All Posts

Sorry for the confusion. I tried with your query but am able to retrieve only the accountnumber, but channel, serial number, memory (from response) is not retrieving. Could you please check my updated query:
```
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| spath input=REQUEST output=serialNumber path=body.customer{}.serialNumber
| mvexpand serialNumber
| spath input=REQUEST output=Channel path=body.customer{}.Channel
| mvexpand Channel
| spath input=RESPONSE
| spath input=RESPONSE output=redemptionEquipmentMemory path=body.customer{}.redemptionEquipmentMemory
| mvexpand redemptionEquipmentMemory
| table accountNumber serialNumber Channel redemptionEquipmentMemory
```
Hello @sajo.sam, This error message we see when there is an incorrect controller information passed. You may check the access key by running this below command.
```
kubectl get secret cluster-agent-secret -n appdynamics -o jsonpath='{.data.controller-key}' | base64 --decode
```
Also please check the network connection. Run the following command to check the connection:
```
curl -v -k -u singularity-agent@dtvnprod:<access_key> https://dtvnprod.saas.appdynamics.com:443/sim/v2/agent/clusterRegistration
```
Hope this helps. Best Regards, Rajesh Ganapavarapu
Hello, I set up a dashboard with ABSOLUTE mode but want to change it to GRID mode. Is that possible?  I am asking because I created a bunch of tables (6) and only 3 of them are showing at the top. The ones at the bottom aren't. I think it has to do with a GRID line around the top 3 and the bottom 3 aren't in that grid line. I need to be able to show all 6 tables. Any help?
There could be several reasons for failure. Please verify whether your environment is utilizing a Docker runtime built on ContainerD or a similar platform. If your intended machine agent is v22.3.0, it only supports Docker runtime exclusively. Additionally, ensure that the user has access to /run/docker.sock. You can check this by running:
```
cat /run/docker.sock
```
In past instances, this issue occurred due to either no running containers or permission problems. You can diagnose this with the following command:
```
sudo curl -s -S -i --unix-socket /var/run/docker.sock http:/info
docker info
```
If you're utilizing the containerd runtime, consider upgrading to the latest version, such as 24.3.0 MA. I would recommend you to open a Support ticket for any further help as it involves a lot of debugging. Best Regards, Rajesh Ganapavarapu
Hi @ITWhisperer, the first time it's coming; when I am trying to refresh the same query I am not finding any values. Query which I am trying:
```
index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*"
    [search index="mulesoft" applicationName=" scheduler"
    | stats latest(correlationId) as correlationId
    | table correlationId
    | format]
| where content.currStatus!="Interface has no entry found in object Store"
| stats count by content.currStatus
```
If I use the query in a separate search it's showing the latest correlation values:
```
message="Upcoming Executions for Scheduler :*" environment=DEV
| stats latest(correlationId) as correlationId
| table correlationId
```
Why have you just ignored my suggestion and not included the rex line I suggested?
```
index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| table accountNumber
```
This query is not displaying any results for me; if I run it the results are blank.
OK but you already know how to extract these elements as you have shown this in your question
Please provide examples of what is working and what is not working otherwise just saying it is not working is not very helpful!
thanks for the response. But i need to extract only the accountNumber, channel,serialnumber from REQUEST and transactionReferenceNumber from RESPONSE and display in table format
Sorry, it's not working. Sometimes the values are coming but sometimes it's not showing any values.
Assuming your events all follow the same pattern i.e. REQUEST followed by RESPONSE followed by RETRYNO, you could extract them prior to using spath
```
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| spath input=RESPONSE
```
Hi @marco_massari11 , identify the three regexes and collect them using .* Ciao. Giuseppe
Hello @gcusello , you're right, in Splunk I have the following error "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I tried also to split the regex in two separated whitelist, but I think they are in AND, so it's not working. Have you some solution? Regards, Marco
is there any other way we can do it 
Have REQUEST and RESPONSE been already extracted successfully? Btw, your event isn't (completely) JSON; it does contain some JSON elements, but unless these have been extracted, you won't be able to use spath on them.
Apart from you, who else knows how frequently the correlation id changes?
Hi, all, I am looking for a way to chart the average cpu and memory per process for all the hosts in two indexes? The scenario that I have been working on is that I have a bunch of machines running roughly 4 or 5 java applications per host.... and I am looking for a way to make a time series chart with the average cpu and memory used by each java process in a dashboard... like
host 1
    site 1 average cpu chart and average memory chart
    site 2 average cpu chart and average memory chart
    site 3 average cpu chart and average memory chart
    site 4 average cpu chart and average memory chart
host 2
    site 1 average cpu chart and average memory chart
    site 2 average cpu chart and average memory chart
    site 3 average cpu chart and average memory chart
    site 4 average cpu chart and average memory chart
    site 5 average cpu chart and average memory chart
    site 6 average cpu chart and average memory chart
I tried to get the top processes via hosts, via this code
```
| mstats max("NIX.ps_metric.pctCPU") AS CPU, max("NIX.ps_metric.pctMEM") AS MEM
    WHERE ("index"="first_index" OR "index"="second_index") AND "host"="test_host"
    span=5m BY host ARGS COMMAND
| top limit=20 COMMAND BY CPU MEM host
| chart values(CPU) as CPU, values(MEM) as MEM over COMMAND BY host
```
but all I get is the top processes like by run command and not the actual processes, they seem to be grouped under the java process....
    java   CPU, MEMORY
    crond  cpu, memory
    bash   cpu, memory
Is there a way to split the monitoring to get something useable? Ideally, I would like to alert when a particular site is being over worked, like CPU > 85%... Ta, Lane
You may want to have a look at this blog first and further explore Splunk's Dashboard Studio, this is built into Splunk and differs from the classic and will help with making them more appealing: https://www.splunk.com/en_us/blog/platform/dashboards-ga-introducing-splunk-dashboard-studio.html
Hi @MichaelBs, I’m a Community Moderator in the Splunk Community. This question was posted 7 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!