All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Multiple events i sent for three correlationId 43b856a1,19554d60,9a1219f2
Tried changing to different base search and it did not work.  My dashboard has other graphs too so changing to classic is big task, but will sure give a try, Thank you!
Hi @sajo.sam, I found this TKB article. Please check it out and see if it helps. https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-debug-common-Linux-Private-Synthetic-Agent-issues/ta-p... See more...
Hi @sajo.sam, I found this TKB article. Please check it out and see if it helps. https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-debug-common-Linux-Private-Synthetic-Agent-issues/ta-p/51547
Hi @Jerg.Weick, I've shared this with the PM, and it's being investigated whether it's a bug. I will report back here when I have any new information. ^ Posted was edited by @Ryan.Paredez to corr... See more...
Hi @Jerg.Weick, I've shared this with the PM, and it's being investigated whether it's a bug. I will report back here when I have any new information. ^ Posted was edited by @Ryan.Paredez to correct my initial reply. 
Is this a single event or multiple events?
Hi @Umesh.Pawar, Did you get the help you needed from someone at AppDynamics? I noticed an email chain was started. 
regex101.com is a good site to test and understand regular expressions I have set this one up to show your extraction https://regex101.com/r/mBRfJF/1  
{ "correlationId" : "43b856a1", "message" : "Post - Expense Extract processing to Oracle", "tracePoint" : "FLOW", "priority" : "INFO" } { "correlationId" : "43b856a1", "message" : "After ... See more...
{ "correlationId" : "43b856a1", "message" : "Post - Expense Extract processing to Oracle", "tracePoint" : "FLOW", "priority" : "INFO" } { "correlationId" : "43b856a1", "message" : "After calling flow SubFlow", "tracePoint" : "FLOW", "priority" : "INFO" } { "correlationId" : "43b856a1", "message" : "PRD(SUCCESS): Concur AP/GL Extract- Expense Report. Concur Batch ID: 450 Company Code: 725 Operating Unit: AB_OU", "tracePoint" : "FLOW", "priority" : "INFO" } { "correlationId" : "19554d60", "message" : "PRD(SUCCESS): Concur AP/GL Extract - Expense Report. Concur Batch ID: 398 Company Code: 755 Operating Unit: BZ_OU", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "19554d60", "message" : "Concur AP/GL File/s Process Status", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "19554d60", "message" : "PRD(SUCCESS): Concur AP/GL Extract - Expense Report. Concur Batch ID: 398 Company Code: 725 Operating Unit: AB_OU", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "19554d60", "message" : "Before calling flow post-PInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "Before calling flow post-APInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "PRD(SUCCESS): Concur AP/GL Extract - AP Expense Report. Concur Batch ID: 95", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "Post - Expense Extract processing to Oracle", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "Concur Process Status", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "ISG AP Response", "tracePoint" : "FLOW", "priority" : "INFO", } { "correlationId" : "9a1219f2", "message" : "After calling flow post-APInvoice-SubFlow", "tracePoint" : "FLOW", "priority" : "INFO", }
thanks, it worked   One more request, since I am new to splunk, could you please help me understand how this regular expression works, I mean what does this means in a regex expression: | rex fie... See more...
thanks, it worked   One more request, since I am new to splunk, could you please help me understand how this regular expression works, I mean what does this means in a regex expression: | rex field=TeamWorkTimings "(?<TeamStart>[^-]+)-(?<TeamEnd>.*)"
It looks like a script in the splunk_ta_o365 app is attempting to use a nonexistent "admin" user. Does your dev instance have an "admin" user?
Please can you share some sample events that we can test with - please share them in a code block
Same result its not showing any values in the table
The issue has been resolved. Turned out I fat-fingered the entry in Azure Event Hub Input configuration for the 'Event Hub Name' once that was corrected all errors have been resolved and data is inge... See more...
The issue has been resolved. Turned out I fat-fingered the entry in Azure Event Hub Input configuration for the 'Event Hub Name' once that was corrected all errors have been resolved and data is ingesting as expected.
Another option you could try is converting the dashboard to Classic
Does it work if you create two base searches rather than 1 base search and two chained searches?
2 things to check. 1 - I've seen instances where firewall devices inject private cert on outbound traffic causing error messages like this.  Adding an exception for the Splunk forwarder resolved the... See more...
2 things to check. 1 - I've seen instances where firewall devices inject private cert on outbound traffic causing error messages like this.  Adding an exception for the Splunk forwarder resolved the issue. 2 - if you are using self-signed or internal certs, you may need to add the cert to the add-on's trust list. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/lib/certifi Edit cacert.pem file Append the contents of your root certificate to this file Restart Splunk
Try filtering like this index="mulesoft" applicationName="s-concur-api" environment=PRD "*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *" OR "*(SUCC... See more...
Try filtering like this index="mulesoft" applicationName="s-concur-api" environment=PRD "*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *" OR "*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: *"
Yes, I have tried diff timeframes (Last 15minutes option too) but no luck. Actually, my agenda is to find the response time and counts for the same time frame.  If we are seeing the counts then by de... See more...
Yes, I have tried diff timeframes (Last 15minutes option too) but no luck. Actually, my agenda is to find the response time and counts for the same time frame.  If we are seeing the counts then by default it should show the response time too. But when I click on magnifying glass icon(open in search) in view mode it is giving results for other API's too.
@ITWhisperer  As mentioned i filter before stats.But in the events its showing the values correctly but not showing any table values Query: index="mulesoft" applicationName="s-concur-api" environme... See more...
@ITWhisperer  As mentioned i filter before stats.But in the events its showing the values correctly but not showing any table values Query: index="mulesoft" applicationName="s-concur-api" environment=PRD (*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *) OR (*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: *) | search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*") | spath content.payload{} | mvexpand content.payload{} | stats values(content.SourceFileName) as SourceFileName values(content.JobName) as JobName values(content.loggerPayload.archiveFileName) as ArchivedFileName values(content.payload{}) as response values(content.Region) as Region values(content.ConcurRunId) as ConcurRunId values(content.HeaderCount) as HeaderCount values(content.SourceFileDTLCount) as SourceFileDTLCount values(content.APRecordsCountStaged) as APRecordsCountStaged values(content.GLRecordsCountStaged) as GLRecordsCountStaged values(content.TotalAPGLRecordsCountStaged) as TotalAPGLRecordsCountStaged values( content.ErrorMsg) as errorMessage values(content.errorMsg) as error values("content.payload{}.AP Import flow processing results{}.requestID") as RequestID values("content.payload{}.GL Import flow processing results{}.impConReqId") as ImpConReqId values(message) as message min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId  
not sure about that, but we are having major issues after the upgrade to 9.2.1 with both of our Deployment Servers (running on Windows Server 2019)  one server is only supposed to show us Servers ... See more...
not sure about that, but we are having major issues after the upgrade to 9.2.1 with both of our Deployment Servers (running on Windows Server 2019)  one server is only supposed to show us Servers and the other is only supposed to show us our Workstations but now they are comingled on both, this poses a major problem as apps meant for servers may end up being installed on the Workstations and vice versa  we opened a Technical Support case on this a week ago and will let you know how it goes, so far their work arounds are not fixing anything for us