All Posts
You can't. Even with output_format=hec you can specify some metadata fields like source or sourcetype (which can affect your license usage) but the destination index has to be provided explicitly with the collect command invocation.
I found the solution. For those who encounter the same problem: you need to restart the IIS application to reload the CLR, not only the service.
Hi @ejwade, I'm with @bowesmana on this - I don't think it's possible to run | collect with multiple index locations. You could do this instead:
| makeresults count=2
| streamstats count
| eval index = case(count=1, "myindex1", count=2, "myindex2")
| appendpipe [| search index="myindex1" | collect index=myindex1]
| appendpipe [| search index="myindex2" | collect index=myindex2]
You will need an appendpipe command for each index you want to export to, but you should know the destination indexes in advance anyway.
I have a log and I am able to fetch all the codes which are of the same format, but I am not able to fetch logs for one error code:
{"stream":"stderr","logtag":"P","log":"10/May/2024:09:31:53 +1000 [dgbttrfr] [correlationId=] [subject=], ERROR au.com.jbjcbdj.o.fefewgr.logging.LoggingUtil - severity = \"ERROR\", DateTimestamp = \"09/May/2024 23:31:53\", errorCode = \"PAY_STAT_ERR_0017\", errorMessage = \"Not able to fetch error\","hostname":"ip-101-156-185.ap-southeast-2.internal","host_ip":"10.56","cluster":"nod/pmn08"}
I tried fetching using this:
|rex field=log "errorCode\s=\s*(?<errorCode>[^,\s]+)"
and as a key-value pair:
|rex field=log "errorCode\s=\s*(?<errorCode>[^,\s]+)"
But I am not able to fetch the values, whereas I am able to fetch all other codes except this one. Can anyone help? Thanks in advance.
Isn't this a duplicate of a question answered a week back? https://community.splunk.com/t5/Splunk-Cloud-Platform/Single-card-value-background-color-change/m-p/685989#M3011
Hi @PATAN, With Dashboard Studio, you can either dynamically color the text OR the background - as far as I know, you can't do both. You could achieve this effect a couple of ways though - create two visualisation panels, one for Dropped and one for NotDropped, and make them show/hide depending on the value of the token.
Another option (if you are using Absolute mode) is to put a square behind the single value box which colors itself based on the token, and the single value changes the text color based on the token (with a transparent background). Here's some example code:
{
  "visualizations": {
    "viz_UVeH0JP5": {
      "type": "splunk.singlevalue",
      "dataSources": { "primary": "ds_VyZ1EWbM" },
      "options": {
        "majorColor": "> majorValue | matchValue(majorColorEditorConfig)",
        "backgroundColor": "transparent"
      },
      "context": {
        "majorColorEditorConfig": [ { "match": "NotDropped", "value": "#2f8811" } ]
      }
    },
    "viz_eKO2ikid": {
      "type": "splunk.rectangle",
      "options": {
        "fillColor": "> fillDataValue | rangeValue(fillColorEditorConfig)",
        "rx": 10,
        "strokeColor": "> strokeDataValue | matchValue(strokeColorEditorConfig)"
      },
      "context": {
        "fillColorEditorConfig": [
          { "value": "#171d21", "to": 100 },
          { "value": "#088F44", "from": 100 }
        ],
        "fillDataValue": "> primary | seriesByType(\"number\") | lastPoint()",
        "strokeDataValue": "> primary | seriesByType(\"number\") | lastPoint()",
        "strokeColorEditorConfig": [
          { "match": "Dropped", "value": "#D41F1F" },
          { "match": "NotDropped", "value": "#d97a0d" }
        ]
      },
      "dataSources": { "primary": "ds_dSLmtNBD" }
    }
  },
  "dataSources": {
    "ds_VyZ1EWbM": {
      "type": "ds.search",
      "options": { "query": "| makeresults\n| eval value=\"$status$\"\n| table value" },
      "name": "dummy_search"
    },
    "ds_dSLmtNBD": {
      "type": "ds.search",
      "options": { "query": "| makeresults\n| eval value=if(\"$status$\"=\"Dropped\",100,0)\n| table value" },
      "name": "background"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
      "title": "Global Time Range"
    },
    "input_I2IoVEpX": {
      "options": {
        "items": [
          { "label": "Dropped", "value": "Dropped" },
          { "label": "Not Dropped", "value": "NotDropped" }
        ],
        "token": "status",
        "selectFirstSearchResult": true
      },
      "title": "Dropdown Input Title",
      "type": "input.dropdown"
    }
  },
  "layout": {
    "type": "absolute",
    "options": { "width": 1440, "height": 960, "display": "auto" },
    "structure": [
      { "item": "viz_eKO2ikid", "type": "block", "position": { "x": 610, "y": 180, "w": 250, "h": 130 } },
      { "item": "input_I2IoVEpX", "type": "input", "position": { "x": 630, "y": 70, "w": 198, "h": 82 } },
      { "item": "viz_UVeH0JP5", "type": "block", "position": { "x": 610, "y": 180, "w": 250, "h": 130 } }
    ],
    "globalInputs": [ "input_global_trp" ]
  },
  "description": "",
  "title": "colors"
}
Hi, I am new to AppD. I want to use Method Invocation Data Collectors to collect data for a specific method and show System.Net.Sockets.Socket:DoConnect in my business transaction snapshot. Here is the configuration: Here is the result: I got nothing in the data collector tab. Why? Did I set something wrong? Thanks!
