All Posts

Dear Splunk, I have a use case to send some notification/warning alert to those users who meet some criteria in a search. How can I send the alert only to the members (identified in the search) in the BCC list, as the alert configuration has a mandatory TO list (for at least one member), which is not required in the use case? Simply, I want to set up an alert only with BCC'd users, not anyone in the "to" list.
Hi All, how to write a query in Splunk to take two same days in a week only if the difference between the start day and end day is not more than 24 hours? For example, the two days can be Tuesday, but the query should check that the difference between the two Tuesdays is less than 24 hours, which means the end day hours and the starting day hours fall in the same Tuesday.
As a workaround I now used CSS to hide the "View on Mobile" button: .view-mobile { display: none !important; }
Messages shows the below: "Search head cluster member A is having problems pulling configurations from the search head cluster captain B. Changes from the other members are not replicating to this member, and changes on this member are not replicating to other members. Consider performing a destructive configuration resync on this search head cluster member." Any idea regarding the resync commands?
It's the other way around - you might need table if you didn't have stats. If you do stats, it produces a results table from your summarized events. And yes, join will probably be the way to go. As you seem to have different sets of fields, you simply extract them _before_ doing stats values(interesting_field1) as interesting_field1 values(interesting_field2) as interesting_field2 [...] by common_field
Thanks a ton for your prompt response
Hi @SampathkumarK, in addition to the other hints: at the bottom of the ServerClass form you have the preview of clients in the serverclass, so you can immediately check if the whitelist is working correctly. Then you can go into the clients form and see the serverclasses enabled for those clients. Ciao. Giuseppe
I have added more info about the data in the main comment. Is stats the right Splunk command to use even if I need a table as result?
I have added more info about the data in the main comment
Hi @Ram2, in this case (having only two hosts), please try this:

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>TimeRange</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="host">
      <label>Server</label>
      <choice value="*">All</choice>
      <choice value="host1">host1</choice>
      <choice value="host2">host2</choice>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Incoming Count &amp; Total Count</title>
        <search>
          <query><![CDATA[
index=app-index source=application.logs $host$
  ( "Initial message received with below details"
    OR "Letter published correctley to ATM subject"
    OR "Letter published correctley to DMM subject"
    OR "Letter rejected due to: DOUBLE_KEY"
    OR "Letter rejected due to: UNVALID_LOG"
    OR "Letter rejected due to: UNVALID_DATA_APP" )
| rex field=_raw "application :\s(?<Application>\w+)"
| rex field=_raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over Application by Msgs
| rename "Initial message received with below details" AS Income,
         "Letter published correctley to ATM subject" AS ATM,
         "Letter published correctley to DMM subject" AS DMM,
         "Letter rejected due to: DOUBLE_KEY" AS Reject,
         "Letter rejected due to: UNVALID_LOG" AS Rej_log,
         "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app
| table Income Rej_app ATM DMM Reject Rej_log
          ]]></query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentageRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao. Giuseppe
Thanks for the response @yuanliu. May I know what this block is doing? | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g" I don't see lines starting with startswith, but I see correct lines ending with endswith. When I run this command separately: |inputlookup messages.csv | fields Messages | rename Messages as search | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g" I see a column with name search and value (""field1""). Do we need to have field1 inside parentheses and two double quotes?
Hi @apomona, with my search you have the list of servers where the EventCode 4776 isn't present in the last two minutes. The other time is required to have (if present) the last occurrence of the event:

index="ad_windows" EventCode=4776 earliest=-60m@m
| eval period=if(_time>now()-120,"Last","Previous")
| stats count(eval(period="Last")) AS count latest(_time) AS _time BY host
| append [ | inputlookup DomainController.csv | eval count=0 | fields host count ]
| stats sum(count) AS total latest(_time) AS _time BY host
| where total=0
| eval _time=if(isnull(_time),"No events in the period",_time)
| table host _time

Ciao. Giuseppe
Thank you, found the authentication.conf with LDAP Configuration on our indexers
At a high level: You need to find a method of the Jmeter application to either dump/send/ftp/script etc. the csv files into a folder and create an inputs.conf with the required config (props.conf) file to monitor the csv files. Where the csv files will be located you will need a UF configured so that it sends to the Indexers. The csv files should contain a time stamp; this should come from the Jmeter application, and hopefully it does, otherwise it will use the default mod time. In the inputs.conf there's an option to monitor the files and then delete them, this is the batch option, so once it monitors the csv file, it sends it to the sinkhole (deletes it); otherwise use the normal monitor option, your choice. So the goal is achievable, but it needs some setup/config/testing/refining/data checking.
This is a Jmeter question, then.  Other than manual export, what other capabilities/interfaces does Jmeter provide?  Any API call that will allow you to query all test cases? (Scripted input.)  Any way to trigger export after each test?  Or simply allow scheduled export? (File input.)  Is there a hook-like mechanism to trigger an arbitrary script after test? (HEC, file input, scripted input.)  There can be other possibilities.  If you know the answer but are unfamiliar with Splunk mechanisms, What data can I index? is a good place to start.  If you do not, present the documentation to a Jmeter expert and ask. Additionally, this is a search forum.  The subject is more suitable in Getting Data In.  Even there, I doubt if many people will be intimately familiar with Jmeter.
Yes, unfortunately this is the way it works - I have never fully worked out why this is the case - but most of the time it doesn't really matter. I have used techniques to solve this where I needed to only get the fields that pertained to the particular event, but that involved quite a bit of other work. You can do something simple like: search bla | transpose 0 | where isnotnull('row 1') | transpose 0 header_field=column | fields - column if this is just about data investigation and looking for things. Give us more on any use case where this is an issue and we can see if there is a way to solve it.
OK, I can see what you mean now. And I can confirm with this emulation:

| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1

a  | b  | c | d
va | vb |   |

With little information from its official documentation, I can argue either way as to whether this is a feature or a bug. But you must have a use case in mind. How will head be used in your application, and what is your expected result?
You can check via the below REST command in the Splunk search bar on the Deployment Server to see the settings  | rest splunk_server=local /services/configs/conf-serverclass | fields crossServerChecksum, disabled, endpoint, filterType, id, repositoryLocation, restartSplunkWeb, restartSplunkd, splunk_server, stateOnClient, targetRepositoryLocation, title, whitelist.0 | rename title AS server_class_name | table server_class_name, whitelist.0, crossServerChecksum, disabled, endpoint, filterType, id, repositoryLocation, restartSplunkWeb, restartSplunkd, splunk_server, stateOnClient, targetRepositoryLocation
We have a requirement to have a Splunk dashboard which shows all the test cases that we have run from Jmeter, for visibility purposes. I want to understand how we can achieve this. Jmeter gives the option to export the detailed reports in csv format, which can be uploaded to Splunk, but that would be a manual approach; uploading the csv file every time would be time consuming. Is there any way we can integrate Jmeter with Splunk which allows dumping the reports into Splunk? The limitation here is that since it's a project in an organization, any external app or plugin that is not approved by the organization cannot be installed.
Hello. To integrate AppDynamics with Zabbix you can check the below steps: use the AppDynamics REST API; explore middleware or integration platforms; develop custom connectors or plugins; evaluate third-party solutions. Hope it helps. Thank you, stevediaz