All Posts

As configured, the transform will match and discard all events that do not start with NO_CLIENT_SITE. An event starting with SOMEDATA (any string that isn't NO_CLIENT_SITE) would be discarded. Was that your intent?
Try filtering before the stats command
Couldn't you just have one drop down?

Environment   Log source
Server        /test/log/path/server1.log
TEST          /test/log/path/testserver1.log
QA            /test/log/path/qaserver1.log
PROD          /test/log/path/prodserver1.log
I recently updated the apps on a dev search head and got this new error showing up in my _internal logs. I don't have any inputs configured currently in the add-on. Has anyone else seen this?

root@raz-spldevsh:/opt/splunk/etc/apps# tail -n5000 /opt/splunk/var/log/splunk/splunkd.log |grep -E "ERROR"
04-05-2024 11:26:08.663 +0000 ERROR ExecProcessor [690962 ExecProcessor] - Invalid user admin, provided in passAuth argument, attempted to execute command /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_ta_o365/bin/conf_migration.py
04-05-2024 11:26:08.686 +0000 ERROR ExecProcessor [690962 ExecProcessor] - Invalid user admin, provided in passAuth argument, attempted to execute command /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_ta_o365/bin/conf_migration.py
04-05-2024 11:26:08.699 +0000 ERROR ExecProcessor [690962 ExecProcessor] - Invalid user admin, provided in passAuth argument, attempted to execute command /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_ta_o365/bin/conf_migration.py

Splunk 9.0.3
App version: 4.5.1
E.g., in the drop down I have Server and Cloud. If I select Server, the path would be source="/test/log/path/server1.log". If I select Cloud, the path varies for each region:

for TEST - source="/test/log/path/testserver1.log"
for QA - source="/test/log/path/qaserver1.log"
for PROD - source="/test/log/path/prodserver1.log"

So I kept the first drop down list to select Server or Cloud, and then an environment drop down list. The remaining panels load based on the Server/Cloud drop down list and the environment drop down list.
Thanks in Advance

Hi Guys, I need to extract limited values from fields.

Query:

index="mulesoft" applicationName="s-concur-api" environment=PRD priority timestamp
| search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*")
| spath content.payload{}
| mvexpand content.payload{}
| stats values(content.SourceFileName) as SourceFileName values(content.JobName) as JobName values(content.loggerPayload.archiveFileName) as ArchivedFileName values(message) as message min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId
| rex field=message max_match=0 "Expense Extract Process started for (?<FileName>[^\n]+)"
| rex field=message max_match=0 "API: START: /v1/expense/extract/ondemand/(?<OtherRegion>[^\/]+)\/(?<OnDemandFileName>\S+)"
| eval OtherRegion=upper(OtherRegion)
| eval OnDemandFileName=rtrim(OnDemandFileName,"Job")
| eval "FileName/JobName"= coalesce(OnDemandFileName,JobName)
| eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"%API: START: /v1/expense/extract/ondemand%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled")
| eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('tracePoint',"%EXCEPTION%"),"ERROR")
| eval Region= coalesce(Region,OtherRegion)
| eval OracleRequestId=mvappend("RequestId:",RequestID,"ImpConReqid:",ImpConReqId)
| eval Response= coalesce(message,error,errorMessage)
| eval StartTime=round(strptime(Logon_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(Logoff_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
| eval match=if(SourceFileDTLCount=TotalAPGLRecordsCountStaged,"Match","NotMatch")
| rename Logon_Time as Timestamp
| table Status JobType Response ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" correlationId
| fields - ElapsedTimeInSecs priority match
| where JobType!=" "
| search Status="*"
In the Response field I want to show only the following; I don't care about the rest:

PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 376 Company Code: 200 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 375 Company Code: 209 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 374 Company Code: 210 Operating Unit: US_AB_OU

Current output (columns Status, Response, ArchiveFileName, correlationId):

Status: Success
Response:
API: START: /v1/expense/extract
After calling flow archive-ConcurExpenseFile-SubFlow
Before calling flow archive-ConcurExpenseFile-SubFlow
Calling s-ebs-api for AP Import process
Concur AP/GL File/s Process Status
Concur Ondemand Started
Expense Extract Processing Starts
Extract has no GL Lines to Import into Oracle
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 376 Company Code: 200 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 375 Company Code: 209 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 374 Company Code: 210 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL File/s Process Status - APAC Records Count Validation Passed
ArchiveFileName: EMEA_concur_expenses_
correlationId: 49cde170-e057-11ee-8125-de5fb5
What do you currently have in your dropdown?
Hello all,

