Hello everyone, I am new to Splunk. I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="printing,error") occurred. How could I do this? So I have events with:
sourcetype=winprintmon host=bartender2020
type=PrintJob
printer="*" (gets all printers) ex: zebra1065
could have status of "printing"/"printing,error"/"spooling"
So what I wanted to do is: if a printer has an error (status="printing,error") at 6am, count the events of that printer that have status="spooling" (which is the queue) that occurred after 6am.
Desired result format: printer name | Counts of spooling(queue) |
Hope this explains better, been dealing with this for days. Thank you so much in advance!
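One way to produce that table, as an added example that is not part of the original post. It uses the sourcetype, host, type, printer and status values given above; err_time, first_error and spooling_count are field names made up for this sketch. It records the time of each error event, takes the earliest one per printer with eventstats, then counts only the spooling events that came later.

```spl
sourcetype=winprintmon host=bartender2020 type=PrintJob
| eval err_time=if(status="printing,error", _time, null())
| eventstats min(err_time) as first_error by printer
| where status="spooling" AND _time > first_error
| stats count as spooling_count by printer
| rename printer as "printer name", spooling_count as "Counts of spooling(queue)"
```

Printers that never reported "printing,error" in the search window have no first_error value and drop out at the where step.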
Hi @avikc100, you have to use the eval command to change the source value, so you could use the case statement with many values:
| eval source=case(
like(source, "%PACA.log"), "Canada Pricing Call",
like(source, "%second_value.log"), "Second value",
like(source, "%third_value.log"), "Third value")
Ciao. Giuseppe
this is my splunk query:
index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/ExternalPACA.log" |eval timestamp=strftime(_time, "%F") | chart limit=30 count as count over source by timestamp
it is showing result as :
but I want to add a custom name to it, how should I do that?
This is what I have so far:
<form version="1.1" theme="light">
<label>AutoSelectMulti</label>
<init>
<set token="pre_indexes"></set>
</init>
<fieldset submitButton="true" autoRun="false">
<input type="multiselect" token="server" searchWhenChanged="true">
<label>Server</label>
<fieldForLabel>dns</fieldForLabel>
<fieldForValue>dns</fieldForValue>
<search>
<query>index=summary source=sc dns=eaz* | dedup dns | table dns</query>
</search>
<delimiter> ,</delimiter>
</input>
<input type="multiselect" token="ds1">
<label>DS1</label>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>index=summary source=sc dns=eaz* | search dns IN ($server$) | dedup host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<delimiter> ,</delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<title>EAST DS</title>
<search>
<query>| makeresults
| eval ServerclassInfo="[serverClass:serverclass]
whitelist.0 = server1
whitelist.1 = server2
Server List which needs to add under whitelist = $server$
EAST Deployment Server : $ds$"
| fields ServerclassInfo
| fields - _time</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>West DS</title>
<search>
<query>| makeresults
| eval ServerclassInfo="[serverClass:serverclass]
whitelist.0 = server1
whitelist.1 = server2
Server List which needs to add under whitelist = $server$
WEST Deployment Server : $ds$"
| fields ServerclassInfo
| fields - _time</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
What I'm ultimately looking for is: if I select 5 servers, of which 3 go to US and 2 go to UK, I want it to have two panels. The US panel shows the 3 servers with what DS, whereas the other panel shows the identical thing, but only the 2 servers. That's okay if we don't have that Deployment Server input too.
I tried setting parallelIngestionPipelines = 2 in server.conf and the behavior did not change. I also tried stopping the sysmon daemon and disabling the sysmon journald input. It had no effect on the above behavior.
Hi @Easwar.C,
Have you been able to review the comment your post got? If it helped, please click the "Accept as Solution" button on the reply that helped. If not, reply back to the thread and keep the conversation going.
Hi @arun97, usually these issues are related to the network bandwidth or low workstation memory. Did you experience this issue on all Splunk dashboards or only in some of them? Are you using a VPN? This usually gives high slowness. Ciao. Giuseppe
The Splunk support portal doesn't let me file a case, as it expects an input for "Splunk Support access to your company data". However, no option is available to select.
Hello Splunkers!! I want to achieve the below results in Splunk. Please help me with how to achieve this in SPL. Whenever the field is carrying a number string, I want the expected results below.
Current results | Expected values
1102.1.1 | 1102.01.01
1102.1.2 | 1102.01.02
Thanks in advance!!
@KendallW Thank you for the response, but it returned only a single word, not the whole sentence ('testing', when I table it it splits it into like this: Starting logs recent logs) : ( most "/example ......a bunch of sensitive information" Error: someone stepped on the wire. Goal is to have it like this: D:"//user/local/line500" Error : someone stepped on the wire. D://user/local/line980 ,indo Error : Simon said Look
Opening a Splunk Support case is not a straightforward task. If you notice the screenshot, it asks me to provide an answer to the question "Splunk Support access to your company data". However, there is no option to select, and because of this I am unable to open a case.
These might be useful:
https://community.splunk.com/t5/All-Apps-and-Add-ons/parsing-log-text-to-get-a-specific-info/m-p/484283
https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-properly-parse-logs-that-contain-one/m-p/200151
Also see if an app helps, the extractions and such like are useful to inspect and use as needed:
https://splunkbase.splunk.com/app/3186#/overview (from https://community.splunk.com/t5/Getting-Data-In/How-to-parse-Apache-access-logs-in-Splunk/m-p/266983)
Hello ALL, I installed On-Premises AppDynamics 24.7 on a Rocky Linux 9.4 host. After completing the Enterprise Console installation (through the installation script "platform-setup-x64-linux-24.7.0.10038.sh"), I continued to set up the Controller (demo profile) and Events Service. The three jobs completed successfully, as shown below. The Controller starts OK, but the Events Service cannot start up. There is a red Critical health status highlighted. The error message: Task failed: Starting the Events Service api store node ... How can I make the Events Service start up? Thanks.
Thanks. I got it to work, but had to modify the syntax slightly to remove the backslashes - this worked.
[yoursourcetype]
SEDCMD-singletodouble=s/'/"/g
Hello refahiati, Have you verified with a manual inspection of the conf files on the weblogic server that the desired changes were made? If so, restart the agent on the weblogic server again. Otherwise, revalidate that you deployed the configs correctly. Inspecting the splunkd.log in the var/log folder is also useful for gathering more details about what might be going wrong.