All Posts

Hi, regex _raw is here the wrong command… regex - Splunk Documentation but rex seems wrong too rex - Splunk Documentation because it can't do a key value extraction in search. I found an odd way to handle this:
    | spath
    | rename _raw AS temp date AS _raw
    | extract pairdelim="|" kvdelim="="
    | rename _raw as date temp as _raw
reference: extract - Splunk Documentation
Is this what you are searching for? Kind Regards
Hi All, I have set up the Object and event input configuration in the Salesforce TA. I am able to see the object logs but unable to see the event logs in Splunk Cloud. Any directions for triaging the issue? Appropriate permissions are provided for the Salesforce user.
I haven't found a definitive answer in any of the docs yet.  Is it possible to utilize Splunk Smartstore when everything is in Splunk Cloud and we do not have an on-prem Enterprise?
The subsearch derived the Member field from TeamMember so it would seem the main search, which uses the same index and sourcetype, would expect a field called "TeamMember" to come from the subsearch.  For a join to work properly, both sides must use the same field name(s).  This can be done using rename in the subsearch. Run the subsearch by itself with | format appended to see what the subsearch turns into.  That resulting string, inserted into the main search, is what produces the final result set.  Adjust the subsearch (or the join command itself) appropriately to get the results you want.
Done
If you edit your earlier answer to correct the syntax, I'll be able to mark it as the solution...
Hi @sajo.sam, I did some digging and found this info. We can see 401 when there is an issue either in the access key or in the account name.
    kubectl -n appdynamics create secret generic cluster-agent-secret --from-literal=controller-key="myaccount access key valid"
Can you please check and confirm if the access key you have used to create the secret is the same as the access key under Settings#licenses#Account. If not the same then please pass the same and repeat the steps of creating a secret and create yaml.
Hi @Ryan.Paredez I tried but I'm stuck with another issue. The logs given below show it faces some errors with "Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
    [ERROR]: 2024-04-09 11:20:38 - secretconfig.go:68 - Problem With Getting /opt/appdynamics/cluster-agent/secret-volume/api-user Secret: open /opt/appdynamics/cluster-agent/secret-volume/api-user: no such file or directory
    [INFO]: 2024-04-09 11:20:38 - main.go:78 - Kubernetes version: v1.29.0
    [INFO]: 2024-04-09 11:20:38 - main.go:236 - Registering cluster agent with controller host : accountname.saas.appdynamics.com controller port : 8080 account name : accountname
    [WARNING]: 2024-04-09 11:20:38 - agentregistrationmodule.go:352 - "default" is not a valid namespace in your kubernetes cluster
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:356 - Established connection to Kubernetes API
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:68 - Cluster name: fromKube
    [INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:119 - Initial Agent registration
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:131 - Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:132 - clusterId: -1
    [ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:134 - Registration properties: {}
    [INFO]: 2024-04-09 11:21:38 - agentregistrationmodule.go:119 - Initial Agent registration
^ Post edited by @Ryan.Paredez to remove mentions and links to Account name. For security and privacy reasons, please redact the name of your Account in Community posts.
Hi @Sagar.Nalawade, Did you get a chance to review the links I sent above? Did they help out or did you find a solution you can share here?
There are many formats that someone would consider "normal". Almost none of them require rex. Use the strptime and strftime functions to convert one time format to another.
    | eval ts = strftime(strptime(ts, "%Y-%m-%dT%H:%M:%S.%9N%Z"), "<<your 'normal' format>>")
Hi @sajo.sam, Did you get a chance to check out the TKB article or have you found a solution you can share?
Hi @Osama.Abbas, I'm still waiting to hear back from our Docs team. Have you found a solution or any new info in the meantime?
You are correct.  Use the singular form.
Hi @Amit.Bisht, I know it's been a while since you asked your question. I wanted to follow up to see if you found a solution or if you had a chance to look at @Ranjith.Kumarkar's reply and perhaps that helped.
Hi @Rohit.Sharma, Can you confirm if either of the replies has answered your question? If so, please click on the 'Accept as Solution' button or reply to the thread keeping the conversation going. 
Oh, I see... But shouldn't it be $result.Level$ -- that is, singular "result", not plural "results"? Thanks!
I have a timestamp with this format "2024-01-01T20:00:00.190000000Z". I can convert this to normal format using rex; however, I want to know: is there an alternative to convert to normal time format?
