All Posts

I just added an additional `SEDCMD-removereset = s/\x1B\[0;m//g`
So, how does your rex command extract src_host_2, Service_2, and State_2 when they don't exist in the events?
Hi @Manish.Talukdar, If John's reply helped answer your questions, click the 'Accept as Solution' button. If not, reply to keep the conversation going. 
Version 9.2.2 seems to have solved this issue. I now have Splunk Enterprise and Splunkforwarder running on the same server in three separate environments.
I know it's an old post, but it helped me, but it leaves `[0;m` behind, which is 'Reset' I believe.
If they are intended to be a Stand-Alone Machine Agent, insert a line in the Controller-Info.xml: `<application name> {TypeAppNameHereAsSeeninAppDController} </application Name>` Restart the Machine Agent service.
You're right. It is still showing the same amount in every interval. Thanks a lot.
Hi, thanks, but the problem is they are not from the same events, as they are separate.
Hi @sintjm , if they are integers or they are in epoch time, you can calculate the difference using the eval command: `<your_search> | eval diff=Resp_time-Req_time` Ciao. Giuseppe
Hi @kp_pl , sorry but I don't understand your request: perc75(tt) is one of the calculated values, so why do you want to add a new column? Could you share how you are waiting for results? Ciao. Giuseppe
Hi @Silah , yes, you can create two different stanzas, one for each sender with different indexes. The only question is: why? Usually indexes are chosen when you have different retentions or different access grants, not different sources or technologies. Different sources are recognized in the same index by host, and different technologies are recognized by sourcetype. Ciao. Giuseppe
Hi @Shahnoor , are you sure that the number of events and errors in slices of 5 minutes are different? Because the search is correct. Please try these two searches and manually compare results: `index=my_index CAT=B | timechart span=5m count(eval(RESULT="404")) AS Error_count` and `index=my_index CAT=B | timechart span=5m count` Ciao. Giuseppe
(Hard sometimes to think of a good salutation that isn't boring or awkward, so fill in what you like here.), I accidentally deleted some of the data sets in my TA data model, I have a back-up from the original app but want to know if there is a quick and easy way to restore these. It would also be useful exercise to go over how the DM and its related data is stored in Splunk (from the backend perspective, not where to look for it in the GUI.) Thanks beforehand for any help/guidance.
Thanks a lot Giuseppe! Sincerely appreciate your quick response. I'm getting the error percentage now. One small problem: for all the 5 minute spans throughout the last 24 hours, I'm getting exactly the same number of both total events and errors as well. So the error percentage is constant over time (Error count: 106, Event count: 1525, percentage: 6.95%). I know this is not correct. The number of events varies over peak and off-peak hours. Do you think it's calculating the same data and plotting it over different times? This is what my current script looks like: `index=my_index CAT=B | bin span=5m _time | stats count(eval(RESULT="404")) AS Error_count count BY _time | eval Error_Percentage=round(Error_count/count*100,4)`
Hi @RonWonkers , in Splunk Enterprise alerts it isn't possible to define fields for throttling as in Enterprise Security. If you're speaking of Enterprise Security, you can use multiple fields; otherwise it isn't possible now, maybe in a future version. Ciao. Giuseppe
I extracted 2 fields called 'Resp_time' and 'Req_time'. Both these fields are integers. I also changed the values to epoch. How do I display the difference between the Resp_time and Req_time?
Hi, I have an alert that triggers when an employee opens a file. This alert runs every 30 minutes so we can see these alerts fast. When employee1 opens file1 we see the alert, and throttle based on the field "employee", because if we don't throttle then this alert keeps repeating every 30 minutes. The problem is now that when employee1 opens file2, file3, or file4 we do not see this anymore, since we have a throttle on employee. Is there a way to throttle on a combination of employee and file, so that when employee1 opens file1 we get an alert, when he opens file2 we get a different alert, but we don't keep seeing the same alerts repeating every 30 minutes?
Hi, I have added the config details already, but data is still not coming.
Hi @Shahnoor , you should try something like this: `index=your_index CAT=B | bin span=5m _time | stats count(eval(RESULT="404")) AS 404_count count BY _time | eval perc=404_count/count*100` to adapt to your conditions (e.g. CAT=B). Ciao. Giuseppe
We found a lot of errors, mentioned below. Queue Capacity seems to be getting breached after the metaspace limit is breached; however, we need debug logs during the problematic time period to detect this. A restart resolves the issue temporarily.

```
PRODCUSTOMXYZ01==> [AD Thread-Metric Reporter0] 24 Jul 2024 18:51:06,818 DEBUG ManagedMonitorDelegate - Adding metric to the Queue to publish [Custom Metrics|Log Monitor|InfraDB_Logs|Search String|ORA-0.1502|Occurrences]
PRODCUSTOMXYZ01==> [extension-scheduler-pool-1] 24 Jul 2024 18:50:46,365 DEBUG SimMetricsService - Not reporting metric with name Hardware Resources|Process|ora_p00i_XYZApp|Faults|Minor Faults/sec, its value is unknown.
```