All Posts


Hi, The requirement is that the user makes a dynamic selection (time range from the time picker, environment from the env dropdown and a few more) and clicks the submit button. As soon as he clicks submit, a CSV file should be generated as per the user's input selection, and later on the user should be able to reference that CSV in the dashboard panel to create different visualisations. Is that possible in Splunk?
| foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())] | eventstats dc(H) as d1 by f1 | eventstats dc(H) as d2 by f2 | eventstats dc(H) as d3 by f3 | eventstats dc(H) as d4 by f4 | stats values(d*) as d*
Hi @Muhammad Husnain.Ashfaq, It's been a few days and it seems the Community has not jumped in with a reply. Did you happen to make a discovery or find a solution you could share? If you have not, you can try contacting AppDynamics Support: How do I submit a Support ticket? An FAQ 
| regex permission="Permission12345"
OK so use eval with an if such that if the two fields are equal mvappend a value that the formatting picks up to change the colour to what you want. (See the example in the link I provided)
Hi @Marcie.Sirbaugh, Thanks for sharing that additional info and I'm glad upgrading helped solve the issue for you. 
Probably not - Splunk is a generalised tool for analysing logs, not a Windows-specific tool
Hi @Dean.Marchetti, If the reply from Terence helped answer your question, would you please take a quick moment to click the “Accept as Solution” button on the reply? This confirmation that the question was answered alerts the community and helps build that bank of expertise for everyone in the community.  If the reply did not answer your question, jump back into the conversation to keep it going. 
Hi @Osama.Abbas, I shared your feedback with the Docs team! If I find any other information around your question, I'll share it here. 
New discovery: if I refresh the page while the search is running, you can see the search working, but it's still grey until the search finishes.
Hello Team, We are in the process of setting up DB monitoring using AppDynamics DB. We are getting the attached error while accessing the tabs (Activity, query, session etc). 1) How and where do we enable the Event Service (controller or DB Collector)? 2) Will there be any performance impact on the existing setup if we enable the Event Service? Thanks
Thank you, is there a remediation for that issue? I mean, OK, I monitored and an alert was fired, now what?
Hello all, I noticed that the timestamp in the activity log is in UTC, and also, while using the timer app and adding "$now()" in the event name, the timestamp is also UTC. It is not the time zone I defined in the user settings nor in the administration/company settings. Is there a way to change the time zone from UTC to a different time?
After some more poking around it seems like the searches are NOT failing at all. They are running and completing, but it just instantly times out when loading the search. If I go to Activity > Jobs and click any search I ran, it gives me the results and everything works as expected. It's just the initial search that is causing this error. If I click a job that is not finished and still running, it gives the same error but shows some results with the greyed out bottom portion (see screenshot above). It also says the job has failed in the activity while it's running, but once it finishes it changes to done.
Hello, can I get a regex that matches this: permission=Permission12345? I have tried to bring up one but it's not working. Thanks in advance
I'm trying to deploy a cluster agent in my Kubernetes cluster to monitor the infrastructure using the kubectl CLI. I've followed the steps and executed these commands:
    kubectl create -f cluster-agent-operator.yaml
    kubectl -n appdynamics create secret generic cluster-agent-secret --from-literal=controller-key=<access-key>
    kubectl create -f cluster-agent.yaml
However, the cluster agent pod is stuck in the "CrashLoopBackOff" state. The logs indicate an issue with the account access key:
    [ERROR]: 2024-04-03 18:29:45 - main.go:183 - Account accessKey is not specified
    [ERROR]: 2024-04-03 18:29:45 - main.go:184 - Please provide account accessKey before starting cluster-agent. Exiting...
I've verified that the cluster-agent-secret contains the controller-key with the correct access key value. What could be causing this issue despite providing the access key in the secret? Are there any additional configuration steps I might be missing? Reference : https://docs.appdynamics.com/appd/22.x/latest/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/install-the-cluster-agent/install-the-cluster-agent-with-the-kubernetes-cli
@abhi_2985 you can refer to the documents below.
