All Posts

Hi @ITWhisperer, the first time it's coming; when I am trying to refresh the same query I am not finding any values. Query which I am trying:
index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" [search index="mulesoft" applicationName=" scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where content.currStatus!="Interface has no entry found in object Store"|stats count by content.currStatus
If I use the query in a separate search it's showing the latest correlation values:
message="Upcoming Executions for Scheduler :*" environment=DEV | stats latest(correlationId) as correlationId | table correlationId
Why have you just ignored my suggestion and not included the rex line I suggested?
index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem" |spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber |mvexpand accountNumber |table accountNumber
This query is not displaying any results for me; if I run it the results are blank.
OK but you already know how to extract these elements as you have shown this in your question
Please provide examples of what is working and what is not working otherwise just saying it is not working is not very helpful!
Thanks for the response. But I need to extract only the accountNumber, channel, serialnumber from REQUEST and transactionReferenceNumber from RESPONSE and display them in table format.
Sorry, it's not working. Sometimes the values are coming but sometimes it's not showing any values.
Assuming your events all follow the same pattern i.e. REQUEST followed by RESPONSE followed by RETRYNO, you could extract them prior to using spath | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST | spath input=RESPONSE
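The extraction suggested in the post above, replayed outside Splunk as an added example (not code from the thread): the anchored pattern is the one from the rex, written with Python's `(?P<name>...)` group syntax, and the JSON path lookups stand in for spath. The event and every value in it are constructed, and the function names are hypothetical.

```python
import json
import re

# Constructed sample event in the same key="value" layout as the post; all values are made up.
EVENT = (
    'REQUEST="{"body":{"customer":{"accountNumber":"ACC0001","lineNumber":"5550001"},'
    '"equipment":{"serialNumber":"SN0001","grade":"A"}},'
    '"headers":{"Channel":"6","Locale":"en-US"}}", '
    'RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"TRN0001"},'
    '"code":200},"headers":{"server":"example"}}", '
    'RETRYNO="0", OPERATION="/FPC/Redemption/Redeem", METHOD="POST"'
)

# Same pattern as the rex in the post, using Python's (?P<name>...) group syntax.
ANCHORED = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')

def naive_request(event):
    """Quote-delimited capture: stops at the first quote inside the JSON."""
    m = re.search(r'REQUEST="([^"]*)"', event)
    return m.group(1) if m else None

def dig(obj, path):
    """Walk a dotted path such as body.customer.accountNumber (objects only)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def extract(event):
    """Anchored capture of both blobs, then JSON path lookups (the spath step)."""
    m = ANCHORED.search(event)
    if m is None:
        return None  # event does not follow the REQUEST, RESPONSE, RETRYNO order
    try:
        req, resp = json.loads(m.group("REQUEST")), json.loads(m.group("RESPONSE"))
    except json.JSONDecodeError:
        return None
    return {
        "accountNumber": dig(req, "body.customer.accountNumber"),
        "channel": dig(req, "headers.Channel"),
        "serialNumber": dig(req, "body.equipment.serialNumber"),
        "transactionReferenceNumber": dig(resp, "body.model.transactionReferenceNumber"),
    }

if __name__ == "__main__":
    print(repr(naive_request(EVENT)))
    print(extract(EVENT))
```

Note that `customer` is a JSON object rather than an array, so the lookup path here is `body.customer.accountNumber` with no `{}` step.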
Hi @marco_massari11, identify the three regexes and collect them using .* Ciao. Giuseppe
Hello @gcusello, you're right, in Splunk I have the following error: "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I also tried to split the regex into two separate whitelists, but I think they are in AND, so it's not working. Do you have a solution? Regards, Marco
Is there any other way we can do it?
Have REQUEST and RESPONSE been already extracted successfully? Btw, your event isn't (completely) JSON; it does contain some JSON elements, but unless these have been extracted, you won't be able to use spath on them.
Apart from you, who else knows how frequently the correlation id changes?
Hi, all,
I am looking for a way to chart the average cpu and memory per process for all the hosts in two indexes. The scenario that I have been working on is that I have a bunch of machines running roughly 4 or 5 java applications per host, and I am looking for a way to make a time series chart with the average cpu and memory used by each java process in a dashboard, like:
host 1
  site 1 average cpu chart and average memory chart
  site 2 average cpu chart and average memory chart
  site 3 average cpu chart and average memory chart
  site 4 average cpu chart and average memory chart
host 2
  site 1 average cpu chart and average memory chart
  site 2 average cpu chart and average memory chart
  site 3 average cpu chart and average memory chart
  site 4 average cpu chart and average memory chart
  site 5 average cpu chart and average memory chart
  site 6 average cpu chart and average memory chart
I tried to get the top processes via hosts, via this code:
```
| mstats max("NIX.ps_metric.pctCPU") AS CPU,max("NIX.ps_metric.pctMEM") AS MEM WHERE ("index"="first_index" OR "index"="second_index") AND "host"="test_host" span=5m BY host ARGS COMMAND
| top limit=20 COMMAND BY CPU MEM host
| chart values(CPU) as CPU, values(MEM) as MEM over COMMAND BY host
```
but all I get is the top processes by run command and not the actual processes; they seem to be grouped under the java process:
java   CPU, MEMORY
crond  cpu, memory
bash   cpu, memory
Is there a way to split the monitoring to get something usable? Ideally, I would like to alert when a particular site is being overworked, like CPU > 85%.
Ta, Lane
You may want to have a look at this blog first and further explore Splunk's Dashboard Studio; this is built into Splunk and differs from the classic dashboards, and will help with making them more appealing: https://www.splunk.com/en_us/blog/platform/dashboards-ga-introducing-splunk-dashboard-studio.html
Hi @MichaelBs, I’m a Community Moderator in the Splunk Community. This question was posted 7 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi Splunk Developers, we are currently investigating whether we can improve the UI and UX of our Splunk classic dashboards. Therefore we are looking for UI/UX frameworks or tools that we could integrate in Splunk. Unfortunately we are struggling to include anything other than simple JavaScript, HTML and CSS. What we are trying to include: lit (https://lit.dev), but Splunk completely ignores custom created HTML tags. They simply don't appear in the dashboard, even though Splunk doesn't mark them as "red"/wrong. Question: Do any of you use any other UI/UX frameworks or tools for your Splunk dashboards to make them more "state of the art", "responsive" and "appealing" to improve the User Experience? If yes, what are you using? + Were you able to make use of lit.dev?
Hello there, I have a problem with one of our Splunk installations on Windows. The server certificate is expired and I'm unable to renew it. I've tried renaming C:\Program Files\Splunk\etc\auth\server.pem and restarting Splunk, which ends with that:
The certificate generation script did not generate the expected certificate file:C:\Program Files\Splunk\etc\auth\server.pem. Splunkd port communication will not work. SSL certificate generation failed.
And I also tried this command:
C:\Program Files\Splunk\bin>splunk createssl server-cert -d "C:\Program Files\Splunk\etc\auth" -n server -c *servername*
Which also fails with this:
CreateProcess: error 193
Command failed (ret=-1), exiting.
Does anyone know how to fix this? Thanks in advance. Best regards, Alex
Hi All, I have the below json format. REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200754043","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Apple","redemptionEquipmentModel":"iPhone 14 Pro Max 128GB Deep Purple","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899F8C6DFC23D16712EBB4CB423C132BEE67F4F3CB94A24AC7D3196B970C175CF4E9;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=mMXe9betSnmAGjb6EkS6d8pCNGYAAAAAQUIPAAAAAACzpzJ8pi0eFle6ni7emEj9; expires=Fri, 02 May 2025 07:32:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=pTYgM3uDpkZMpK2uILjsZwAAAABT3d67R/8WtJ556QqTUFQd; path=/; Domain=.likewize.com","incap_ses_677_968152=NKgET8f8eCtwLRsU8y9lCcpCNGYAAAAAghYI7GnE7TXEfi+SGl0EKw==; path=/; Domain=.likewize.com"],"content-length":"354","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", OPERATION="/FPC/Redemption/Redeem", METHOD="POST", 
CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714700999019", ENDTIME="1714701003106", RESPONSETIME="4087", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-03 01:50:03", USERNAME="BMashiana@FreedomMobile.ca", SESSIONID="_dd9ad114-bb2b-4c7f-a7aa-cfc3b929f674", ACTIONID="6e9c5f97-27bc-42fb-b1d3-61a701e4a708", TRACKID="3618c3e3-9bd1-4acc-af6a-f71f31b9092c"
How do I retrieve the account number, channel code, serialNumber from REQUEST and transactionReferenceNumber from RESPONSE using a Splunk query? I have tried using spath and it's not working out for me and displays a blank result. Please help asap.
index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem" |spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber |mvexpand accountNumber |table accountNumber
Hi @marco_massari11, at first sight the regex isn't correct; what happens if you try to use it in search using the regex command? Ciao. Giuseppe