Hi @richgalloway, thanks for the reply. The query looks good, but I am missing the below two fields in the results. Can you help in getting them populated?
1) | rex "status:\s+(?<Status>.*)\"}"
2) | rex "Path\:\s+(?<ResourcePath>.*)\""
That looks like it's the token setter JS from the dashboard examples. However, you have require(['jquery', 'underscore', 'splunkjs/mvc', 'util/console'], function($, _, mvc, console) { whereas the original is require(['jquery', 'underscore', 'splunkjs/mvc'], function($, _, mvc) {. Have you tried removing the util/console and console declarations?
Thanks for all the replies. Looks like there are 2 approaches to explore. The foreach approach seems to work fine. I'd like to explore the other as well. Sorry for the response delay. I had PTO and some other things to do.
Thanks much for your reply! I'm checking with Support to see if they can help to set props.conf on the backend, since we are using Splunk Cloud.
Hello, I have an issue getting the Windows performance "Velocity SD Service Counters" logs. I used:
[perform://Velocity SD Service Counters]
counter=*
disable==0
instances=*
object=Velocity SD Service Counters
mode=multikv
showZeroValue=1
index=windows
But I am not getting events. Any recommendation will be highly appreciated!
Hi @Iris_Pi would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf.   
Hi @Muthu_Vinith, could you please clarify the question. Do you want to onboard an SSO error file to Splunk?
Hello Pickle, thanks much for the help! I'm using the raw endpoint and I can set the host by using the host parameter now.  
This app, which does a better job at PDF production, now exists: https://splunkbase.splunk.com/app/7171
Hey PickleRick, I see, I was not aware that having a different sourcetype than stash would double licence usage; thank you for making me aware of that. I see, so the only solutions available to restrict search access based on filters are to create separate apps or to do data processing prior to event ingestion. I didn't want to do separate apps because of congestion, especially since they would only differ by one line in the search filter. Please correct me if I'm wrong, but I thought this would increase costs. Wasn't aware that having sourcetypes other than stash would also incur costs (thanks). The speeding up of search was in reference to summary indexing, not a concern. I was wondering why summary indexing wouldn't work, since filtering the search for only superheroes/villains will speed up the search, which is what summary indexing is meant to help with. The main purpose was always access restrictions. Thanks,
Try this:
[hecpaloalto_in]
INGEST_EVAL = index=if(match(sourcetype, "pan:logs"), "palo_alto", "aws")
@marcoscala were you able to fix the Palo Alto Splunk app throwing JS errors ?
@shawno were you able to fix the error ? 
FYI, converting to Dashboard Studio fixes the diagrams, but truncates the tables. yay.
Same here, for as long as I can remember (don't ask me the versions), but still currently an issue with 9.2.2. Funny thing is, I have about 9 graphs, and three work OK. Tried all kinds of tactics like: putting each graph on its own line, putting all together, changing the order, trying landscape vs. letter, changing the paper type, "plain text", "HTML & plain text"....
Hello, Is there a way to add 3rd-party Python modules to the Add-on Builder? I am trying to create a Python script in the Add-on Builder, but it looks like I need to use a module that is not included in the Add-on Builder. Thanks for any help on this. Tom
The transaction command creates a field called "duration" that is the difference in the _time values from the first and last events of the transaction. That should fill this need, assuming _time is set by properly extracting the "timestamp" value at index time. The transaction command is not very performant, however. A more efficient way to do it uses stats.
"My base query" ("Starting execution for request" OR "Successfully completed execution")
| rex "status:\s+(?<Status>.*)\"}"
| rex field=_raw "\((?<Message_Id>[^\)]*)"
| rex "Path\:\s+(?<ResourcePath>.*)\""
| rex "timestamp\\\":(?<timestamp>\d+)"
| stats min(timestamp) as startTime, max(timestamp) as endTime by Message_Id
| eval duration = endTime - startTime
| eval end_timestamp_s = endTime/1000, start_timestamp_s = startTime/1000
| eval human_readable_etime = strftime(end_timestamp_s, "%Y-%m-%d %H:%M:%S"), human_readable_stime = strftime(start_timestamp_s, "%Y-%m-%d %H:%M:%S"), duration = tostring(duration, "duration")
| table Message_Id human_readable_stime human_readable_etime duration
Well, I did change one thing from your last example. Here is the final version that worked as required, for those that read this later.
<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>
      | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
      | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
      | table entity_name, internal_entity_id
      | sort entity_name
    </query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
      <set token="app_net_fm_entity_id">_all</set>
      <set token="condition">1</set>
    </condition>
    <condition>
      <set token="condition">2</set>
      <eval token="app_net_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
      <set token="app_net_fm_entity_id">$app_fm_entity_id$</set>
    </condition>
  </change>
</input>
Thank you sooo much!!!  That worked perfectly!!!  
Hi @Jonathan.Wang, Thank you for following up. Since the community has not jumped in yet either, I think the best next step is to contact Support. AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases. If you contact Support or find a solution on your own, please share your learnings as a reply to this post.