All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hi @kc_prane , try this - create a new eval field (ServiceGroup) to check whether ServiceName is A or B, else assign it to "Other_Services" : | rex "^[^=\n]*=(?P<ServiceName>[^,]+)" | rex "TimeMS\s... See more...
Hi @kc_prane , try this - create a new eval field (ServiceGroup) to check whether ServiceName is A or B, else assign it to "Other_Services" : | rex "^[^=\n]*=(?P<ServiceName>[^,]+)" | rex "TimeMS\s\=\s(?<Trans_Time>\d+)" | eval ServiceGroup = case( ServiceName == "A", "A", ServiceName == "B", "B", 1==1, "Other_Services" ) | stats avg(Trans_Time) as Avg_Trans_Time, count as Count by ServiceGroup | rename ServiceGroup as ServiceName | sort ServiceName  
Hi @Real_captain you can use append to combine the two searches, then get the status using eval if condition: `macro_events_all_win_ops_esa` sourcetype=WinHostMon host=P9TWAEVV01STD (TERM(Esa_Invoic... See more...
Hi @Real_captain you can use append to combine the two searches, then get the status using eval if condition: `macro_events_all_win_ops_esa` sourcetype=WinHostMon host=P9TWAEVV01STD (TERM(Esa_Invoice_Processor) OR TERM(Esa_Final_Demand_Processor) OR TERM(Esa_Initial_Listener_Service) OR TERM(Esa_MT535_Parser) OR TERM(Esa_MT540_Parser) OR TERM(Esa_MT542_Withdrawal_Request) OR TERM(Esa_MT544_Parser) OR TERM(Esa_MT546_Parser) OR TERM(Esa_MT548_Parser) OR TERM(Esa_SCM Batch_Execution) OR TERM(Euroclear_EVIS_Border_Internal) OR TERM(EVISExternalInterface)) | stats latest(State) as Current_Status by service | where Current_Status != "Running" | stats count as count_of_stopped_services | eval status = if(count_of_stopped_services = 0 , "OK" , "NOK" ) | fields status | append [ search `macro_events_all_win_ops_esa` host="P9TWAEVV01STD" sourcetype=WinEventLog "Batch *Failed" System_Exception="*" | stats count as count_of_failed_batches | eval status = if(count_of_failed_batches = 0 , "OK" , "NOK" ) | fields status ] | stats values(status) as status_list | eval final_status = if(mvcount(mvfilter(status_list=="NOK")) > 0, "NOK", "OK") | fields final_status
I Have ServiceNames (A, B ,C ,D, E,  F, G, H)  but want  (C ,D, E,  F, G, H ) ServiceNames combined results and renamed as "Other_Services"  My base search | rex "^[^=\n]*=(?P<ServiceName>[^,]+)" |... See more...
I Have ServiceNames (A, B ,C ,D, E,  F, G, H)  but want  (C ,D, E,  F, G, H ) ServiceNames combined results and renamed as "Other_Services"  My base search | rex "^[^=\n]*=(?P<ServiceName>[^,]+)" | rex "TimeMS\s\=\s(?<Trans_Time>\d+)"   Required Results ServiceName         Trans_Time Count A 60 1111 B 40 1234 Other_Services( C , D, E, F,G,H) 25 1234567
Hello,    I'm new to AppDynamics world. When tried to create a platform after the installation (as the messages attached below) with the following command, and I got an error message next. Can anyon... See more...
Hello,    I'm new to AppDynamics world. When tried to create a platform after the installation (as the messages attached below) with the following command, and I got an error message next. Can anyone advise me how to resolve this issue? Thanks.  -- Jonathan Wang, 2024/07/30 Command ==> [root@appd-server platform-admin]# bin/platform-admin.sh create-platform --name myappd --installation-dir /usr/local/appdynamics/platform2/ IOException while parsing API response: Failed to connect to appd-server/fe80:0:0:0:be24:11ff:fed4:bf11%2:9191 ================== Installation step, and associated log below. ========== I finished AppDynamics installation with the following command (on Rocky Linux 9.4):    ./platform-setup-x64-linux-21.4.4.24619.sh   and got the following complete messages: Installing Enterprise Console Database. Please wait as this may take a few minutes... Installing Enterprise Console Database... Installing Enterprise Console Application. Please wait... Installing Enterprise Console Application... Creating Enterprise Console Application login... Copying timezone scripts to mysql archives... Creating Enterprise Console Application login... Setup has finished installing AppDynamics Enterprise Console on your computer. To install and manage your AppDynamics Platform, use the Enterprise Console CLI from /usr/local/appdynamics/platform2/platform-admin/bin directory. Finishing installation ...
I am also getting same error in Splunk ES 9.1.0.2. Anyone found a solution for this ?   Max retries exceeded with url: /v1/actions/process-check-result (Caused by SSLError("Can't connect to HTTPS U... See more...
I am also getting same error in Splunk ES 9.1.0.2. Anyone found a solution for this ?   Max retries exceeded with url: /v1/actions/process-check-result (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available."))    
Couldn't you theoretically deploy an app with a scripted input that would make changes to files in etc/system/local? Not saying this is the best method because if it fails you could brick the forward... See more...
