All Posts


Hi @sajo.sam, I did some digging and found this info. We can see 401 when there is an issue either in the access key or in the account name.

    kubectl -n appdynamics create secret generic cluster-agent-secret --from-literal=controller-key="myaccount access key valid"

Can you please check and confirm if the access key you have used to create the secret is the same as the access key under Settings#licenses#Account. If it is not the same, then please pass the same one and repeat the steps of creating a secret and creating the yaml.

Hi @Ryan.Paredez I tried but I'm stuck with another issue. The logs given below show it faces some errors with "Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"

    [ERROR]: 2024-04-09 11:20:38 - secretconfig.go:68 - Problem With Getting /opt/appdynamics/cluster-agent/secret-volume/api-user Secret: open /opt/appdynamics/cluster-agent/secret-volume/api-user: no such file or directory
    [INFO]: 2024-04-09 11:20:38 - main.go:78 - Kubernetes version: v1.29.0
    [INFO]: 2024-04-09 11:20:38 - main.go:236 - Registering cluster agent with controller host : accountname.saas.appdynamics.com controller port : 8080 account name : accountname
    [WARNING]: 2024-04-09 11:20:38 - agentregistrationmodule.go:352 - "default" is not a valid namespace in your kubernetes cluster
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:356 - Established connection to Kubernetes API
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:68 - Cluster name: fromKube
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:119 - Initial Agent registration
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:131 - Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:132 - clusterId: -1
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:134 - Registration properties: {}
    [INFO]: 2024-04-09 11:21:38 - agentregistrationmodule.go:119 - Initial Agent registration

^ Post edited by @Ryan.Paredez to remove mentions and links to Account name. For security and privacy reasons, please redact the name of your Account in Community posts.

Hi @Sagar.Nalawade, Did you get a chance to review the links I sent above? Did they help out or did you find a solution you can share here?
There are many formats that someone would consider "normal". Almost none of them require rex. Use the strptime and strftime functions to convert one time format to another.

    | eval ts = strftime(strptime(ts, "%Y-%m-%dT%H:%M:%S.%9N%Z"), "<<your 'normal' format>>")

Hi @sajo.sam, Did you get a chance to check out the TKB article or have you found a solution you can share?
Hi @Osama.Abbas, I'm still waiting to hear back from our Docs team. Have you found a solution or any new info in the meantime?
You are correct.  Use the singular form.
Hi @Amit.Bisht, I know it's been a while since you asked your question. I wanted to follow up to see if you found a solution or if you had a chance to look at @Ranjith.Kumarkar's reply and perhaps that helped.
Hi @Rohit.Sharma, Can you confirm if either of the replies has answered your question? If so, please click on the 'Accept as Solution' button or reply to the thread keeping the conversation going. 
Oh, I see... But should not it be $result.Level$ -- that is, singular "result", not plural "results"? Thanks!
I have a timestamp with this format: "2024-01-01T20:00:00.190000000Z". I can convert this to normal format using rex; however, I want to know, is there an alternative way to convert it to normal time format?
@ITWhisperer Here is the source code of the trellis single value visualization:

    {
        "type": "splunk.singlevalue",
        "options": {
            "numberPrecision": 0,
            "sparklineDisplay": "below",
            "trendDisplay": "absolute",
            "unitPosition": "after",
            "shouldUseThousandSeparators": true,
            "trellisMinColumnWidth": 120,
            "trellisRowHeight": 68,
            "majorValue": "> sparklineValues | lastPoint()",
            "trendValue": "> sparklineValues | delta(-2)",
            "sparklineValues": "> primary | seriesByName('Number of Scenarios')",
            "trellisSplitBy": "Page",
            "splitByLayout": "trellis",
            "trellisPageCount": 1000,
            "backgroundColor": "#d41f1f",
            "majorColor": "#FAF9F6",
            "trellisBackgroundColor": "#FAF9F6"
        },
        "context": {
            "convertedColorRange": [
                {
                    "from": 100,
                    "value": "#dc4e41"
                },
                {
                    "from": 70,
                    "to": 100,
                    "value": "#f1813f"
                },
                {
                    "from": 30,
                    "to": 70,
                    "value": "#f8be34"
                },
                {
                    "from": 0,
                    "to": 30,
                    "value": "#0877a6"
                },
                {
                    "to": 0,
                    "value": "#53a051"
                }
            ]
        },
        "dataSources": {
            "primary": "ds_P7P9WCoL_ds_TheWXmJx_ds_ionW1KZM"
        },
        "eventHandlers": [
            {
                "type": "drilldown.linkToDashboard",
                "options": {
                    "app": "search",
                    "dashboard": "reliability_layer_3_insight_application_dashboard__thaa_proper",
                    "newTab": true,
                    "tokens": []
                }
            },
            {
                "type": "drilldown.setToken",
                "options": {
                    "tokens": [
                        {
                            "token": "stepTok",
                            "key": "trellis.value"
                        }
                    ]
                }
            }
        ],
        "showProgressBar": false,
        "showLastUpdated": false,
        "hideWhenNoData": false
    }