@ITWhisperer Here is the source code of the trellis single value visualization:
    {
        "type": "splunk.singlevalue",
        "options": {
            "numberPrecision": 0,
            "sparklineDisplay": "below",
            "trendDisplay": "absolute",
            "unitPosition": "after",
            "shouldUseThousandSeparators": true,
            "trellisMinColumnWidth": 120,
            "trellisRowHeight": 68,
            "majorValue": "> sparklineValues | lastPoint()",
            "trendValue": "> sparklineValues | delta(-2)",
            "sparklineValues": "> primary | seriesByName('Number of Scenarios')",
            "trellisSplitBy": "Page",
            "splitByLayout": "trellis",
            "trellisPageCount": 1000,
            "backgroundColor": "#d41f1f",
            "majorColor": "#FAF9F6",
            "trellisBackgroundColor": "#FAF9F6"
        },
        "context": {
            "convertedColorRange": [
                { "from": 100, "value": "#dc4e41" },
                { "from": 70, "to": 100, "value": "#f1813f" },
                { "from": 30, "to": 70, "value": "#f8be34" },
                { "from": 0, "to": 30, "value": "#0877a6" },
                { "to": 0, "value": "#53a051" }
            ]
        },
        "dataSources": {
            "primary": "ds_P7P9WCoL_ds_TheWXmJx_ds_ionW1KZM"
        },
        "eventHandlers": [
            {
                "type": "drilldown.linkToDashboard",
                "options": {
                    "app": "search",
                    "dashboard": "reliability_layer_3_insight_application_dashboard__thaa_proper",
                    "newTab": true,
                    "tokens": []
                }
            },
            {
                "type": "drilldown.setToken",
                "options": {
                    "tokens": [
                        {
                            "token": "stepTok",
                            "key": "trellis.value"
                        }
                    ]
                }
            }
        ],
        "showProgressBar": false,
        "showLastUpdated": false,
        "hideWhenNoData": false
    }
Here is the datasource used for this visualization:
    index="xxx" appID="APP-xxx" environment=xxx tags="*Parm*" OR "*Batch*" stepName="*" status=PASSED
    | rex field=stepName "^(?<Page>[^\:]+)"
    | rex field=stepName "^\'(?<Page>[^\'\:]+)"
    | eval Page=upper(Page)
    | stats count(scenario) as "Number of Scenarios" by Page
    | sort - "Number of Scenarios"
I just checked our Searchheads for this issue: We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3. Kind Regards
Hi. I'm trying to use the subsearch, but I'm not sure what I am doing wrong. First, the inner search is a list of accounts like this one:
    index=main sourcetype=vpacmanagement
    | eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
    | eval MemberName2 = split(TeamMember, "\\")
    | eval Member2 = mvindex(MemberName2,1)
    | eval Member2=upper(Member2)
    | where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
    | dedup WONumber
    | rename Member2 as Member
    | fields Member
I get one account, all ok so far. But using the search in an outer search:
    index=main sourcetype=vpacmanagement
    | join Member
        [search index=main sourcetype=vpacmanagement
        | eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
        | eval MemberName2 = split(TeamMember, "\\")
        | eval Member2 = mvindex(MemberName2,1)
        | eval Member2=upper(Member2)
        | where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
        | dedup WONumber
        | rename Member2 as Member
        | fields Member]
    | eval DateStamp2= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
    | eval month = strftime(DateStamp2, "%m")
    | eval year = strftime(DateStamp2, "%Y")
    | eval GroupName = split(DomainGroup, "\\"), MemberName = split(TeamMember, "\\")
    | eval Name = mvindex(GroupName,1), Member = mvindex(MemberName,1)
    | eval RequestType = upper(RequestType), Name = upper(Name), Member=upper(Member)
    | where not like(Status, "%/%/%") and DateStamp2 > relative_time(now(), "-2d")
    | dedup RequestType,DomainGroup, TeamMember
    | fields WONumber, DateStamp, ResourceSteward, RequestType, Name, Member, Status
    | table WONumber, DateStamp, ResourceSteward, RequestType, Name,Member, Status
    | sort DateStamp2
As you can see, I made some calculations and I'm using the Member field as the value to make the join, but it is still not getting any account from the outer search, and in fact the element exists in the outer search. Does anyone know what I am missing? Thanks