All Posts

I have used it in some cases. I need to check how I have configured it when back on my laptop.
Hi @LizAndy123, Following @gcusello's understanding, I added a bit more context to the results.

| rex field=_raw "User-(?<User>\w+)\s+assigned\s+Role-(?<Operation_Type>.+?)\s(?<Where>.+?)\sto\s(?<ToUser>.+?)$"

In this case, I'm supposing that you can tell the stakeholders the following: User = the person who executed the operation; Operation_Type = what operation was done; Where = the asset that was changed in this operation; ToUser = the user who received the permission.
Hi @splunk6, The mvexpand should work but if not as you mentioned, maybe the rex command could fix that to you. To get all the matches of Channel:    | makeresults | eval request="REQUEST=\"{... See more...
Hi @splunk6, The mvexpand should work but if not as you mentioned, maybe the rex command could fix that to you. To get all the matches of Channel:    | makeresults | eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\"," | rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""   To get only one result for the channel (the first one) by search:   | makeresults | eval 
request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\"," | rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""       Note: It's import to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST with or without max_match=0. I hope it helps you. Happy splunking!
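The same extraction as the rex/spath discussion in this thread, written as an added Python example (not code from the thread or from Splunk): it splits a constructed transaction-log event into its REQUEST and RESPONSE blobs with the thread's own regex, parses the JSON, and reads Channel from where the sample actually keeps it (the top-level headers object, which sits beside body rather than inside it). It also mirrors the max_match=0 behaviour by returning every Channel value when two REQUEST blobs are present, and masks the Authorization header, since the sample shows that the logged request carries a Basic credential. The sample event is constructed here; the RESPONSE values and the Authorization placeholder are invented and the field layout is assumed from the JSON quoted in the thread.

```python
import json
import re

# Constructed sample event in the shape quoted in the thread. accountNumber,
# lineNumber, serialNumber and Channel reuse the thread's values; the RESPONSE
# values are invented and the Authorization value is a placeholder, not a credential.
SAMPLE_EVENT = (
    'OPERATION="/FPC/Redemption/Redeem", '
    'REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},'
    '"equipment":{"serialNumber":"351643935649535","grade":"A"}},'
    '"headers":{"content-type":"application/json;charset=UTF-8","Channel":"6",'
    '"TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E",'
    '"Authorization":"Basic PLACEHOLDER_BASE64_CREDENTIAL"}}", '
    'RESPONSE="{"body":{"model":{"redemptionEquipmentMemory":"128GB",'
    '"transactionReferenceNumber":"TRX-0001"}}}", '
    'RETRYNO=0'
)

# Same pattern as the thread's rex, in Python named-group syntax. The REQUEST value
# contains unescaped quotes, so a plain key=value extraction cannot isolate it.
EVENT_RE = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')

# Counterpart of the thread's `rex max_match=0 ... "Channel"` pattern.
CHANNEL_RE = re.compile(r'"Channel":"(?P<Channel>[^"]+)"')


def split_event(event):
    """Return (REQUEST, RESPONSE) raw JSON strings, or None if the event has no such pair."""
    m = EVENT_RE.search(event)
    if not m:
        return None
    return m.group("REQUEST"), m.group("RESPONSE")


def extract_fields(event):
    """Parse both blobs and pull the fields the thread's table wants."""
    parts = split_event(event)
    if parts is None:
        return None
    request, response = parts
    req = json.loads(request)
    resp = json.loads(response)
    return {
        # customer and equipment are objects, not arrays, so no {} step is needed.
        "accountNumber": req["body"]["customer"]["accountNumber"],
        "serialNumber": req["body"]["equipment"]["serialNumber"],
        # headers is a sibling of body at the top level of the request, so the
        # spath-style path is headers.Channel, not body.headers.Channel.
        "Channel": req["headers"]["Channel"],
        "redemptionEquipmentMemory": resp["body"]["model"]["redemptionEquipmentMemory"],
        "transactionReferenceNumber": resp["body"]["model"]["transactionReferenceNumber"],
    }


def channels_max_match(request_field):
    """Every Channel value in the raw field, like rex max_match=0 (first-only is [0])."""
    return CHANNEL_RE.findall(request_field)


def redact_authorization(request_field):
    """Mask the Authorization header value before the raw request is stored or shared."""
    return re.sub(r'("Authorization":")[^"]*(")', r'\1<redacted>\2', request_field)


if __name__ == "__main__":
    request, _ = split_event(SAMPLE_EVENT)
    # Two REQUEST blobs in one field, as in the thread's makeresults test, with
    # Channel 6 in the first and 7 in the second.
    two_requests = request + '",REQUEST="' + request.replace('"Channel":"6"', '"Channel":"7"')
    print(extract_fields(SAMPLE_EVENT))
    print(channels_max_match(two_requests))
    print(redact_authorization(request))
```

The parsed route (json.loads, then a key path) is the reliable one once the blob is isolated; the regex route is what the thread uses when spath paths are uncertain, and it is also where max_match=0 matters, because a field that holds two REQUEST blobs yields two Channel values.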
Thanks @hrawat. The logs are as expected then:

05-03-2024 17:46:52.999 +0000 WARN AutoLoadBalancedConnectionStrategy [24761 TcpOutEloop] - Current dest host connection 1.2.3.4:5678, oneTimeClient=0, _events.size()=993, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0, _lastHBRecvTime=Fri May 3 17:46:48 2024 is using 475826 bytes. Total tcpout queue size is 512000. Warningcount=2001
I guess no one else is doing this? Thanks and God bless, Genesius
I tried the script below in my Windows test VM and restarted Splunk. The hostname still shows as the short name in the Splunk GUI. The search logs show the FQDN, though. On the deployment server, in the forwarder management client view, how is the hostname column populated? Or where is the hostname column populated from? I need the hostname in the forwarder management client view to show the FQDN of the Windows endpoints.
@Albert_Cyber, Kind of. We are in the process of creating custom apps for these use cases and adaptive response actions. The only problem is that it really is a pain to create a whole app just to make some very simple API calls and run basic commands like dig against a specified variable. We are following the guidance from these docs (Create an AR action | Documentation | Splunk Developer Program), as there isn't much out there on it, and I'm more of a bash scripter than a Python programmer, so it is a very slow process for us.
Hello @richgalloway, do you have any possible solution?
Sorry for the late response on this, but this is exactly what we did: we created a user and a role (exec_view) separate from the others, assigned that role read-only permissions, and assigned it to specific users. Thanks for the information!
This exact scenario just happened in our environment as well, and it turned out a savedsearch with the same name was under a different user. Thank you for providing this old but still applicable post!
I would like to display the Name of a drop-down option in the label of a panel. The token for the drop-down filter is $value$. How would I display the Name, such as MY VALUE 1, MY VALUE 2, etc., as a token? I tried label.$value$ and that did not work for me.
Hi @Mandar.Kadam, I see you also created a Support ticket. Can you share the solution from Support here as a reply? This will help others with the same problem in the future.
REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",

Below is my Splunk query:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST |spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber |mvexpand accountNumber |spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber |mvexpand serialNumber |spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel |mvexpand Channel |spath input=RESPONSE |spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory |mvexpand redemptionEquipmentMemory |spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber |mvexpand transactionReferenceNumber |table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside body->headers->channel. How do I retrieve the second element from the request input? Please, someone reply, as it is very urgent to complete my work.
Hi,

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST |spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber |mvexpand accountNumber |spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber |mvexpand serialNumber |spath input=REQUEST output=Channel path=body{}.headers{}.Channel |mvexpand Channel |spath input=RESPONSE |spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory |mvexpand redemptionEquipmentMemory |spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber |mvexpand transactionReferenceNumber |table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

With this query I was able to retrieve the following as you suggested, but the channel alone is missing. It's inside "body" -> "headers" -> "Channel". Could you please let me know how to retrieve the path for that alone, so that it would be helpful for me to complete my work? Thanks in advance.
1. Check your admin permissions, etc. 2. Could it be AV blocking the action/command?
The whitelist value must be a list of event IDs or one or more key=regex expressions.  The current value is just a regular expression, which is not supported.
Sorry for the confusion. I tried with your query but I am able to retrieve only the accountNumber; channel, serial number and memory (from the response) are not retrieving. Could you please check my updated query?

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST |spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber |mvexpand accountNumber |spath input=REQUEST output=serialNumber path=body.customer{}.serialNumber |mvexpand serialNumber |spath input=REQUEST output=Channel path=body.customer{}.Channel |mvexpand Channel |spath input=RESPONSE |spath input=RESPONSE output=redemptionEquipmentMemory path=body.customer{}.redemptionEquipmentMemory |mvexpand redemptionEquipmentMemory |table accountNumber serialNumber Channel redemptionEquipmentMemory
Hello @sajo.sam, We see this error message when incorrect controller information is passed. You may check the access key by running the command below:

kubectl get secret cluster-agent-secret -n appdynamics -o jsonpath='{.data.controller-key}' | base64 --decode

Also please check the network connection. Run the following command to check the connection:

curl -v -k -u singularity-agent@dtvnprod:<access_key> https://dtvnprod.saas.appdynamics.com:443/sim/v2/agent/clusterRegistration

Hope this helps. Best Regards, Rajesh Ganapavarapu
Hello, I set up a dashboard in ABSOLUTE mode but want to change it to GRID mode. Is that possible? I am asking because I created a bunch of tables (6) and only 3 of them are showing at the top. The ones at the bottom aren't. I think it has to do with a GRID line around the top 3, and the bottom 3 aren't in that grid line. I need to be able to show all 6 tables. Any help?
There could be several reasons for failure. Please verify whether your environment is utilizing a Docker runtime built on ContainerD or a similar platform. If your intended machine agent is v22.3.0, it supports the Docker runtime exclusively. Additionally, ensure that the user has access to /run/docker.sock. You can check this by running:

cat /run/docker.sock

In past instances, this issue occurred due to either no running containers or permission problems. You can diagnose this with the following commands:

sudo curl -s -S -i --unix-socket /var/run/docker.sock http:/info
docker info

If you're utilizing the containerd runtime, consider upgrading to the latest version, such as 24.3.0 MA. I would recommend opening a Support ticket for any further help, as it involves a lot of debugging. Best Regards, Rajesh Ganapavarapu