I already edited the controller-info.xml and put the javaagent.jar in the application, but the application doesn't show after I restart the services. Why does this happen?
There are many reasons why a transform might not work. The most common is that the regular expression doesn't match the incoming data. It's also possible the source name doesn't match what's in props.conf, so the transform is never invoked.
Yes, you can run the reload deploy-server command and it should install the props and transforms on the forwarders (if done correctly). It will not install them on indexers or search heads.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
Try something like this:
|tstats max(_time) as _time, where index=windows [|metadata type=hosts index=win index=linux | eval now=now() | eval diff= now - lastTime | where diff > 18000 | table host ] by host,index
There are two different approaches to this. One is to compare the result of searches. But this is limited to a given set of constraints (source, sourcetype, host) and since props and transforms can be defined based on each of those parameters, tracking them down to the real difference in config can be tricky (and doing a summarized field count over - for example - sourcetype might not show you the difference in sources). Another is to run btool and compare effective configs:
splunk btool props list --debug
splunk btool transforms list --debug
splunk btool fields list --debug
and so on.
Check the "inspect job" screen. Most probably dedup is _not_ your main culprit here. You're using a lot of non-equality checks, which means (assuming this is in your initial search) that Splunk has to parse each event containing the string test123. If there's a lot of data, there's a lot of parsing. BTW, unless you're absolutely sure about your data, your process with dedup is flawed - dedup just filters out subsequent occurrences of a given field in any event regardless of other fields, so are you absolutely sure that deduping at this point does not influence your stats further down the pipeline?
Hi @ITWhisperer, I just need a list of hosts which have not been reporting for the last 5 days, along with index information.
What is it that you are trying to achieve that metadata is not giving you?
You are aligning your times to the beginning of the week that the month starts in and the beginning of the week is a Sunday, which in this case takes you back into the previous month. Given that months have different lengths, what exactly do you want your chart to show?
I have the following search. How can I add index information to the results?
|tstats max(_time) as _time, where index=windows by host,index |append [|metadata type=hosts index=win index=linux  ] | eval now=now() | eval diff= now - lastTime | search diff > 18000 | eval notreportingsince=tostring(diff,"duration") | table host lastTime notreportingsince | convert ctime(lastTime) as lastTime | table host notreportingsince lastTime,index
Can you see the "original_host" field in the events in your Veeam index now?
Hi @sankar_1986, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi all. We have several synthetics in a Splunk Observability Cloud and I want to add their metrics to the Splunk Enterprise that we have inside a private network. I have seen that with the Splunk Infrastructure Monitoring Add-on I could ingest data, but it is not entirely clear to me how to configure it. Can anyone help me with the steps I need to follow to achieve this? I already have the Add-on installed in the HF and in the Search Head of Splunk Enterprise. Thanks in advance. JAR
Here is my search:
... earliest="4/1/2024:00:00:00" latest="8/1/2024:00:00:00" | bin span=1h _time | addinfo | eval marker = if(_time < (relative_time(info_min_time,"+1mon@mon@w")), "April","July") | eval _time = if(_time < (relative_time(info_min_time,"+1mon@mon@w")),_time + 90*24*3600, _time) | chart count max(data) by _time marker | where _time>=relative_time(now(), "-1mon@mon@w")
With the above, my April chart is shifted over July, but it does not start from the first day of the month but last June. In my eval _time shift (3rd line from the bottom) I would like to know how I can reflect exact month days instead of doing "+90*23*3600" (April, July = 31 days, whereas June is 30). Thanks
Hi - I am looking to optimise this search by removing dedup. The idea of the search is to remove duplicate paymentId fields and create a table with the fields specified under the stats count. The search currently takes 300+ seconds to run for 4hrs worth of data.
AND card_issuer_stats AND acqRespCode!="0" AND acqRespCode!=85 AND acqRespCode!=100 AND gwyCode="test123" |dedup paymentId |stats count by acqCode,acqRespCode,mainBrand |sort -count
Any help would be greatly appreciated, thanks
Hi Team, I am developing a Splunk dashboard to provide the weekly restart status of all enterprise application servers. Since this dashboard is intended to show the restart status for the last 7 days of a huge server count, a total of 18 panels have been developed, and using the <condition match="****> option I am hiding/un-hiding these panels for the last 7 years. During validation, there's a delay in loading the panels due to a performance factor and I am not sure whether the design approach followed is correct or not. Kindly advise how to effectively improve the response time while loading the panels.
Hi Srinath. The reason this happens, especially in Cloud Environments, is that the machine agent running there will get a certain hostname back, which doesn't match the hostname being detected or set by the application agent. You just have to look at what unique hostname the machine agent is returning, versus the unique hostname that the app agent is returning. They have to match for it to link and show the machine agent within the application dashboard. If it's not possible to auto-detect, the easiest way is, within the machine agent controller-info.xml or an environment variable, to set the unique host id to the exact same value as the app agent host name value being returned by the app agent. That will resolve it. Ciao
Hi @SplunkExplorer, you can try this: <yoursearch> | stats dc(*) as *
Hello, looks like debug/refresh was enough.