Here is the datasource used for this visualization.

    index="xxx" appID="APP-xxx" environment=xxx tags="*Parm*" OR "*Batch*" stepName="*" status=PASSED
    | rex field=stepName "^(?<Page>[^\:]+)"
    | rex field=stepName "^\'(?<Page>[^\'\:]+)"
    | eval Page=upper(Page)
    | stats count(scenario) as "Number of Scenarios" by Page
    | sort - "Number of Scenarios"

I just checked our Searchheads for this issue: We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3. Kind Regards
Hi. I'm trying to use the subsearch, but I'm not sure what I am doing wrong. First, the inner search is a list of accounts like this one.

    index=main sourcetype=vpacmanagement
    | eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
    | eval MemberName2 = split(TeamMember, "\\")
    | eval Member2 = mvindex(MemberName2,1)
    | eval Member2=upper(Member2)
    | where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
    | dedup WONumber
    | rename Member2 as Member
    | fields Member

I get one account, all OK so far. But using the search in an outer search:

    index=main sourcetype=vpacmanagement
    | join Member
        [search index=main sourcetype=vpacmanagement
        | eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
        | eval MemberName2 = split(TeamMember, "\\")
        | eval Member2 = mvindex(MemberName2,1)
        | eval Member2=upper(Member2)
        | where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
        | dedup WONumber
        | rename Member2 as Member
        | fields Member]
    | eval DateStamp2= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
    | eval month = strftime(DateStamp2, "%m")
    | eval year = strftime(DateStamp2, "%Y")
    | eval GroupName = split(DomainGroup, "\\"), MemberName = split(TeamMember, "\\")
    | eval Name = mvindex(GroupName,1), Member = mvindex(MemberName,1)
    | eval RequestType = upper(RequestType), Name = upper(Name), Member=upper(Member)
    | where not like(Status, "%/%/%") and DateStamp2 > relative_time(now(), "-2d")
    | dedup RequestType,DomainGroup, TeamMember
    | fields WONumber, DateStamp, ResourceSteward, RequestType, Name, Member, Status
    | table WONumber, DateStamp, ResourceSteward, RequestType, Name,Member, Status
    | sort DateStamp2

As you can see, I made some calculations and I'm using the Member field as the value to make the join, but it is still not getting any account from the outer search, and in fact the element exists in the outer search. Does anyone know what I am missing? Thanks

It doesn't have to be whole dashboard, but it should at least match the visualisation you shared earlier, or, if it doesn't then share the part that isn't working for you (so we can try and test it, or our solutions, for you).
Have you tried "Subject: $result.Level$ app in $result.APPDIRS$"?
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens
Where is the web server actually installed to and run from for SOAR in a RHEL environment? Unlike Splunk Web UI where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets its paths. Specifically where SSL is chosen. Assume I have installed SOAR to /data

Thanks for any assistance!

Hi @ITWhisperer , Source code has huge lines so I am unable to paste it or attach as a file. Kindly advise.
I have an alert based on the below search (obfuscated):

    ...
    | eval APPDIR=source
    | rex field=APPDIR mode=sed "s|/logs\/.*||g"
    | eventstats values(APPDIR) as APPDIRS
    | eval Level=if("/app/5000" IN (APPDIRS), "PRODUCTION", "Non-production")
    | eval APPDIRS=mvjoin(APPDIRS, ",")

The idea is to discern the affected application-instance (there are multiple logs under each of the /app/instance/logs/) and then to determine, whether the instance is a production one or not. In the search-results all three new fields (APPDIR, APPDIRS, and Level) are populated as expected. But they don't show up in the e-mails. The "Subject: $Level$ app in $APPDIRS$" expands to mere "Subject:  app in ". Nor are the fields expanded in the body of the alert e-mail.

Now, I understand, that event-specific fields -- like the singular APPDIR above -- cannot be expected to work in an alert. But the plural APPDIRS, as well as the Level, are aggregates, aren't they? What am I doing wrong, and how do I fix it?