I'm trying to accomplish the same thing. Were you able to come up with a solution?
If I run the code below I get events in the output JSON file. If I want to get statistics instead, is there an API available? If I want the error count and stdev in the JSON file, how can I use the Python code to get these values?

import os
import urllib.parse
import requests

# splunk_host, splunk_port and splunk_token are set earlier in the script
payload = (
    'search index="prod_k8s_onprem_vvvb_nnnn" "k8s.namespace.name"="apl-siii-iiiii" "k8s.container.name"="uuuu-dss-prog" NOT k8s.container.name=istio-proxy NOT log.level IN(DEBUG,INFO) (error OR exception)(earliest="07/25/2024:11:30:00" latest="07/25/2024:12:30:00")\n'
    '| addinfo\n'
    '| bin _time span=5m@m\n'
    '| stats count(eval(log.level="ERROR")) as error_count by _time\n'
    '| eventstats stdev(error_count)'
)
print(payload)

# form-encode the SPL as the "search" parameter expected by the export endpoint
payload_escaped = f'search={urllib.parse.quote(payload)}'
headers = {
    'Authorization': f'Bearer {splunk_token}',
    'Content-Type': 'application/x-www-form-urlencoded'
}
url = f'https://{splunk_host}:{splunk_port}/services/search/jobs/export?output_mode=json'

# verify=False turns off TLS certificate validation, so the bearer token is sent over an unverified connection
response = requests.request("POST", url, headers=headers, data=payload_escaped, verify=False)
print(f'{response.status_code=}')
txt = response.text

if response.status_code == 200:
    json_txt = f'[\n{txt}]'
    os.makedirs('data', exist_ok=True)
    with open("data/output_deploy.json", "w") as f:
        f.write(json_txt)
else:
    print(txt)
Why have you got timeSinceLastSeen in the by clause - this was not suggested by @gcusello - what do you get when you do exactly as suggested?
I found the issue described in Symptom 1 of this link https://splunk.my.site.com/customer/s/article/No-Clients-Showing-up-on-Deployment-Server-After-Upgrade-to-9-2-0-1 Resolved!
After upgrading my deployment server to Enterprise 9.2.2 the clients are no longer connecting to the deployment server. When I launch my DS UI and check for clients connecting, it says 0. Has anyone had this issue?
It is one of several blocks of lines inside the log file. Each starts with the little snippet I put above and then has any number of lines after it. While the file is a .txt, it looks to me like an XML document that pushes out the log file. I've not seen one like it before. I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.
Wow. The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is. Is that one event or several? Or is that the prologue to the log file?

You may be able to use a custom datetime.xml file or you may want to consider an input script that normalizes the timestamp.
I have tried the below query as per your suggestion, but I'm not getting the result:

index=_audit sourcetype=audittrail action=success AND info=succeeded
| eval secondsSinceLastSeen=now()-_time
| eval timeSinceLastSeen=tostring(secondsSinceLastSeen, "duration")
| stats count BY user timeSinceLastSeen
| append [| rest /services/authentication/users | rename title as user | eval count=0 | fields user ]
| stats sum(count) AS total BY user timeSinceLastSeen
How do we uninstall existing AppD configuration from our SAP systems? Looking for documentation for uninstallation process for machine agents, Java agents, ABAP App agents and Datavard transports.
I am trying to create a sourcetype for a new client. Note that StartDate=xxxx is where the log begins. However, the StartTime=*** is not with it, but I need both in the logs. How do I create this sourcetype?

C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024
C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024
C:\Program Files\Universal\UAGSrv\xxx>set sdm=07
C:\Program Files\Universal\UAGSrv\xxx>set sdd=29
C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024
C:\Program Files\Universal\UAGSrv\xxx>set sdm=07
C:\Program Files\Universal\UAGSrv\xxx>set sdd=29
C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56

Any assistance would be very helpful and appreciated.
Are your nodes physical or e.g. from VMware or some cloud instances?
Hi, this is the answer from Community Slack (Slackbot 17:08):

There are a lot of options for finding hosts or sources that stop submitting events:

Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings

Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

r. Ismo
Your query is showing who has successfully logged into Splunk, not the users who have not logged in to Splunk.
Hi @Lijesh.Athyalath, I found this Knowledge Base Article. Can you see if this helps? https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-deploy-a-NET-Agent/ta-p/41772
Hi gcusello, thanks for the reply. I am looking to get results like below.

my base search
| rex "^[^=\n]*=(?P<ServiceName>[^,]+)"
| rex "TimeMS\s\=\s(?<Trans_Time>\d+)"

Results:

ServiceName                         Trans_Time   Count
A                                   60           1111
B                                   40           1234
Other_Services (C, D, E, F, G, H)   25           1234567
Hi @kc_prane, only one question: what's time_Token? If it's a field, please try something like this:

<your_search>
| eval services_names=if(services_names IN ("A", "B"), service_name, "Other_Services")
| stats values(time_Token) AS time_Token BY services_names
| table services_names time_Taken

Otherwise, please explain what time_Token is, or apply my approach to your search.

Ciao.
Giuseppe
I have Service_names (A, B, C, D, E, F, G, H, I, J, K, L, M) but want (C, D, E, F, G, H, I, J, K, L, M) services_names renamed as "Other_Services":

| stats by services_names
| table services_names time_Taken

Thanks in advance!
Hi @harishsplunk7, please try this:

index=_audit tag=authentication info=succeeded earliest=-30d@d latest=now
| stats count BY user
| append [ | rest /services/authentication/current-context | where NOT username="splunk-system-user" | eval count=0 | rename username AS user | fields user ]
| stats sum(count) AS total BY user
| where total=0

Ciao.
Giuseppe
I am looking for the search query to show any of the users who have not logged into Splunk. For example, we have 1500 user accounts but only 1200 users logged into Splunk in the last 90 days and the remaining 300 users have not logged in, so I want to list the 300 users. I have a retention period of 1 year.
It depends on the retention period of your indexes - essentially you need the latest time by user but if your retention period is not large enough you may not find the user you are looking for - all that tells you is that there is no record for the user, which may or may not be useful.