Couldn't you theoretically deploy an app with a scripted input that would make changes to files in etc/system/local? Not saying this is the best method because if it fails you could brick the forwarder, but I would think it is theoretically possible if there are no other means possible.
I'm trying to accomplish the same thing. Were you able to come up with a solution?
If I run the below code I am getting events in output json file , if I want to get statistics , is there any api available  if I want to get error count and stdev in json file , how can I use the ... See more...
If I run the below code I am getting events in output json file , if I want to get statistics , is there any api available  if I want to get error count and stdev in json file , how can I use the python code to get these values   payload=f'search index="prod_k8s_onprem_vvvb_nnnn" "k8s.namespace.name"="apl-siii-iiiii" "k8s.container.name"="uuuu-dss-prog" NOT k8s.container.name=istio-proxy NOT log.level IN(DEBUG,INFO) (error OR exception)(earliest="07/25/2024:11:30:00" latest="07/25/2024:12:30:00")\n' '| addinfo\n' '| bin _time span=5m@m\n' '| stats count(eval(log.level="ERROR")) as error_count by _time\n' '| eventstats stdev(error_count)' print(payload) payload_escaped = f'search={urllib.parse.quote(payload)}' headers = { 'Authorization': f'Bearer {splunk_token}', 'Content-Type': 'application/x-www-form-urlencoded' } url = f'https://{splunk_host}:{splunk_port}/services/search/jobs/export?output_mode=json' response = requests.request("POST", url, headers=headers, data=payload_escaped, verify=False) print(f'{response.status_code=}') txt = response.text if response.status_code==200: json_txt = f'[\n{txt}]' os.makedirs('data', exist_ok=True) with open("data/output_deploy.json", "w") as f: f.write(json_txt) f.close() else: print(txt)  
Why have you got timeSinceLastSeen in the by clause - this was not suggested by @gcusello - what do you get when you do exactly as suggested?
I found the issue described in Symptom 1 of this link https://splunk.my.site.com/customer/s/article/No-Clients-Showing-up-on-Deployment-Server-After-Upgrade-to-9-2-0-1 Resolved!
After upgrading my deployment server to Enterprise 9.2.2 the clients are no longer connecting to the deployment server. When I launch my DS UI and check for clients connecting, it says 0. Has anyone ... See more...
After upgrading my deployment server to Enterprise 9.2.2 the clients are no longer connecting to the deployment server. When I launch my DS UI and check for clients connecting, it says 0. Has anyone had this issue?
It is one of several blocks of lines inside the log file.  Each starts with the little snippet I put above and then has any number of lines after it.  While the file is a .txt, the look to me would b... See more...
It is one of several blocks of lines inside the log file.  Each starts with the little snippet I put above and then has any number of lines after it.  While the file is a .txt, the look to me would be a xml document that pushes out the log file.  I've not seen one like it before.  I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.
Wow.  The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is. Is that one event or several?  Or is that the prologue to the log file? You m... See more...
Wow.  The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is. Is that one event or several?  Or is that the prologue to the log file? You may be able to use a custom datetime.xml file or you may want to consider an input script that normalizes the timestamp.
I have tried the below query as per your suggestion, But not getting the result, index=_audit sourcetype=audittrail action=success AND info=succeeded | eval secondsSinceLastSeen=now()-_time | eval ... See more...
I have tried the below query as per your suggestion, But not getting the result, index=_audit sourcetype=audittrail action=success AND info=succeeded | eval secondsSinceLastSeen=now()-_time | eval timeSinceLastSeen=tostring(secondsSinceLastSeen, "duration") | stats count BY user timeSinceLastSeen | append [| rest /services/authentication/users | rename title as user | eval count=0 | fields user ] | stats sum(count) AS total BY user timeSinceLastSeen,
How do we uninstall existing AppD configuration from our SAP systems? Looking for documentation for uninstallation process for machine agents, Java agents, ABAP App agents and Datavard transports.
I am trying to create a sourcetype for a new client: Note StartDate=xxxx is where the log begins.  However the StartTime=*** is not with it, but I need both int he logs.  How do I create this source... See more...
I am trying to create a sourcetype for a new client: Note StartDate=xxxx is where the log begins.  However the StartTime=*** is not with it, but I need both int he logs.  How do I create this sourcetype?  C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56   any assistance would be very helpful and appreciated.
Are your nodes physical or e.g. from VMware or some cloud instances?
Hi this is answer from Community Slack Slackbot 17:08 There are a lot of options for finding hosts or sources that stop submitting events: Meta Woot! https://splunkbase.splunk.com/app/2949/ Tr... See more...
Hi this is answer from Community Slack Slackbot 17:08 There are a lot of options for finding hosts or sources that stop submitting events: Meta Woot! https://splunkbase.splunk.com/app/2949/ TrackMe https://splunkbase.splunk.com/app/4621/ Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/ Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/ Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings Some helpful posts: https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe https://www.duanewaddle.com/proving-a-negative/ r. Ismo
your query is showing who is successfully logged into splunk.. not the user not logged in splunk. 
Hi @Lijesh.Athyalath, I found this Knowledge Base Article. Can you see if this helps? https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-deploy-a-NET-Agent/ta-p/41772