I don't believe it is possible to do - you can in theory do this:
index=_audit
| head 1
| eval message="hello"
| table user action message
| collect testmode=f [ | makeresults | fields - _time | eval index="main" | format "" "" "" "" "" "" ]
but the subsearch would need to know which index to select, and it is run before the outer search, so you can't do what you are trying to do.
@Miguel3393 actually, if you change that line to
| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, null())
i.e. replace the final 0 with null(), then you will not get all the extra columns for other Codigo_error values.
OK, if you want to add in more error code use cases, then change this line
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
to
| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, 0)
and add as many as needed.
Thank you very much for the detailed reply, that gives me enough to action now. I appreciate the contributions to the community in this way.
If I wanted to add another error, for example Codigo_error="11", what would I have to do?
Yes, you can, because the second search using the base is simply to create the single row result, which you can then turn into a token, e.g.
<search id="base">
  <query> bla </query>
</search>
<table depends="$hidden$">
  <search base="base">
    <query>
      | stats values(device_ip_address) as device_ip_address
      | eval device_ip_address=mvjoin(device_ip_address, ",")
    </query>
  </search>
  <done>
    <set token="mytoken">$result.device_ip_address$</set>
  </done>
</table>
and then your other search can use $mytoken$ as needed - use the eval in the second search to make the format of the device_ip_address values what you need it to be for the other search.
If I wanted to add another error, for example Codigo_error="10001", what would I have to do?
Hello! I'm looking to set the index parameter of the collect command with the value of a field from each event. Here's an example.
| makeresults count=2
| streamstats count
| eval index = case(count=1, "myindex1", count=2, "myindex2")
| collect index=index testmode=true
This search creates two events. Both events have the index field, one with "myindex1" as the value, and the other with "myindex2". I would like to use these values to set the index in the collect command.
Sorry, I misunderstood, it works correctly.
If error and exception, then it should be error; the rest of them are success. But using the below query to get the status, I still got both success and error for some of the transaction IDs.
| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*", "ERROR", priority="WARN", "WARN", priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*", "SUCCESS")
| stats values(Status) as Status by transactionId
@alfredoh14, here's some SPL that gives you a table with the app name, short name, and SQL:
| makeresults count=3
| streamstats count as id
| eval sql=case(id=1,"'' as \"FIELD\",''Missing Value'' AS \"ERROR\" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK", id=2,"'' as \"something \",''Missing Value'' AS \"ERROR\" from ART_owner.ART_LOAD_CLOB_DATA_WORK", id=3, "from Building_Mailer_owner.Building_Mailer_")
| fields sql
``` The above was just to create the source data ```
| rex field="sql" "from\s+(?<lk_wlc_app_short>.+?)_owner"
| lookup lookup_weblogic_app lk_wlc_app_short
| table lk_wlc_app_short, lk_wlc_app_name, sql
The regular expression pulls out the table name in the SQL, e.g. "from XXXX_owner", and uses the short code to match the app name from the lookup. To make the lookup work, you will need to ensure that the matches are NOT case sensitive, or make sure your lookup fields match what is in the SQL.
I understand. I managed to make a little progress using the strategy of pulling through triggered alerts. My research is as follows: