In the props.conf example, when it says "REPORT-file_name = url_domain", what should I replace file_name with? I'll stay tuned, thank you very much.
Greetings! I'm unable to start appdynamics-machine-agent following the same install instructions that work with RHEL 7. Machine Agent Bundle - 64-bit Linux (rpm) 24.3.0 is installed. I updated the config file to match the same controller/settings/etc. as the RHEL 7 servers. Upon starting the service I see the status is failed, and the logs say: Could not initialize class com.sun.jna.Native

/opt/appdynamics/machine-agent/logs/startup.out OUTPUT

2024-04-16 11:15:53.430 Using Agent Version [Machine Agent v24.3.0.4127 GA compatible with 4.4.1.0 Build Date 2024-03-20 05:00:40]
ERROR StatusLogger Reconfiguration failed: No configuration found for '10dba097' at 'null' in 'null'
2024-04-16 11:15:55.037 [INFO] Agent logging directory set to: [/opt/appdynamics/machine-agent/logs]
2024-04-16 11:15:53.468 Could not start up the machine agent due to: Could not initialize class com.sun.jna.Native
2024-04-16 11:15:53.468 Please see startup.log in the current working directory for details.

/opt/appdynamics/machine-agent/startup.log OUTPUT

Tue Apr 16 11:15:55 CDT 2024
java.lang.NoClassDefFoundError: Could not initialize class com.sun.jna.Native
    at oshi.jna.platform.linux.LinuxLibc.<clinit>(LinuxLibc.java:22)
    at oshi.software.os.linux.LinuxOperatingSystem.<clinit>(LinuxOperatingSystem.java:97)
    at oshi.hardware.platform.linux.LinuxCentralProcessor.initProcessorCounts(LinuxCentralProcessor.java:166)
    at oshi.hardware.common.AbstractCentralProcessor.<init>(AbstractCentralProcessor.java:65)
    at oshi.hardware.platform.linux.LinuxCentralProcessor.<init>(LinuxCentralProcessor.java:57)
    at oshi.hardware.platform.linux.LinuxHardwareAbstractionLayer.createProcessor(LinuxHardwareAbstractionLayer.java:43)
    at oshi.util.Memoizer$1.get(Memoizer.java:61)
    at oshi.hardware.common.AbstractHardwareAbstractionLayer.getProcessor(AbstractHardwareAbstractionLayer.java:48)
    at com.appdynamics.agent.sim.properties.MachineLicensePropertiesProvider.getOshiBasedLicenseCpuInfo(MachineLicensePropertiesProvider.java:75)
    at com.appdynamics.agent.sim.properties.MachineLicensePropertiesProvider.getLicenseCpuInfo(MachineLicensePropertiesProvider.java:44)
    at com.appdynamics.agent.sim.properties.MachineLicensePropertiesProvider.get(MachineLicensePropertiesProvider.java:106)
    at com.appdynamics.agent.sim.properties.MachineLicensePropertiesProvider.get(MachineLicensePropertiesProvider.java:25)
    at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:86)
    at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:72)
    at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:60)
    at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:59)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.RealMultibinder$RealMultibinderProvider.doProvision(RealMultibinder.java:253)
    at com.google.inject.internal.RealMultibinder$ExtensionRealMultibinderProvider.doProvision(RealMultibinder.java:307)
    at com.google.inject.internal.RealMultibinder$ExtensionRealMultibinderProvider.doProvision(RealMultibinder.java:289)
    at com.google.inject.internal.InternalProviderInstanceBindingImpl$Factory.get(InternalProviderInstanceBindingImpl.java:113)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:60)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
    at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:58)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:60)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
    at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
    at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
    at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:113)
    at com.google.inject.Guice.createInjector(Guice.java:87)
    at com.google.inject.Guice.createInjector(Guice.java:69)
    at com.appdynamics.voltron.FrameworkBootstrap.createInjector(FrameworkBootstrap.java:107)
    at com.appdynamics.voltron.FrameworkBootstrap.start(FrameworkBootstrap.java:162)
    at com.appdynamics.voltron.FrameworkBootstrap.startAndRun(FrameworkBootstrap.java:120)
    at com.appdynamics.voltron.FrameworkApplication.start(FrameworkApplication.java:31)
    at com.appdynamics.agent.sim.Main.startSafe(Main.java:64)
    at com.appdynamics.agent.sim.bootstrap.Bootstrap.main(Bootstrap.java:48)
Is your trigger condition the same as it was before?

| where is_maintenance window = 0 AND is_server_down=1

I'm assuming your maintenance window is on a specific day of the week? April 23rd is a Tuesday; is your maintenance window every Tuesday night/Wednesday morning? Introduce a new attribute for the day of the week (note that the field name is is_maintenance_window, with an underscore, in both the eval and the where clause):

| tstats count where index=cts-dcpsa-app sourcetype=app:dcpsa host_ip IN (xx.xx.xxx.xxx, xx.xx.xxx.xxx) by host
| eval current_time=strftime(now(), "%H%M")
| eval aDayNumber = strftime(now(), "%w")
| eval is_maintenance_window=if((aDayNumber = 2 AND current_time >= 2100) OR (aDayNumber = 3 AND current_time < 0400), 1, 0)
| eval is_server_down=if(count == 0, 1, 0)
| where is_maintenance_window = 0 AND is_server_down=1
@KothariSurbhi Yes, I have developed an app and placed the settings in the default ui-prefs.conf, and after the app vetting process it still didn't work. Need your inputs on the same, please. I have also restarted the Splunk Cloud search head instance, but it is still the same.
Hi @Fadil.Chalakandy, I was told that after the Ops team ran a report, they saw nothing reporting TLS versions 1.0 and 1.1.
Hi @VatsalJagani, I am not looking in any logs specifically, because I need to create multiple Custom Views and configure them with different XPath queries. So I am looking for an approach to monitor these Custom Views with WinEventLog. In the photo, an example of a Custom View is the "Test" folder. But in the path C:\Windows\System32\winevt\Logs I could not find any reference to this "Test" Custom View. To recap: the "Test" Custom View works fine in the Event Viewer and is updated live as my query executes. It contains all the events I am interested in (which ones is not important). However, I could not find any path connected to it where the logs are stored and ready to be collected by a Splunk WinEventLog monitor. Thanks,
Resolved this by adding --platform=linux/amd64 while pulling the image. For instance, use

FROM --platform=linux/amd64 tiangolo/uvicorn-gunicorn-fastapi:python3.10

instead of

FROM tiangolo/uvicorn-gunicorn-fastapi:python3.10
Hello @anandhalagaras1 , If you're creating a custom app, you'll need to write the configuration in your default directory; otherwise, it will give you an error during validation, and the app won't pass the vetting process in Splunk Cloud.
Hello! I know this is an older post, but, I just tried the latest version of getwatchlist in Splunk Cloud, and your query works as expected now. Thanks!
Hi Can anyone please suggest where I can submit a bug report for dashboard visualisations? Thanks
Thanks for the response. I'm not getting any matches, though. Everything is coming back as count=0, even though there are entries in the lookup that should match.
Have you tried my suggestion?
Yes, Microsoft generates incident IDs that are unique and collision-free for each incident. I'm going to try to disable it
Sounds like you are doing everything right. Having said that, I don't use throttling by incident ID, so perhaps there is an issue there? Are the incident IDs completely unique? Is there a pattern to the incidents which are getting missed?
@yuanliu wrote:
> This ask could have two interpretations. The simple one is extremely simple. Let me give you the formula first.
>
> | inputlookup pod_name_lookup where NOT [search index=abc sourcetype=kubectl | eval pod_name = mvindex(split(pod_name, "-"), 0) | stats values(pod_name) as pod_name]
> | stats dc(pod_name) as count values(pod_name) as pod_name by importance

This query gets me really close. The one edge case I did not bring up is that some pods have multiple parts of the expected name that are also split by dashes. For example, I would have this in the lookup:

pod_name            importance
podd-unique-name    critical

and need to match this from the results:

podd-unique-name-h98erg-n2439f Running critical

Yes, the "importance" in both will match exactly, but it is only important in the lookup field. The goal of this is to display pods that are not found in the search results compared to the inputlookup, and, using the "importance" field from the lookup, display the missing pod name and importance.
Something in my solution is not right. It works for only one condition (one or the other), but combined they produce zero events.

--------- Events reported -----------
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block
| table event_type, hostname, ip

------------- Events reported -----------
index=firewall (sourcetype=collector OR sourcetype=metadata) event_type="error"
| table event_type, hostname, ip

------------ No events reported -----------
index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
| table event_type, hostname, ip
@sjringo - what should my trigger condition be? Also, how will your query identify which date? I don't want the alert to be suppressed every day from 21:00 to 4:00 am. I want just a specific date, which is going to be 23rd April from 9 pm to 24th April 4 am.
Oh, I have put a lot of information about it, like the example I gave. I have put the search query, an example of an event, the alert configuration, etc. They are events ingested by the Microsoft security API, coming from Defender, and the queries are basic: if the title of the event is x, it is triggered. It is already desperation, because if you run the search normally it detects the event it should, but the alert has not been generated. So the only option I can think of is the indexing time, but I understand that if the search runs every 5 minutes and searches the entire previous hour there should be no problem, and there still is. These alerts are very important to me, and they must appear no matter what. In the example I mentioned at the beginning:

TimeIndexed = 2024-04-04 01:01:59
_time = 04/04/2024 00:56:08.600
Assuming Invetory is spelled (in)correctly, you could try this. The rex at the end is required because this date has an embedded space and it is the last field in the message:

| makeresults
| eval _raw="{\"id\":\"0\",\"severity\":\"Information\",\"message\":\"CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, InvetoryDate=4/16/2024 7:34:25 PM\"}"
| spath
| rename message as _raw
| extract
| rex "InvetoryDate=(?<InvetoryDate>.*)"

If the fields were re-ordered, or an extra field was in the message (without an embedded space), then the rex would not be required:

| makeresults
| eval _raw="{\"id\":\"0\",\"severity\":\"Information\",\"message\":\"CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, InvetoryDate=4/16/2024 7:34:25 PM, Tail=True\"}"
| spath
| rename message as _raw
| extract
Thank you so much for the prompt reply. Below is the fixed format of the data. Please help me with this.

{"id":"0","severity":"Information","message":"CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, InvetoryDate=4/16/2024 7:34:25 PM"}

I need to extract fields in the format below. Your help is really appreciated.

CPW Total | SEQ Total | EAS Total | VRS Total | CPW Remaining | SEQ Remaining | EAS Remaining | VRS Remaining | InvetoryDate
844961    | 244881    | 1248892   | 238       | 74572         | 22            | 62751         | 0             | 4/15/2024 6:16:07 AM