All Posts

+1 to what @richgalloway wrote - the official requirements are a bit... imprecise here and no one really knows how to interpret them. From my personal experience, it means that: 1) All cluster members should be running on the same operating system - a 100% Linux cluster or a 100% Windows cluster. 2) All members should run on the same architecture (I don't remember if there are 32-bit versions available anymore, but back when they were it might have mattered, so you mustn't mix 32-bit and 64-bit; and of course don't try to add any ARMs to the mix if/when they become available). 3) As long as the cluster members are properly set up on each respective OS they should work, but it is good practice to keep things homogeneous - it saves you on maintenance and troubleshooting. Also, Splunk Support can reject cases if you have a mixed environment, especially if an issue is present on one OS and not showing on another.
In the props.conf, the original_host extraction won't work for the majority of users - EXTRACT-original_host = \d+-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[\+\-]\d{2}:\d{2}\s(?<original_host>\S+) original_host is, I believe, a crucial field, so that all data models can work as expected.
Honestly? I have no idea what you're talking about. Could you be more specific?
It's a bit vague what you're trying to do. You can't get two separate result sets from one search.
First you have to think about what exactly the components in your dashboard would search for. Then you have to check if you have data to search from. After that comes the time to write searches which do search for those things. The last step is turning the results from those searches into some visualizations, or making them dynamic based on the dashboard inputs' contents. So where are you in this process?
Hi colleague, I am having this issue; were you able to resolve it?
Hi @Ravi.Rajangam,  I updated the link above. If this ever happens again, just look at the last bit of the URL, it shows you the title of the doc and you can search for the title in docs. https://docs.appdynamics.com/appd/24.x/24.4/en/application-monitoring/administer-app-server-agents/request-agent-log-files
Tried the query below. Where there is no data for any of the Msgs it displays zero only for the first 3 rows; the remaining rows display null.

index=app-index source=application.logs
| rex field=_raw "application :\s(?<Application>\w+)"
| rex field=_raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over Application by Msgs
| rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app
| table Income Rej_app ATM DMM Reject Rej_log Rej_app
| appendcols [| makeresults format=csv data="Income, Rej_app, ATM, DMM, Reject, Rej_log, Rej_app
,,,,,
,,,,,
,,,,," | fillnull]

Output:

Application   ATM  DMM  Income  Rej_app  Rej_log  Reject
Login          10    0       0        2        0       0
Success        12    0       0        1        0       0
Error          23    0       0       11        0       0
Debug           2                     3
logout          1                    50
error-state    61                    20
normal-state    1                    10
The above link takes you to the root documentation home page of AppDynamics?
It looks like you have the data, so why not go through some training on creating some generic stuff? This is a free online guide and a good starting point: you learn some basic concepts, you can apply the principles to the AD data, and then further develop your skills by looking at the formal training courses. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchTutorial/WelcometotheSearchTutorial
This appears to be a duplicate of this question: splunk dashboard studio result variance - Splunk Community
It is not clear what your events look like, but you could try something like this | stats count by field1, field2
Hi, I have two panels with two different search results. Say Panel A and Panel B; both panels just return/show a single value. I want to get the difference of these panels in another panel, but it should check whether Panel A and Panel B have finalized their results before doing the difference. Could you please suggest? Thanks, Selvam.
It worked. Thank you @phanTom
Hello all, can someone please help me regarding my query "base | stats count by field1"? I am using this query, but I would like to add field2 to this query as well, in the form of a table. Please provide your valuable suggestions.
The original_host field extraction should be aligned if a syslog server has a different date/time format. The current field extraction is defined based on your syslog server, and I am positive that this app works only for a couple of Splunk customers.
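Added example (not from the app or from the posters above) that runs the EXTRACT-original_host regex quoted in the two posts above, translated from Splunk's PCRE (?<name>...) syntax to Python's (?P<name>...), over a few constructed syslog lines to show which timestamp formats it actually handles. The host names and messages are made up for the demonstration.

```python
import re

# The extraction as quoted in the posts above; only the named-group syntax
# differs (Python needs (?P<name>...), Splunk/PCRE accepts (?<name>...)).
ORIGINAL_HOST_RE = re.compile(
    r"\d+-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[\+\-]\d{2}:\d{2}\s(?P<original_host>\S+)"
)


def extract_original_host(line: str, pattern: re.Pattern = ORIGINAL_HOST_RE):
    """Return the original_host value the EXTRACT would produce, or None if the
    regex does not match the line (the field would simply be absent in Splunk)."""
    m = pattern.search(line)
    return m.group("original_host") if m else None


# Constructed sample lines (not real logs), one per common syslog timestamp style.
SAMPLE_LINES = {
    # ISO 8601 with fractional seconds and a numeric UTC offset: the only style
    # the regex is written for.
    "iso8601_fraction_offset": "2024-05-01T12:34:56.123456+02:00 webhost01 sshd[4242]: Accepted publickey for alice",
    # Same, but no fractional seconds: the mandatory "\.\d+" never matches.
    "iso8601_no_fraction": "2024-05-01T12:34:56+02:00 webhost01 sshd[4242]: Accepted publickey for alice",
    # "Z" instead of +HH:MM: "[\+\-]\d{2}:\d{2}" never matches.
    "iso8601_zulu": "2024-05-01T12:34:56.123Z webhost01 sshd[4242]: Accepted publickey for alice",
    # Classic RFC 3164 "Mon DD HH:MM:SS" header: no ISO date at all.
    "rfc3164": "May  1 12:34:56 webhost01 sshd[4242]: Accepted publickey for alice",
}


def extraction_coverage(lines=SAMPLE_LINES, pattern=ORIGINAL_HOST_RE):
    """Map each sample style to the host the regex extracts (None = field missing)."""
    return {name: extract_original_host(line, pattern) for name, line in lines.items()}


if __name__ == "__main__":
    for style, host in extraction_coverage().items():
        print(f"{style:24s} -> original_host={host}")
```

Only the first style yields a value, which is the practical reason the field, and everything in the data models that keys on it, goes missing for syslog servers emitting any of the other formats.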
@harishlnu just leave the command field empty and put the full SPL in the query field and it will work. It may complain about the command field not being populated but IMO that was a silly addition to the app action. -- Hope this helps! If it does please mark as a solution for the future. Happy SOARing! --
Hi Team, could you please help me with running a query in Splunk? The query starts with | ldapsearch. "Run query" only has the commands search, tstats, eval, savedsearch, stats. Could you please guide me on this? Thanks in advance. Regards, Harisha
The OS requirement is somewhat flexible to allow for OS upgrades, patches, etc.  In my mind, it means Linux vs Windows more than Ubuntu vs CentOS.  That said, every effort should be made to have the CM and indexers on the same release. You should have no problems adding the Ubuntu indexers to the cluster.
@richgalloway wrote: I think you have the right idea on all counts. Migrating the CM is similar to migrating a SH. Do migrate the CM before the indexers.

Working on this project. I have the new CM stood up on Ubuntu 22 and it has replaced the CentOS 7 CM, which is now offline. The indexers are still on CentOS 7. I see in the docs that the CM and indexers need to be the same OS. Is this true? The cluster seems to be working fine so far and I'm working on the new Ubuntu indexers that will be added to the cluster. Still safe to proceed, or will I run into issues adding the Ubuntu indexers to the cluster? Found under "Operating system requirements": "All indexer cluster nodes (manager node, peer nodes, and search heads) must run on the same operating system and version." System requirements and other deployment considerations for indexer clusters - Splunk Documentation