    Splunk Web Interface SSL Certificates – Microsoft AD CA (yaleman.org)
    How do I configure an SSL cert for Splunk Web on a... - Splunk Community
@ITWhisperer I want to compare whether two field values match. If they do not match, I want to colour both the fields.
    index="mulesoft" applicationName="s-concur-api" environment=PRD priority timestamp (tracePoint="EXCEPTION") OR ("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName :*") OR ("Before Calling flow archive-Concur*") OR (message="*(SUCCESS): Concur AP/GL Extract V*") OR (message="Records Count Validation*") OR (message="API: START: /v1/expense/extract/ondemand*" OR message="API: START: /v1/fin*") OR (message="Post - Expense Extract processing to Oracle*") OR (message="Concur AP/GL File/s Process Status") OR (message="*(ERROR):*")
    | search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*")
    | spath content.payload{}
    | mvexpand content.payload{}
    | transaction correlationId
    | rename content.SourceFileName as SourceFileName content.JobName as JobName content.loggerPayload.archiveFileName AS ArchivedFileName content.payload{} as response content.Region as Region content.ConcurRunId as ConcurRunId content.HeaderCount as HeaderCount content.SourceFileDTLCount as SourceFileDTLCount content.APRecordsCountStaged as APRecordsCountStaged content.GLRecordsCountStaged as GLRecordsCountStaged content.TotalAPGLRecordsCountStaged as TotalAPGLRecordsCountStaged content.ErrorMsg as errorMessage content.errorMsg as error content.errorMsg as error "content.payload{}.AP Import flow processing results{}.requestID" as RequestID "content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId
    | rex field=message max_match=0 "Expense Extract Process started for (?<FileName>[^\n]+)"
    | rex field=message max_match=0 "API: START: /v1/expense/extract/ondemand/(?<OtherRegion>[^\/]+)\/(?<OnDemandFileName>\S+)"
    | eval OtherRegion=upper(OtherRegion)
    | eval OnDemandFileName=rtrim(OnDemandFileName,"Job")
    | eval "FileName/JobName"= coalesce(OnDemandFileName,JobName)
    | eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"%API: START: /v1/expense/extract/ondemand%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled")
    | eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('tracePoint',"%EXCEPTION%"),"ERROR")
    | eval Region= coalesce(Region,OtherRegion)
    | eval OracleRequestId=mvappend("RequestId:",RequestID,"ImpConReqid:",ImpConReqId)
    | eval CheckMatch = if(isnull(SourceFileDTLCount) OR isnull(TotalAPGLRecordsCountStaged), "not matched", "matched")
    | eventstats min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId
    | eval StartTime=round(strptime(Logon_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
    | eval EndTime=round(strptime(Logoff_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
    | eval ElapsedTimeInSecs=EndTime-StartTime
    | eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
    | eval sign=if(SourceFileDTLCount == TotalAPGLRecordsCountStaged,"GREEN", "YELLOW")
    | rename Logon_Time as Timestamp
    | table Status JobType "FileName/JobName" Timestamp Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged TotalAPGLRecordsCountStaged ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" OracleRequestId correlationId
    | join correlationId type=left
        [ search index="mulesoft" applicationName="s-concur-api" (message="*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *")
        | eval Message=case(like('message',"%(SUCCESS): Concur AP/GL Extract V.3.02 - %. Concur Batch ID: % Company Code: % Operating Unit: %"),message)
        | table Message correlationId ]
    | eval Response= coalesce(error,errorMessage,Message)
    | table Status JobType "FileName/JobName" Timestamp CheckMatch Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged TotalAPGLRecordsCountStaged ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" sign OracleRequestId Response correlationId
    | fields - ElapsedTimeInSecs priority
    | where JobType!=" "
    | search Status="*"
It looks like there are no newlines between events so the LINE_BREAKER is not matching. Try these settings:
    [iis]
    LINE_BREAKER = ([\r\n]*)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
    SHOULD_LINEMERGE = false
    TIME_PREFIX = ^
    TIME_FORMAT = %Y-%m-%d %H:%M:%S
    MAX_TIMESTAMP_LOOKAHEAD = 19
Try loginType=Splunk