All Posts

{ "correlationId" : "43b856a1", "message" : "Post - Expense Extract processing to Oracle", "tracePoint" : "FLOW", "priority" : "INFO" }
{ "correlationId" : "43b856a1", "message" : "After calling flow SubFlow", "tracePoint" : "FLOW", "priority" : "INFO" }
{ "correlationId" : "43b856a1", "message" : "PRD(SUCCESS): Concur AP/GL Extract- Expense Report. Concur Batch ID: 450 Company Code: 725 Operating Unit: AB_OU", "tracePoint" : "FLOW", "priority" : "INFO" }
{ "correlationId" : "19554d60", "message" : "PRD(SUCCESS): Concur AP/GL Extract - Expense Report. Concur Batch ID: 398 Company Code: 755 Operating Unit: BZ_OU", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "19554d60", "message" : "Concur AP/GL File/s Process Status", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "19554d60", "message" : "PRD(SUCCESS): Concur AP/GL Extract - Expense Report. Concur Batch ID: 398 Company Code: 725 Operating Unit: AB_OU", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "19554d60", "message" : "Before calling flow post-PInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "Before calling flow post-APInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "PRD(SUCCESS): Concur AP/GL Extract - AP Expense Report. Concur Batch ID: 95", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "Post - Expense Extract processing to Oracle", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "Concur Process Status", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "ISG AP Response", "tracePoint" : "FLOW", "priority" : "INFO", }
{ "correlationId" : "9a1219f2", "message" : "After calling flow post-APInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", }
Thanks, it worked. One more request: since I am new to Splunk, could you please help me understand how this regular expression works? I mean, what does this mean in a regex expression:
| rex field=TeamWorkTimings "(?<TeamStart>[^-]+)-(?<TeamEnd>.*)"
It looks like a script in the splunk_ta_o365 app is attempting to use a nonexistent "admin" user. Does your dev instance have an "admin" user?
Please can you share some sample events that we can test with - please share them in a code block
Same result, it's not showing any values in the table.
The issue has been resolved. It turned out I fat-fingered the entry in the Azure Event Hub Input configuration for the 'Event Hub Name'; once that was corrected, all errors have been resolved and data is ingesting as expected.
Another option you could try is converting the dashboard to Classic
Does it work if you create two base searches rather than 1 base search and two chained searches?
Two things to check.
1 - I've seen instances where firewall devices inject a private cert on outbound traffic, causing error messages like this. Adding an exception for the Splunk forwarder resolved the issue.
2 - If you are using self-signed or internal certs, you may need to add the cert to the add-on's trust list:
Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/lib/certifi
Edit the cacert.pem file
Append the contents of your root certificate to this file
Restart Splunk
Try filtering like this:
index="mulesoft" applicationName="s-concur-api" environment=PRD "*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *" OR "*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: *"
Yes, I have tried different timeframes (the Last 15 minutes option too) but no luck. Actually, my agenda is to find the response time and counts for the same time frame. If we are seeing the counts, then by default it should show the response time too. But when I click on the magnifying glass icon (open in search) in view mode, it is giving results for other APIs too.
@ITWhisperer As mentioned, I filter before stats. But in the events it's showing the values correctly, yet it is not showing any table values. Query:
index="mulesoft" applicationName="s-concur-api" environment=PRD (*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *) OR (*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: *)
| search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*")
| spath content.payload{}
| mvexpand content.payload{}
| stats values(content.SourceFileName) as SourceFileName values(content.JobName) as JobName values(content.loggerPayload.archiveFileName) as ArchivedFileName values(content.payload{}) as response values(content.Region) as Region values(content.ConcurRunId) as ConcurRunId values(content.HeaderCount) as HeaderCount values(content.SourceFileDTLCount) as SourceFileDTLCount values(content.APRecordsCountStaged) as APRecordsCountStaged values(content.GLRecordsCountStaged) as GLRecordsCountStaged values(content.TotalAPGLRecordsCountStaged) as TotalAPGLRecordsCountStaged values(content.ErrorMsg) as errorMessage values(content.errorMsg) as error values("content.payload{}.AP Import flow processing results{}.requestID") as RequestID values("content.payload{}.GL Import flow processing results{}.impConReqId") as ImpConReqId values(message) as message min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId
Not sure about that, but we are having major issues after the upgrade to 9.2.1 with both of our Deployment Servers (running on Windows Server 2019). One server is only supposed to show us Servers and the other is only supposed to show us our Workstations, but now they are commingled on both. This poses a major problem, as apps meant for servers may end up being installed on the Workstations and vice versa. We opened a Technical Support case on this a week ago and will let you know how it goes; so far their workarounds are not fixing anything for us.
Try changing the timeframe for the search to a shorter time frame - does the graph work then?
The Message Trace input requires an additional step that isn't needed for the other inputs. Did you add the Azure AD app registration to one of the following IAM roles?
Exchange Administrator
Global Administrator
Global Reader role (recommended)
https://docs.splunk.com/Documentation/AddOns/released/MSO365/Configureinputmessagetrace
Warning: "This usually indicates problems with underlying storage performance." But this warning is showing for other graphs too.
Hi All, I have one log that is ABC and it is present in the sl-sfdc api, and I have another log EFG that is present in the sl-gcdm api. Now I want to see the properties and error code fields which are present in the EFG log, but it has many other logs coming from different APIs also. I only want the log which has the same correlationId as in ABC; then it should check the other log. And then I will use this regular expression to get the fields, like spath. Currently I am using this query:
index=whcrm ( sourcetype=xl-sfdcapi ("Create / Update Consents for gcid" OR "Failure while Create / Update Consents for gcid" OR "Create / Update Consents done") ) OR ( sourcetype=sl-gcdm-api ("Error in sync-consent-dataFlow:") )
| rename properties.correlationId as correlationId
| rex field=_raw "correlationId: (?<correlationId>[^\s]+)"
| eval is_success=if(match(_raw, "Create / Update Consents done"), 1, 0)
| eval is_failed=if(match(_raw, "Failure while Create / Update Consents for gcid"), 1, 0)
| eval is_error=if(match(_raw, "Error in sync-consent-dataFlow:"), 1, 0)
| stats sum(is_success) as Success_Count, sum(is_failed) as Failed_Count
| eval Total_Consents = Success_Count + Failed_Count
| table Total_Consents, Success_Count, Failed_Count
The first one is the ABC log and the second is the EFG. I also want to use this regular expression in between to get the details:
| rex field=message "(?<json_ext>\{[\w\W]*\})" | spath input=json_ext
Or there can be any other way to write the query and get the counts. Please help. Thanks in advance.
To get Microsoft Defender XDR data into Splunk, use the Splunk Add-on for Microsoft Security => https://splunkbase.splunk.com/app/6207 All the Microsoft Defender XDR incidents, alerts, entities, evidence, etc. are collected by this add-on.
Try something like this:
| rex field=TeamWorkTimings "(?<TeamStart>[^-]+)-(?<TeamEnd>.*)"
You have an orange triangle warning symbol in the top right of your chart. What does this message say?