All Posts

Hi, we recently installed the Veeam App for Splunk and put the logs from our Veeam Backup & Replication and Veeam One server into it. Unfortunately we are getting no data in the Veeam Data Platform Monitoring or Veeam Security Events section. We can see the raw logs and also the fields. Does anyone have an idea why we are getting no data in the Veeam app? Best regards
btw, I tried the below rex, any idea why it's not showing any records?
Can you please suggest how to use INDEXED_EXTRACTIONS = JSON or spath? I mean any example, and what are the benefits.
So basically I would like to find all error codes with their order IDs. I want to use the below main search:
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE
So what I posted earlier is part of the above search. I want to extract all error codes and their order IDs. Later I am planning to put a bar chart for the same based on range. Hope you got the requirement.
Hi @bhaskar5428, this is the regex to extract the highlighted fields:
| rex "\"orderId\":\"(?<orderId>[^\"]+)\"},\"error\":\{\"errorCode\":\"(?<errorCode>[^\"]+)\""
that you can test at https://regex101.com/r/XkBntG/1, but I suggest trying INDEXED_EXTRACTIONS = JSON or spath. Ciao. Giuseppe
Can the webhook payload for a Splunk alert be configured manually? I have a ServiceNow API endpoint and need to modify the payload for an alert.
I have an M1 MacBook, and the pyagent provided by AppDynamics has a dependency called ```appdynamics_bindeps```. Similarly, if I try to run the agent in a Linux env using UTM I had the same error with the same dependency.
message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]
Not working
Please find the text message:
message: Send jms message [queue=SEP.TO.PEIN, statusCode=200, idempotencyId=b95d0d10-9709-4299-9d3e-8c65dd5a539d, processId=PE2400000582026, delivApp=null, message={"transactionItems":[{"itemId":"4f2170cd-35f6-4d03-b0fe-6ebbca6e00cb","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"adea3dff-8e02-433e-a2ad-94bac828989b","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bf96b534-2150-4228-843f-9fb920a1f44f","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb6e42ac-ee83-48b6-8213-7faf0311c6d0","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"bdd8a76f-ddb4-4616-a793-68ddd72aad0e","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595009","currencyCode":"INR"}}},{"itemId":"cb339f2a-ad85-410c-9043-275aa1e4fe17","status":"FAILED","accountIdentification":{"contractAccountNumber":{"branchCode":"0784","accountNumber":"0190595011","currencyCode":"INR"}}}],"orderStatusResponse":{"orderStatus":"ORDER_FAILURE","orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"SEP013","errorDescription":"Cannot find IDMS-0784 account by accNumber: 0190595009"}}]
The highlighted parts above I am trying to extract into two fields. Please help. Also, below is the query I am using:
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" SEP013
But I cannot use the above, because eventually I need all error codes, and those are available in the below search query.
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE ---> so please suggest how I can find the error code and order ID by using this search.
| rex \"orderId\":\"(<?orderId>[\w\-]+)\" | rex \"errorCode\":\"(<?errorCode>\w+)\"
Hi @bhaskar5428, this seems to be a JSON format, so if you use INDEXED_EXTRACTIONS = JSON in the props.conf, or if you use the spath command (https://docs.splunk.com/Documentation/Splunk/9.2.2/SearchReference/Spath) in the search, you should be able to extract your fields. It's also possible to use the rex command to extract the field, but to do this I need an example of your data in text format (not a screenshot), using the Insert/Edit code sample button (the one with "</>"). Ciao. Giuseppe
Adding the command which I have tried but which is not working; I need help correcting the rex pattern:
index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" |fields message |rex field=_raw "errorCode=(?<Error>[^,]*)" |rex field=_raw "orderId":(?<Order>\w+)" |table Error, Order
Hi team, from the above screenshot can you suggest how I can extract SEP013 against "errorCode"? I need the count of events for SEP013. Note: I am planning to put dedup on order ID, so I will get the correct count.
| rex field=_raw max_match=0 "(?s)\<ReportItem>(?<pluginout>.*?)\<\/ReportItem\>"
Having offered that, @yuanliu is correct: it is usually better to treat structured data with the correct tools, e.g. spath. However, without a complete representation of your event data, and a fuller understanding of what it is you are actually trying to achieve, the rex above meets your minimal needs.
Hi Andre.Penedo, Thanks for posting on community.
Analysis: Seems like you are attempting to create a health rule using a wildcard to enable dynamic database monitoring.
Answer: Unfortunately, it's not possible to create a Health Rule that dynamically evaluates data from different tablespaces in AppDynamics. I tried to recreate your condition and make health rules using wildcards. However, it appears that specifying metrics using wildcards is only supported for JVM, machine, and CLR branches, and not for database custom metrics. From "Use Wildcards in Metric Definitions": Specifying metrics using wildcards is only supported in JVM, machine, and CLR branches.
Suggestion: Currently, the best approach is to create individual health rules for each known tablespace, as you might be aware. This ensures monitoring but requires manual updates when new tablespaces are added. However, this could be a valuable enhancement for future releases. How about submitting this as a request to our Idea Exchange?
Hope this helps. Regards, Martina
Your illustrated fragment suggests that your raw events are either XML or contain XML documents. I strongly discourage treating structured data such as XML as plain text. Please post a complete sample event. (Anonymize as needed.)
Hi @inventsekar.  OEL8 is Oracle Enterprise Linux 8.9. No, we haven't opened the case yet, it's in progress.
I have a raw Nessus file that I've processed by separating host names into individual hosts. However, I am encountering a problem with extracting data between <ReportItem> tags, especially when there are multiple lines involved (I have multiple ReportItems in one event under a hostname).
Here is the regular expression I am using:
| rex field=_raw max_match=0 "\<ReportItem\s(?<pluginout>.*?)\<\/ReportItem\>"
OR
| rex field=_raw max_match=0 "\<ReportItem\s(?<pluginout>.*(\s+)?)\<\/ReportItem\>"
Unfortunately, it doesn't seem to capture anything that spans multiple lines, as shown in the example below:
"<ReportItem>
...
(multiline content)
...
</ReportItem>"
Could you please help me adjust my regular expression to correctly capture multiline content within <ReportItem>?
Note: ReportItems without multiple lines are extracting fine.
Any help would be appreciated.
Hello Splunkers! You can now easily install Splunk Enterprise and the Universal Forwarder using this handy script. It supports all available versions and can be installed on any Linux distribution. For detailed installation steps, please visit: https://github.com/PraxisForge/Install_Splunk
#Upgrade universal forwarder version (nix) #Splunk Enterprise(nix) #Universal Forwarder(nix) #Upgrade Splunk Enterprise version(nix)