SynApp: 3.0.3
OS: RHEL8 FIPS
Splunk 9.0.x

I configured this app and changed the index IPs in the local inputs.conf but it isn't working. Obviously there are a lot of things that could be wrong, but I am really not seeing any app logging. Is there any way to configure that? Does this app have a FIPS incompatibility? The only thing I am finding are these logs in splunkd.log:

ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/assessment_data.py" obj, end = self.raw_decode(s, idx=_w(s, 0).end())
ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/vuln_data.py" json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Upgrade is not an option for now. Furthermore, everything goes OK with DB Connect; it will be upgraded with the whole system. I asked this question precisely because I could not find the checkpoint value persistence files for our enabled DB Input in the folder: /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect
This is perfect, thanks @spavin!
Can you please give some sample? My requirement is that I have two different paths:

index=test (source="/test/log/path/test1.log")
index=test (source="/test/log/path/test2.log")

Based on the dropdown list value, the corresponding path above should be used in the search string.
@kamlesh_vaghela, when I add the second column the solution is not working. How is find("a") related?
Hi @CheongKing168, by installing the old version you know that the issue is in the environment and not in the new version. Windows 2016 is a certified OS, so this shouldn't be the issue. Disabling McAfee: this isn't the issue either. I suppose that you already checked the available disk space and the grants of the user used for the installation. As I said, the only hint is to open a case with Splunk Support: they can analyze the installation logs to understand where the issue is. Ciao. Giuseppe
This is my current otel config:

---
service:
  telemetry:
    logs:
      level: "debug"
    metrics:
      level: detailed
      address: ":8888"
  pipelines:
    metrics:
      receivers:
        - prometheus
      exporters:
        - splunk_hec
receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: jira_dev
          scrape_interval: 60s
          static_configs:
            - targets: [<hidden>:8060]
exporters:
  debug:
    verbosity: detailed
    sampling_initial: 5
    sampling_thereafter: 200
  splunk_hec:
    token: "<hidden>"
    endpoint: "https://<hidden>:8088/services/collector"
    source: "toolchainotel"
    sourcetype: "toolchain:test:metric"
    index: "onboarding_metric"
    tls:
      insecure_skip_verify: true
You might be able to use the change stanza for the input to set up multiple tokens based on the value selected. For example, your value in the drop down could have 3 parts delimited by some character, e.g. a colon. The change stanza would then process the value and set 3 different tokens based on the 3 parts of the value.
Based on the drop down list value, how can I change the search string in each panel? E.g., for a panel to load, the search string will vary as below:

index=test (source="/test/log/path/test1.log" $param1$ c="$param2$" $dropdownlistvalue1$ $dropdownlistvalue1$)

As the log path is different, all my params vary. So how can I change the index based on the drop down list value?
@ITWhisperer @scelikok I created the two regexes below and I think they are working fine from the UI.

| rex field=_raw mode=sed "s/Password\>([A-Za-z0-9]+)/Placeholder/g"
| rex field=_raw mode=sed "s/UserId\>([A-Za-z0-9]+)/UserID/g"

One question: shall I apply the same regex in transforms.conf?
You are right, I missed filtering again for exceptions. Please try the search below; you should see only correlationId exceptions that have no SUCCESS.

index="mulesoft" applicationName="s-concur-api" environment=PRD
| eventstats values(tracePoint) as TracePoints values(message) as Messages by correlationId
| search TracePoints="EXCEPTION" Messages!="*(SUCCESS)*"
| fields - TracePoints - Messages
| search tracePoint="EXCEPTION"
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg
| eval ErrorType=if(isnull(Error),"Unknown",Error)
| dedup CorrelationId
| eval errorType=coalesce(Error,errorType)
| eval Errormsg=coalesce(ErrorMsg,errorMsg)
| table CorrelationId,Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message,Errormsg
| sort -Timestamp
@scelikok Yes, it's working, but it's showing all the timestamps and all the messages. I just want to show the error message, not all the transaction messages for the correlationId.
Could you please share your current otel config with us?