All Posts
Thanks much for your reply! I'm checking with the support if they can help to set props.conf on the backend, since we are using splunk cloud.
Hello, I have some issues getting the Windows performance "Velocity SD Service Counters" logs. I used [perform://Velocity SD Service Counters] counter=* disable==0 instances=* object=Velocity SD Service Counters mode=multikv showZeroValue=1 index=windows but am not getting events. Any recommendation will be highly appreciated!
Hi @Iris_Pi, would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf.
Hi @Muthu_Vinith, could you please clarify the question. Do you want to onboard an SSO error file to Splunk?
Hello Pickle, thanks much for the help! I'm using the raw endpoint and I can set the host by using the host parameter now.  
This app now exists which does a better job at PDF production https://splunkbase.splunk.com/app/7171  
Hey PickleRick, I see, I was not aware that having a different sourcetype than stash would double licence usage; thank you for making me aware of that. I see, so the only solutions available to restrict search access based on filters are to create separate apps or do data processing prior to event ingestion. I didn't want to do separate apps because of congestion, especially since they will only differ by one line in the search filter. Please correct me if I'm wrong, but I thought this would increase costs. Wasn't aware that having sourcetypes other than stash would also incur costs (thanks). The speeding up of search was in reference to summary indexing, not a concern. I was wondering why summary indexing wouldn't work, since filtering the search for only superheroes/villains will speed up the search, which is what summary indexing is meant to help with. The main purpose was always for access restrictions. Thanks,
Try this: [hecpaloalto_in] INGEST_EVAL = index=if(match(sourcetype, "pan:logs"), "palo_alto", "aws")
@marcoscala were you able to fix the Palo Alto Splunk app throwing JS errors ?
@shawno were you able to fix the error ? 
FYI, converting to Dashboard Studio fixes the diagrams, but truncates the tables. yay.
Same here, for as long as I can remember (don't ask me the versions) -- but still currently an issue with 9.2.2. Funny thing is, I have about 9 graphs, and three work OK. Tried all kinds of tactics like: putting each graph on its own line, putting all together, changing the order, trying landscape vs. letter, changing the paper type, "plain text", "HTML & plain text"....
Hello, is there a way to add third-party Python modules to the Add-on Builder? I am trying to create a Python script in the Add-on Builder, but it looks like I need to use a module that is not included in the Add-on Builder. Thanks for any help on this. Tom
The transaction command creates a field called "duration" that is the difference in the _time values from the first and last events of the transaction. That should fill this need, assuming _time is set by properly extracting the "timestamp" value at index time. The transaction command is not very performant, however. A more efficient way to do it uses stats (the timestamp rex below uses a named capture group, since rex only extracts fields from named groups):
"My base query" ("Starting execution for request" OR "Successfully completed execution")
| rex "status:\s+(?<Status>.*)\"}"
| rex field=_raw "\((?<Message_Id>[^\)]*)"
| rex "Path\:\s+(?<ResourcePath>.*)\""
| rex "timestamp\\\":(?<timestamp>\d+)"
| stats min(timestamp) as startTime, max(timestamp) as endTime by Message_Id
| eval duration = endTime - startTime
| eval end_timestamp_s = endTime/1000, start_timestamp_s = startTime/1000
| eval human_readable_etime = strftime(end_timestamp_s, "%Y-%m-%d %H:%M:%S"), human_readable_stime = strftime(start_timestamp_s, "%Y-%m-%d %H:%M:%S"), duration = tostring(duration, "duration")
| table Message_Id human_readable_stime human_readable_etime duration
Well, I did change one thing from your last example. Here is the final version that worked as required, for those that read this later.
<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>
      | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
      | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
      | table entity_name, internal_entity_id
      | sort entity_name
    </query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
      <set token="app_net_fm_entity_id">_all</set>
      <set token="condition">1</set>
    </condition>
    <condition>
      <set token="condition">2</set>
      <eval token="app_net_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
      <set token="app_net_fm_entity_id">$app_fm_entity_id$</set>
    </condition>
  </change>
</input>
Thank you sooo much!!! That worked perfectly!!!
Hi @Jonathan.Wang, thank you for following up. Since the community has not jumped in yet either, I think the best next step is to contact Support. AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases. If you contact Support or find a solution on your own, please share your learnings as a reply to this post.
The transaction command provides a duration field for the difference in times. Is this not sufficient for your needs?
Hi all, I have 20+ panels in a Studio dashboard. As per the customer requirement, they want only 5 panels per page. Could you please help with the JSON code for how to segregate the panels? For example, if I click on the 1st dot it should display only 5 panels, if I click on the next dot it should display the next 5 panels, and so on.
Essentially, the mvrange and mvexpand give you two events, one with row equal to zero and one with row equal to one. If you can use these to calculate how far back you want the send event to be, based on the difference between the info_min_time and info_max_time (which are returned by addinfo), you can modify the calculation for earliest and latest appropriately. Hopefully that makes sense.