Hi @Maximiliano.Salibe,
It looks like since this was an older thread, the other members did not chime in. Since it has been a few days, did you happen to find a solution or anything you can share? If you still need help with this, you can contact Cisco AppDynamics Support. https://www.appdynamics.com/support
It depends on what data you have in your events and how they are linked. For example, is the ticket number unique to the ticket? Do subsequent events contain all the information from previous events for the same ticket? Is the SLA fixed for all tickets, or is there a way to determine the SLA from the ticket (via a lookup perhaps)? Please provide more detail, ideally some anonymised representative sample events so we can see what you are dealing with.
Hello All, I'm trying to use Splunk and Tableau and in order to do so I need to use the Splunk ODBC Driver. I've followed these instructions: https://docs.splunk.com/Documentation/ODBC/3.1.1/UseODBC/InstallationmacOS and downloaded the driver, however the driver only gives options for macOS 11.6. I've tried downloading that driver, however the download error I get is "File wasn't available on site". I'm wondering if anyone has any solutions I could try to download this driver. Thanks
Hi All, I have one set of output having 8 closed tickets for two consecutive months as a result of a Splunk query. I also need to check whether each one of them breached SLAs or not based on their level of priority. How do I traverse through each and every record through a Splunk query? Please note: I also need to put in the formula to check which tickets got breached and what the breach age is, and finally the average age for breach of tickets. Please suggest how to proceed with this use case.
Consider using a lookup table that maps the first two octets to a location. If the lookup returns the same fields as the iplocation command then you could use the geostats command to display the data on a map. You probably would need to create a lookup definition and use the Advanced settings to define CIDR match on the address field. The lookup might look something like this:
addr             City  Country        Region      lat  lon
192.168.0.0/16   foo   United States  Texas       xxx  yyy
172.168.0.0/16   bar   United States  California  aaa  bbb
Hello, I need your help for something. I want to get a dropdown via using a result from a search with using js. I want the dropdown to take the search result:
index=_internal | stats count by source | table source
Thank you so much
Hello All, I am installing Alert Manager Enterprise on a standalone on-prem server. Can it be indexed in an existing index, or should I be using another new index for config? Also, what would be the HEC host field, will it be my URL for the Splunk instance, and what would be the HEC port as well? My understanding is that Alert Manager takes Splunk alerts and displays them; I'm not sure why HEC is even used when setting this up? Thank you for all the help!
Thank you everyone for commenting. I have pre-defined locations already based on the first two octets of the IP address schema. I thought there would be a way to identify location in that manner. Example: a login attempt from user1 from 192.168.x.x means they are coming from Texas; a login attempt from user2 from 172.168.x.x means they are coming from California. Remember these are examples, and I totally understand their local IP and geo tagging might not be possible since they're internal IPs. In this example we know the first two octets indicate California or Texas. The idea is to have a dashboard for Linux users that shows a map of user authentication taking place based on IP address. There are only two IP address schemes we are dealing with and only two locations in this example, each corresponding to the location in the example: 192.168.x.x is Texas and 172.168.x.x is California. Hope this helps :) Something like the below image:
OK. Show us one of your 4624 events found in verbose mode (blur sensitive data if needed). BTW, looking at my 4624 events I don't see anything that should yield action=success extraction.
Ahhhh. yes. The usual confusion between Deployer and Deployment Server (I read "deploy server" as Deployer, you read it - probably good - as DS). This naming is confusing, especially for newbies.
The iplocation command doesn't work with internal IP addresses (192.128.x.x, 10.x.x.x, etc.). That's because many companies use the same IP address space so a lookup by IP alone is not meaningful. Your company would have to create and install their own .mmdb file with the appropriate information.
I have a Linux environment and SSH is a thing here. I need to show SSH logins with location. I got the map to work, but now I need to figure out how to show the IPs based on two locations based on the first two octets of the IP address schema. Example: Texas: 192.168.x.x, California: 172.16.x.x
index=Exampe_index "ssh" sourcetype="Example_audit" "res"=success type=USER_LOGIN hostname=* | iplocation addr | geostats latfield=lat longfield=lon count
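The suggestion earlier in this thread is to replace iplocation with a CIDR-matched lookup (one row per /16, carrying the same lat/lon/City/Country/Region fields iplocation would produce) and then feed that into geostats. The following is an added example, not code from any poster, that does the same thing outside Splunk so the logic can be seen end to end: a longest-prefix CIDR lookup, a parser for Linux audit USER_LOGIN records, and a count of successful logins per mapped location. The lookup rows, coordinates and audit lines are all constructed for the example; the 172.16.0.0/16 row follows the California example given above, and addresses that match no row are counted under "unmapped" rather than silently dropped.

```python
import ipaddress
import re

# Constructed lookup rows modelled on the CIDR lookup sketched in this thread:
# one row per /16 ("first two octets"). Coordinates are placeholders, not real.
LOCATION_LOOKUP = [
    {"addr": "192.168.0.0/16", "City": "foo", "Country": "United States",
     "Region": "Texas", "lat": 31.0, "lon": -100.0},
    {"addr": "172.16.0.0/16", "City": "bar", "Country": "United States",
     "Region": "California", "lat": 36.8, "lon": -119.4},
]

# Constructed Linux audit records in the shape the original search filters on
# (type=USER_LOGIN, addr=..., res=success|failed). Not real log data.
SAMPLE_EVENTS = [
    "type=USER_LOGIN msg=audit(1700000000.101:201): pid=3101 uid=0 auid=1001 ses=11 "
    "msg='op=login id=1001 exe=\"/usr/sbin/sshd\" hostname=srv01 addr=192.168.10.5 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1700000000.202:202): pid=3102 uid=0 auid=1002 ses=12 "
    "msg='op=login id=1002 exe=\"/usr/sbin/sshd\" hostname=srv01 addr=192.168.44.200 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1700000000.303:203): pid=3103 uid=0 auid=1003 ses=13 "
    "msg='op=login id=1003 exe=\"/usr/sbin/sshd\" hostname=srv02 addr=172.16.7.9 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1700000000.404:204): pid=3104 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=srv02 addr=172.16.7.9 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1700000000.505:205): pid=3105 uid=0 auid=1005 ses=15 "
    "msg='op=login id=1005 exe=\"/usr/sbin/sshd\" hostname=srv03 addr=10.0.0.5 terminal=ssh res=success'",
]

# Pulls the three fields the search relies on out of one audit record.
EVENT_RE = re.compile(r"type=(?P<type>\S+).*?\baddr=(?P<addr>\S+).*?\bres=(?P<res>\w+)")


def build_lookup(rows):
    """Parse the CIDR column once and sort by prefix length so that a more
    specific row wins over a broader one (longest-prefix match, as Splunk's
    CIDR lookup matching does)."""
    nets = [(ipaddress.ip_network(r["addr"], strict=False), r) for r in rows]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


def locate(addr, lookup):
    """Return the location fields for addr, or None when the address is
    invalid or matches no row (the equivalent of an empty lookup result)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net, row in lookup:
        if ip in net:
            return {k: v for k, v in row.items() if k != "addr"}
    return None


def parse_event(line):
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def count_by_location(lines, lookup):
    """Stand-in for `| lookup ... | geostats latfield=lat longfield=lon count`:
    successful USER_LOGIN events counted per mapped location."""
    stats = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["type"] != "USER_LOGIN" or ev["res"] != "success":
            continue
        loc = locate(ev["addr"], lookup)
        if loc is None:
            # Surface unmapped sources instead of dropping them; a new internal
            # range showing up here is worth knowing about.
            stats.setdefault("unmapped", {"count": 0})["count"] += 1
            continue
        bucket = stats.setdefault(
            loc["Region"], {"lat": loc["lat"], "lon": loc["lon"], "count": 0})
        bucket["count"] += 1
    return stats


if __name__ == "__main__":
    lookup = build_lookup(LOCATION_LOOKUP)
    for region, bucket in count_by_location(SAMPLE_EVENTS, lookup).items():
        print(region, bucket)
```

With the constructed input this reports two successful logins for Texas, one for California (the failed attempt is excluded by the res=success filter) and one unmapped source (10.0.0.5), which is the signal that a third internal range needs a lookup row.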
I am getting this error below regarding pass4SymmKey:
WARN HTTPAuthManager [1045 MainThread] - pass4SymmKey length is too short. See pass4SymmKey_minLength under the clustering stanza in server.conf
INFO ServerRoles [1045 MainThread] - Declared role=cluster_master.
INFO ServerRoles [1045 MainThread] - Declared role=cluster_manager.
ERROR ClusteringMgr [1045 MainThread] - pass4SymmKey setting in the clustering or general stanza of server.conf is set to empty or the default value. You must change it to a different value.
ERROR loader [1045 MainThread] - clustering initialization failed; won't start splunkd
What exactly is the problem? I have defined the exact proper length of pass4SymmKey, but still it is not working. Below is the server.conf file. The server.conf file for the updated version will look like below:
[general]
serverName = ***
pass4SymmKey = generated_pass4SymmKey_value
[sslConfig]
sslPassword = ***
description = ABCDEFGH
peers = *
quota = MAX
stack_id = ***
description = ABCDEFGH
peers = *
quota = MAX
stack_id = forwarder
[***:ABCDEFGH]
description = ABCDEFGH
peers = *
quota = MAX
stack_id = free
[indexer_discovery]
[clustering]
cluster_label = ***
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32
What am I missing?
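The startup log quoted above fails on two separate conditions: the clustering key is empty or still the default, and its length is below pass4SymmKey_minLength (32 in the posted file). The following is an added example, not the poster's file or Splunk's own code, that reads a server.conf fragment with Python's configparser and applies those two checks before a restart is attempted. Both conf fragments are constructed; the precedence of [clustering] over [general] for the key, and "changeme" as the shipped default value, are assumptions made for the example, and the generated replacement key is produced locally with the secrets module.

```python
import configparser
import secrets

# Assumed here: the placeholder value a fresh install ships with.
DEFAULT_KEY = "changeme"

# Constructed server.conf fragment (not the poster's file) that trips both
# checks from the startup log: default key, and shorter than the minimum.
WEAK_CONF = """
[general]
serverName = manager-01
pass4SymmKey = changeme

[clustering]
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32
"""

# Same fragment with a 32-character key set in the clustering stanza.
# The key below is a constructed placeholder, not a real secret.
FIXED_CONF = """
[general]
serverName = manager-01
pass4SymmKey = changeme

[clustering]
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32
pass4SymmKey = Kx3vR8mQ2wZt7bNc5pYh1sLd9fGa4jHe
"""


def load_conf(text):
    # Splunk .conf files are ini-style; disable interpolation so '%' in a
    # value is not interpreted, and allow duplicate keys from merged files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def resolve_key(cp):
    """Key used for clustering: [clustering] if set, otherwise [general]
    (precedence assumed for this example; the log names both stanzas)."""
    key = cp.get("clustering", "pass4SymmKey", fallback=None)
    if key is None:
        key = cp.get("general", "pass4SymmKey", fallback="")
    return key.strip()


def check_pass4symmkey(text):
    """Return a list of findings; an empty list means both startup checks pass."""
    cp = load_conf(text)
    key = resolve_key(cp)
    min_len = cp.getint("clustering", "pass4SymmKey_minLength", fallback=0)
    findings = []
    if key == "":
        findings.append("pass4SymmKey is empty")
    elif key == DEFAULT_KEY:
        findings.append("pass4SymmKey is still the default value")
    if len(key) < min_len:
        findings.append(
            f"pass4SymmKey length {len(key)} is below pass4SymmKey_minLength={min_len}")
    return findings


def generate_key(min_length):
    """URL-safe random key; token_urlsafe(n) yields roughly 4n/3 characters,
    so the result is always at least min_length characters long."""
    return secrets.token_urlsafe(min_length)


if __name__ == "__main__":
    print("weak :", check_pass4symmkey(WEAK_CONF))
    print("fixed:", check_pass4symmkey(FIXED_CONF))
    print("new key (set identically on manager and every peer):", generate_key(32))
```

The key must be identical on the manager and every peer, so a generated value has to be distributed to all of them; checking the file on one node only confirms that node will start.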
Hi @mendi, ok, it's a different condition:
<your_search>
| eval key=if(Status="DONE",Reference,NewReference)
| fields Name Reference Status Date Creator NewReference Type
| stats
    dc(Status) AS Status_count
    count(Status) AS Status
    values(*) AS *
    BY key
| where Status_count=1 AND Status="DONE"
| table Name Reference Status Date Creator NewReference Type
Ciao. Giuseppe
Hi @Chiranjeev, what's the format of your logs? Is it the standard Windows one or a different one? I experienced many issues using a concentrator for Windows logs. If the format is different, you should reparse them. Ciao. Giuseppe
I have added a new SAML group and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources (indexes). Upon verifying in the users section of Splunk Cloud settings, I noticed that the specific users within that AD group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am worried about clicking on it.
Another easy way is to use the foreach command; below is the example:
| makeresults
| eval mv=mvappend("5", "15"), total = 0, count = 0
| foreach mode=multivalue mv [eval total = total + <<ITEM>>, count = count + 1]
I have added a new SAML group from our organisation's Azure AD and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources. Upon verifying in the users section of Splunk Cloud settings, I noticed that the specific users involved in that group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am hesitant to click on it.
"Approved", "Declined" etc are not series, they are values on the x-axis. You need to refactor your search to create series. If you need help doing that, please share your data source code.