENNUMBER Session ID: SESSION_ID
5. Radius response: Access-Challenge User-Name: USER_NAME Request ID: 5 Session ID: SESSION_ID
6. Requesting response USER_NAME
7. Info: User USER_NAME found as user CN=USER NAME,OU=Windows 7,OU=Users,OU=ORGANIZATION_UNIT,OU=WHERE,DC=COUNTRY,DC=DOMAIN,DC=local Session ID: SESSION_ID

**What I need are fields like this to enable proper filtering and search possibilities:**

- Timestamp (Oct 2 15:54:11 OR Oct 12 15:54:11)
- IP (x.x.x.x)
- EventTime (Oct 2 15:54:11 OR Oct 12 15:54:11)
- ServerName (SERVER_NAME)
- Type (Radius Request, Radius request, Radius response, authenticated, Requesting response, Info)
- Message (covering additional information)
- UserName (USER_NAME)
- RequestID (REQUEST_ID)
- SessionID (SESSION_ID)

**Here are the regex that work for individual lines:**

1. Radius Request from IP:

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+) (?.*) (?\d+.\d+.\d+.\d+):(?\d+) Request ID: (?\w+)

2. Radius request: Access-Request

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+-\w+) \w+ (?\w+) \w+ (?\d+.\d+.\d+.\d+):(?\d+) through (?\w+:\w+) Request ID: (?\w+) Session ID: (?\w+)

3. Radius Response:

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+ \w+) User-Name: (?\w+), Request ID: (?\w+) Session ID: (?\w+)

4. User Authenticated:

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):User (?\w+) (?\w+) (?\w+ \w+ \w+) Session ID: (?\w+)

5. Radius response: Access-Challenge

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+-\w+) User-Name: (?\w+) Request ID: (?\w+) Session ID: (?\w+)

6. Requesting response

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+) (?\w+)

7. Info: User ...

        (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+): User (?\w+) (?.*) Session ID: (?\w+)

**Questions:** Is there a way to combine all 7 (+ one that covers all) REGEX statements in one extraction? If so, what would it look like? What would be your way to configure this kind of input? Do I need to follow an order so one REGEX doesn't cover others by accident?
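The structure the question is reaching for, as an added example (not from the post): match the prefix that all seven message types share once, then try one body pattern per type. The group names in the question's own regexes did not survive extraction, so the names below are assumptions based on the field list, and `Host`, `ClientIP`, `ClientPort`, `NAS`, `Result`, `Token` and `DN` are extra names chosen here. The sample events are constructed (placeholder user and identifiers, 192.0.2.x documentation addresses). Python's `re` is used; Splunk extractions use PCRE, which accepts the same `(?P<name>...)` named groups. Note that in Splunk you do not need a single combined regex at all: props.conf allows several `EXTRACT-<name>` entries for one sourcetype, each with its own regex, and an entry that does not match an event simply contributes no fields, so one extraction can carry the prefix fields and one extraction per message type the rest. In that setup there is no ordering to worry about, but overlapping patterns should be avoided because every matching extraction populates its fields.

```python
import re

# Constructed sample events, one per message type in the question. The prefix follows
# "Oct 12 15:54:14 IP Oct 12 15:54:14 SERVERNAME SERVER_NAME:" from the post.
PREFIX_TEXT = "Oct 12 15:54:14 192.0.2.5 Oct 12 15:54:14 DEFENDER01 Defender: "
SAMPLE_LINES = [
    PREFIX_TEXT + "Radius Request from 192.0.2.10:1812 Request ID: 4711",
    PREFIX_TEXT + "Radius request: Access-Request for jdoe from 192.0.2.10:1812 through NAS:AccessNode Request ID: 4711 Session ID: 8812",
    PREFIX_TEXT + "Radius response: Authentication Acknowledged User-Name: jdoe, Request ID: 4711 Session ID: 8812",
    PREFIX_TEXT + "User jdoe authenticated with token 0001234567 Session ID: 8812",
    PREFIX_TEXT + "Radius response: Access-Challenge User-Name: jdoe Request ID: 5 Session ID: 8812",
    PREFIX_TEXT + "Requesting response jdoe",
    PREFIX_TEXT + "Info: User jdoe found as user CN=John Doe,OU=Windows 7,OU=Users,OU=IT,OU=EU,DC=example,DC=com,DC=local Session ID: 8812",
]

# The part identical for all seven types is matched once. Group names are assumptions
# (the question's regexes lost theirs); Host is taken to be the syslog hostname and
# ServerName the token before the colon. "\s+" before the day also accepts "Oct  2".
PREFIX = re.compile(
    r"^(?P<Timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<IP>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<EventTime>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<Host>\S+) (?P<ServerName>[^:\s]+): (?P<Message>.*)$"
)

# One body pattern per message type, tried in list order, each anchored at both ends so
# a short pattern cannot match inside a longer message. Types 3 and 5 share one pattern
# (the only difference is the comma after the user name).
BODY_PATTERNS = [
    ("Radius request", re.compile(
        r"^Radius request: Access-Request for (?P<UserName>\S+) from (?P<ClientIP>[\d.]+):(?P<ClientPort>\d+) "
        r"through (?P<NAS>\S+) Request ID: (?P<RequestID>\w+) Session ID: (?P<SessionID>\w+)$")),
    ("Radius Request", re.compile(
        r"^Radius Request from (?P<ClientIP>[\d.]+):(?P<ClientPort>\d+) Request ID: (?P<RequestID>\w+)$")),
    ("Radius response", re.compile(
        r"^Radius response: (?P<Result>.+?) User-Name: (?P<UserName>[^,\s]+),? "
        r"Request ID: (?P<RequestID>\w+) Session ID: (?P<SessionID>\w+)$")),
    ("authenticated", re.compile(
        r"^User (?P<UserName>\S+) authenticated with token (?P<Token>\S+) Session ID: (?P<SessionID>\w+)$")),
    ("Requesting response", re.compile(r"^Requesting response (?P<UserName>\S+)$")),
    ("Info", re.compile(
        r"^Info: User (?P<UserName>\S+) found as user (?P<DN>.+?) Session ID: (?P<SessionID>\w+)$")),
]


def parse(line):
    """Parse one Defender syslog line into a dict of fields; None if the prefix is absent."""
    m = PREFIX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for type_name, pattern in BODY_PATTERNS:
        bm = pattern.match(fields["Message"])
        if bm:
            fields["Type"] = type_name
            fields.update(bm.groupdict())
            return fields
    # Unknown body: keep the prefix fields so the event is still searchable and visibly unparsed.
    fields["Type"] = "unknown"
    return fields


def parse_all(lines=SAMPLE_LINES):
    return [parse(line) for line in lines]


if __name__ == "__main__":
    for row in parse_all():
        print(row["Type"], {k: v for k, v in row.items() if k not in ("Message", "Type")})
```

Anchoring every body pattern with `^` and `$` is what makes the order safe: a pattern for a short message such as "Requesting response USER_NAME" cannot fire on the "Radius request: Access-Request for USER_NAME ..." text, and an event that matches nothing is tagged rather than silently dropped, which matters for authentication logs where a new message format is exactly what an analyst needs to notice.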

How to show only certain results in the statistics (by hiding some search results)?

Hello, I would like to hide the results in bold below and only have the final eval statement show. I am only doing the calculations for the last eval statement.

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"
| eval **Sales**=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
| stats sum(Sales) as **Sales**, sum(Costs) as **Costs**
| eval **CM**=Sales+Costs
| eval CMPer=(CM/Sales)*100

Also, I noticed that I cannot put a by clause after the eval; should I only include it in the stats section, and how will I be able to categorize CMPer by another value?

Splunk HTTP Appender - Two entries are logging for longer HTTP requests

The Splunk HTTP appender is logging 2 entries for longer HTTP requests. The first has the headers and the second has the body (a SOAP envelope in our case). The log entries are separated by about 5 milliseconds. Is there any way to force Splunk to keep the entire request in a single log entry? The odd thing is we do not see this behavior for HTTP responses; they always appear in a single entry no matter the size.