All Posts

I owe you a lot of beers!
URLs with spaces in them must be encoded.  Use the urlencode command available with the Webtools Add-on (https://splunkbase.splunk.com/app/4146).
The regular expression in the rex command has some misplaced escape characters that are preventing matches. Try this query:

index=xxxxx "User ID" | rex field=_raw "User\sID-(?<username>\w+)" | stats count by username
Description

How can I produce a URL in an alert email that uses field values, either by in-line results or in the body of the email? When an alert is triggered, an email is sent with the field dashboard_url. For projects with no spaces in the name, the URL is clickable. If there is a space, the URL contains only the part up to the space and is broken.

Sample query

| makeresults format=json data="[{\"project\":\"projectA - Team A\"},{\"project\":\"projectB\"}]" | eval dashboard_url="https://internal.com:8000/en-US/app/search/dash?form.q_project=".project.""

Result:

https://internal.com:8000/en-US/app/search/dash?form.q_project=projectA - Team A

Workarounds attempted

I tried building the dashboard_url in the email body using results.project. The same condition occurs: projects with spaces get a broken link.
I have a simple search index=xxxxx "User ID" and I need the correct syntax to get the actual username in the results.

Sample Event

INFO xcvxcvxcvxcvxcvxcvxcvxcvxcvxcvvcx - Logged User ID-XXXXXX

Now I can easily do a count of how many people logged on, but I need to report on the XXXXXX. I thought about doing

index=xxxxx 'User ID" | rex field=_raw "User\/s\ID\/-\(?<username>\d+)" | stats count by username

The search is returning the results and just a count, but I need to see the username in my stats. I am new to this, so please mind the ignorance.
At a high level:

Think about what data you want from your website (OS logs, application logs, security logs, etc.) and identify them. For those logs you want, is there a Splunk TA? Search on Splunkbase. (This will help with the data integration and parse the data.) Install a Universal Forwarder onto the web hosting servers and monitor the logs; other methods are API and Splunk HEC. You may even have to use a Heavy Forwarder to collect the logs. This depends on the logs/data you want and your Splunk architecture.
Hi Anand, Can you please give us a little bit of detail about your environment? How many controllers are you using in your environment? Is it HA or a single environment? Thanks, Cansel
How do I integrate my website hosted on AWS (EC2) with Splunk?
Hi Raja, Do you have regular load on your application? Although this is a very common situation and the cause is mainly associated with the non-arrival of the load of the captured ITs, many different issues can cause this situation. If you wish, we can come together for a short session to find the root cause. Thanks, Cansel
Genius! Works perfectly!
Hi Surya, You can do it and much more with Dexter: https://developer.cisco.com/codeexchange/github/repo/Appdynamics/AppDynamics.DEXTER/ Thanks, Cansel
Hi Pooja, Yes, you can do it with several methods. Can you access/edit the master page of your solution? Thanks, Cansel
| eval fidelity=if(source="source 1", 1, 2) | eventstats min(fidelity) as best by device | where fidelity == best
It states:

ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory

Try running sudo ldconfig. Running ldconfig after installing or removing shared libraries ensures that the system's dynamic linker can find and load the libraries correctly. If that doesn't work, check your permissions and check what changes, if any, were made on the Splunk server running the TA; that may help. If all that fails, then a support call may be your option.
This should produce an equivalent token value:

<input token="name" type="multiselect">
  <label>Name</label>
  <choice value="*">ALL</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>name IN ("</valuePrefix>
  <valueSuffix>")</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>name</fieldForLabel>
  <fieldForValue>val</fieldForValue>
  <search>
    <query>index=my_index | dedup name | sort name | eval val = name+"\",\""+name+".*"</query>
  </search>
</input>

This will produce token values like:

(name IN ("VALUE1","VALUE1.*") OR name IN ("VALUE2","VALUE2.*") ...)

Which are equivalent to

(name="VALUE1" OR name="VALUE1.*" OR name="VALUE2" OR name="VALUE2.*" ... )

EDIT: Now that I think about it, you can make exactly that token value by doing this:

<input token="name" type="multiselect">
  <label>Name</label>
  <choice value="*">ALL</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix></valuePrefix>
  <valueSuffix></valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>name</fieldForLabel>
  <fieldForValue>val</fieldForValue>
  <search>
    <query>index=my_index | dedup name | sort name | eval val = "name=\""+name+"\" OR name=\""+name+".*\""</query>
  </search>
</input>
Hi Steve, Are you sure about your controller version? I have been using this platform since 2012 but have never heard of the version (4.10.x) that you mention in your previous post. Controller versions before "Calendar Versioning" were 4.2.x, 4.3.x, 4.4.x and 4.5.x, then with Calendar Versioning 20.x (since 2020). So can you please share your exact controller version (a screenshot may be more helpful)? And also which version and framework of your core APM agent is currently facing the issue. Thanks, Cansel
In Splunk, the webhook Alert action accepts a single endpoint value to which to send the webhook. If you create an alert, then you can view it in Settings -> "Searches, Reports, and Alerts", click the "Edit" dropdown, then click "Advanced Edit", then scroll down to the fields of "action.webhook". Here you can specify more settings for your webhook.

As for sending a webhook for Akamai, do you have documentation describing what the webhook should look like? If I understand correctly, you would like Splunk to have an alert which sends a webhook to Akamai that contains an IP, from a field in the alert.
If you are using dashboard studio, then you should see a "Default value" field appear on the Configuration column when the text input (text filter) box is highlighted in edit mode.
Hi Maniish, What kind of issue are you facing? Can you please give a little more detail about your issue? Thanks, Cansel
You would have to tell Splunk how to split the events. You can do this by setting the LINE_BREAKER field in a props.conf file in an app on your indexers. If you could post a sample of your event (with sensitive data removed) and a rough description of your Splunk setup (single machine or distributed?), then it would be easier to give you more specific pointers.