All Posts
Hi @SampathkumarK, in addition to the other hints: at the bottom of the ServerClass form you have a preview of the clients in the serverclass, so you can immediately check whether the whitelist is working correctly. Then you can go to the clients form and see the serverclasses enabled for those clients. Ciao. Giuseppe
I have added more info about the data in the main comment. Is stats the right Splunk command to use even if I need a table as the result?
I have added more info about the data in the main comment
Hi @Ram2, in this case (having only two hosts), please try this:

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>TimeRange</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="host">
      <label>Server</label>
      <choice value="*">All</choice>
      <choice value="host1">host1</choice>
      <choice value="host2">host2</choice>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query> </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Incoming Count &amp; Total Count</title>
        <search>
          <query>
index=app-index source=application.logs $host$ ( "Initial message received with below details" OR "Letter published correctley to ATM subject" OR "Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP" )
| rex field=_raw "application :\s(?&lt;Application>\w+)"
| rex field=_raw "(?&lt;Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over Application by Msgs
| rename "Initial message received with below details" AS Income, "Letter published correctley to ATM subject" AS ATM, "Letter published correctley to DMM subject" AS DMM, "Letter rejected due to: DOUBLE_KEY" AS Reject, "Letter rejected due to: UNVALID_LOG" AS Rej_log, "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app
| table Income Rej_app ATM DMM Reject Rej_log
          </query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentageRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao. Giuseppe
Thanks for the response @yuanliu. May I know what this block is doing?

| format "(" "\"" "" "\"" "," ")"
| rex field=search mode=sed "s/ *\" */\"/g"

I don't see lines starting with startswith, but I do see correct lines ending with endswith. When I run this command separately

| inputlookup messages.csv
| fields Messages
| rename Messages as search
| format "(" "\"" "" "\"" "," ")"
| rex field=search mode=sed "s/ *\" */\"/g"

I see a column with the name search and the value (""field1""). Do we need to have field1 inside parentheses and two double quotes?
Hi @apomona, with my search you have the list of servers where the EventCode 4776 isn't present in the last two minutes. The other time range is required to get (if present) the last occurrence of the event:

index="ad_windows" EventCode=4776 earliest=-60m@m
| eval period=if(_time>now()-120,"Last","Previous")
| stats count(eval(period="Last")) AS count latest(_time) AS _time BY host
| append [ | inputlookup DomainController.csv | eval count=0 | fields host count ]
| stats sum(count) AS total latest(_time) AS _time BY host
| where total=0
| eval _time=if(_time=0,"No events in the period",_time)
| table host _time

Ciao. Giuseppe
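The search above is a coverage check: a domain controller that stops producing EventCode 4776 (NTLM credential validation) for two minutes is either idle or no longer forwarding, and either way deserves a look. As an added example (not from Giuseppe's post), the same logic in Python over a constructed list of parsed Windows events and a constructed DC list standing in for DomainController.csv. `NOW`, the events and the host names are assumptions; the function mirrors the search's two windows (60-minute lookback for the last occurrence, 120-second window for "present").

```python
"""Flag listed domain controllers with no EventCode 4776 in the last two minutes.

Added example reproducing the logic of the SPL search; not code from the
original post. All input data below is constructed for the demonstration.
"""
from collections import defaultdict

NOW = 1_700_000_000  # constructed "now" epoch so results are reproducible

# Constructed events: (host, epoch _time, EventCode)
SAMPLE_EVENTS = [
    ("dc01", NOW - 30, 4776),
    ("dc01", NOW - 90, 4776),
    ("dc02", NOW - 900, 4776),    # last 4776 seen 15 minutes ago
    ("dc02", NOW - 50, 4624),     # different EventCode, must be ignored
    ("dc03", NOW - 3000, 4776),   # last 4776 seen 50 minutes ago
    ("dc05", NOW - 200, 4776),    # not in the DC lookup, still reported (as in the SPL)
    # dc04 is in the lookup but never logged anything
]
SAMPLE_DCS = ["dc01", "dc02", "dc03", "dc04"]  # stands in for DomainController.csv


def silent_domain_controllers(events, dc_hosts, now=NOW, lookback=3600,
                              window=120, event_code=4776):
    """Return {host: last_seen} for hosts with no `event_code` in the last `window` s.

    Hosts come from the union of the lookup list and the hosts seen in the
    events (the SPL's append + stats BY host). last_seen is the latest matching
    _time inside `lookback`, or 'No events in the period' when none exists.
    """
    recent_count = defaultdict(int)   # events inside the 2-minute window
    latest = {}                       # latest matching _time inside the lookback
    for host, ts, code in events:
        if code != event_code or ts < now - lookback:
            continue
        if ts > now - window:
            recent_count[host] += 1
        latest[host] = max(latest.get(host, 0), ts)

    result = {}
    for host in sorted(set(dc_hosts) | set(latest)):
        if recent_count[host] == 0:   # equivalent of `where total=0`
            result[host] = latest.get(host, "No events in the period")
    return result


if __name__ == "__main__":
    for host, last_seen in silent_domain_controllers(SAMPLE_EVENTS, SAMPLE_DCS).items():
        print(f"{host}\t{last_seen}")
```

Running it lists dc02, dc03, dc04 and dc05 with their last 4776 time, while dc01 is absent because it logged within the window; dc04 gets the "No events in the period" marker that the search assigns to lookup-only hosts.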
Thank you, found the authentication.conf with LDAP Configuration on our indexers
At a high level: you need to find a method for the Jmeter application to dump/send/ftp/script etc. the csv files into a folder, and create an inputs.conf with the required config (props.conf) file to monitor the csv files. Where the csv files will be located you will need a UF configured so that it sends to the Indexers. The csv files should contain a timestamp; this should come from the Jmeter application, and hopefully it does, otherwise it will use the default mod time. In inputs.conf there's an option to monitor the files and then delete them, this is the batch option, so once it monitors the csv file it sends it to the sinkhole (deletes it); otherwise use the normal monitor option, your choice. So the goal is achievable, it needs some setup/config/testing/refining/data checking.
This is a Jmeter question, then. Other than manual export, what other capabilities/interfaces does Jmeter provide? Any API call that will allow you to query all test cases? (Scripted input.) Any way to trigger export after each test? Or simply allow scheduled export? (File input.) Is there a hook-like mechanism to trigger an arbitrary script after a test? (HEC, file input, scripted input.) There can be other possibilities. If you know the answer but are unfamiliar with Splunk mechanisms, What data can I index? is a good place to start. If you do not, present the documentation to a Jmeter expert and ask. Additionally, this is a search forum. The subject is more suitable in Getting Data In. Even there, I doubt many people will be intimately familiar with Jmeter.
Yes, unfortunately this is the way it works. I have never fully worked out why this is the case, but most of the time it doesn't really matter. I have used techniques to solve this where I needed to get only the fields that pertained to the particular event, but that involved quite a bit of other work. You can do something simple like

search bla
| transpose 0
| where isnotnull('row 1')
| transpose 0 header_field=column
| fields - column

if this is just about data investigation and looking for things. Give us more on any use case where this is an issue and we can see if there is a way to solve it.
OK, I can see what you mean now. And I can confirm with this emulation:

| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1

which gives

a    b    c    d
va   vb

With little information from its official documentation, I can argue either way as to whether this is a feature or a bug. But you must have a use case in mind. How will head be used in your application, and what is your expected result?
You can check via the below REST command in the Splunk search bar on the Deployment Server to see the settings:

| rest splunk_server=local /services/configs/conf-serverclass
| fields crossServerChecksum, disabled, endpoint, filterType, id, repositoryLocation, restartSplunkWeb, restartSplunkd, splunk_server, stateOnClient, targetRepositoryLocation, title, whitelist.0
| rename title AS server_class_name
| table server_class_name, whitelist.0, crossServerChecksum, disabled, endpoint, filterType, id, repositoryLocation, restartSplunkWeb, restartSplunkd, splunk_server, stateOnClient, targetRepositoryLocation
We have a requirement to have a Splunk dashboard which shows all the test cases that we have run from Jmeter, for visibility purposes. I want to understand how we can achieve this. Jmeter gives the option to export the detailed reports in csv format, which can be uploaded to Splunk, but that would be a manual approach; uploading a csv file every time would be time consuming. Is there any way we can integrate Jmeter with Splunk which allows dumping the reports into Splunk? The limitation here is that since it's a project in an organization, any external app or plugin that is not approved by the organization cannot be installed.
Hello, to integrate AppDynamics with Zabbix you can check the below steps:
- Use the AppDynamics REST API.
- Explore middleware or integration platforms.
- Develop custom connectors or plugins.
- Evaluate third-party solutions.
Hope it helps. Thank you, stevediaz
Hello @SampathkumarK, when you whitelist or blacklist a particular host for a serverclass from the web UI, it creates the configuration in the serverclass.conf config file with the respective parameters. You can match the regex for whitelist/blacklist with the required pattern and validate whether the host matches the pattern or not. Also, phoneHome happens at every phoneHome interval that has been defined. You can find the detailed explanation in the following document: https://docs.splunk.com/Documentation/Splunk/9.2.1/Updating/Useserverclass.conf Thanks, Tejas.
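The answer above says to validate a host against the whitelist/blacklist patterns that the UI writes into serverclass.conf. As an added example (not from the post and not Splunk's own code), here is a small Python checker that reads a constructed serverclass.conf stanza and reports which client names that serverclass would select. It assumes the documented filter semantics: `*` and `?` act as wildcards, the client name is matched case-insensitively, and a client that matches both a whitelist and a blacklist entry is excluded (blacklist wins). The stanza contents and client names are constructed; real deployments also match IP addresses and DNS names the same way.

```python
"""Offline check of serverclass.conf whitelist/blacklist filters.

Added example, not Splunk's code. Assumed semantics (from the serverclass.conf
documentation): whitelist.N / blacklist.N patterns use '*' and '?' wildcards,
matching is case-insensitive, and a blacklist match overrides a whitelist match.
"""
import configparser
import re

# Constructed stanza standing in for $SPLUNK_HOME/etc/system/local/serverclass.conf
SAMPLE_SERVERCLASS_CONF = """
[serverClass:linux_web]
whitelist.0 = web-*.example.com
whitelist.1 = 10.1.2.*
blacklist.0 = web-dev-*.example.com
"""

# Constructed client names as they would appear on the deployment server
SAMPLE_CLIENTS = [
    "web-01.example.com",
    "web-dev-03.example.com",   # whitelisted by web-*, but blacklisted: excluded
    "10.1.2.45",
    "db-01.example.com",        # matches nothing: excluded
    "WEB-02.EXAMPLE.COM",       # case-insensitive match on web-*
]


def wildcard_to_regex(pattern):
    """Translate a serverclass.conf wildcard pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # literal dots, dashes, etc.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def load_filters(conf_text, server_class):
    """Return (whitelist, blacklist) pattern lists for one serverClass stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    stanza = parser[f"serverClass:{server_class}"]
    whitelist = [v for k, v in stanza.items() if k.startswith("whitelist.")]
    blacklist = [v for k, v in stanza.items() if k.startswith("blacklist.")]
    return whitelist, blacklist


def client_matches(client_name, whitelist, blacklist):
    """True when the client hits a whitelist entry and no blacklist entry."""
    if any(wildcard_to_regex(p).match(client_name) for p in blacklist):
        return False            # blacklist takes precedence
    return any(wildcard_to_regex(p).match(client_name) for p in whitelist)


def selected_clients(conf_text, server_class, clients):
    """Return the subset of `clients` the serverclass would include, in input order."""
    whitelist, blacklist = load_filters(conf_text, server_class)
    return [c for c in clients if client_matches(c, whitelist, blacklist)]


if __name__ == "__main__":
    for name in selected_clients(SAMPLE_SERVERCLASS_CONF, "linux_web", SAMPLE_CLIENTS):
        print("selected:", name)
```

Point the loader at a copy of your real serverclass.conf and the client names from the deployment server's client list to see, before the next phoneHome, which hosts a new whitelist entry will actually pull in.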
Screencaptures for clarification
You need to qualify your question with dataset (mockup or sanitized), SPL, and results.  I cannot reproduce what you described based on my mind-reading of your question.  But you must not rely on volunteers reading your mind. (It is never good to force people to read your mind.)
The following may look like voodoo but give it a try :-)

index="test1" source="test2" run="test3"
| transaction source run startswith IN [inputlookup messages.csv | fields Messages | rename Messages as search | format "(" "\"" "" "\"" "," ")" | rex field=search mode=sed "s/ *\" */\"/g"] endswith="status: PASS"

#forematmagic
Is this intended behavior? After selecting only a single event with "head 1", fields from excluded events that occurred at the same time can be seen in a table when using wildcards, for example "table _time, tags.* values.*".