All Posts


So, I am running a job and I can see all my jobs and all the users' jobs. However, the other users/power users cannot see my jobs that are running. What could cause that?
Some users cannot see my dashboard panels that include my loadjobs because they don't have the permissions, when I have both read and write enabled for everyone. Why could that be so?
So you have previous alerts which send email successfully, but when you make new alerts, they do not send email?
Assuming you are only cim-normalizing Change->Account Management, you could filter the logs to object_type=user
Make an eventtype with search string:
    <yoursearch> | search object_type=user ```Or put the above search filter in the first line of your search```
And set the tags to "change,account"
Then you can make the action field cim-compliant by making a calculated field:
    Name: action
    Eval expression: case(action="create","created",action="delete","deleted",1=1,action)
I am getting a message that our Splunk certificate is expired when I scan our systems. However, I cannot find the certificate anywhere in Windows Certificates. I also searched C:\Program Files\Splunk\etc\auth\mycerts and it is empty. I also checked the config in \Splunk\etc\system\local and the webconfig doesn't have anything about a cert in there. How can I find this cert and where is it coming from? It's on our web port.
Alert when end-users have logged onto the VPN entry point more than 5 times in a day.
A fail-to-ban feature of IP address if their login fails more than 3 times in 1 hr.
A weekly report of the end-users' IP addresses attempting to log into the VPN entry point.
I am trying to set some token values when a dashboard loads or when the page is refreshed.
The documentation gives the following example:
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "latest": "$global_time.latest$",
                        "earliest": "$global_time.earliest$"
                    }
                }
            }
        },
        "tokens": {
            "default": {
                "tokenName": {
                    "value": "1986"
                }
            }
        }
    },
This is my code:
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "latest": "$global_time.latest$",
                        "earliest": "$global_time.earliest$"
                    }
                }
            }
        },
        "tokens": {
            "default": {
                "Slot1_TailNum": {
                    "value": "false"
                }
            }
        }
    },
Which is not working. I am using the "Interactions" Set tokens to set the value of the "Slot1_TailNum" token to something other than false to hide/show a table, which works fine. However, when reloading the dashboard or refreshing the page the table is still displayed; it does not seem to be setting the value to false when loading.
Any help would be greatly appreciated. I can run a Zoom if required, if you want/need to see.
Thanks
David
We want to add a host drop down in a dashboard. Please find the host details below.
    dev1  appdev1host logdev1host cordev1host
    dev2  appdev2host logdev2host cordev2host
    dev3  appdev3host logdev3host cordev4host
    dev4  appdev4host logdev4host cordev4host
    sit1  appsit1host logsit1host corsit1host
    sit2  appsit2host logsit2host corsit2host
    sit3  appsit3host logsit3host corsit3host
    sit4  appsit4host logsit4host corsit4host
The drop down in the dashboard should have only 8 drop downs. For example: if I choose dev1 it should capture all the hosts mentioned for dev1 (appdev1host, logdev1host, cordev1host).
    dev1
    dev2
    dev3
    dev4
    sit1
    sit2
    sit3
    sit4
I have some JSON output that is in key value structure (protobuf3 formatted--this is OTLP data going into Splunk Enterprise events) and it has multiple values in each field. There are multiple key value attributes stored under an attributes parent, and then its fields are under a metric parent. I want to take the host.name attribute and map it to every metrics value I see. Here is a working example of the raw JSON:
    {
      "resourceMetrics": [
        {
          "resource": {
            "attributes": [
              { "key": "host.name", "value": { "stringValue": "myname1" } },
              { "key": "telemetry.sdk.name", "value": { "stringValue": "my_sdk" } }
            ]
          },
          "scopeMetrics": [
            {
              "metrics": [
                {
                  "name": "hw.host.energy",
                  "gauge": {
                    "dataPoints": [
                      { "timeUnixNano": "1712951030986039000", "asDouble": 359 }
                    ]
                  }
                },
                {
                  "name": "hw.host.power",
                  "gauge": {
                    "dataPoints": [
                      { "timeUnixNano": "1712951030986039000", "asDouble": 26 }
                    ]
                  }
                }
              ]
            }
          ]
        },
        {
          "resource": {
            "attributes": [
              { "key": "host.name", "value": { "stringValue": "myname2" } },
              { "key": "telemetry.sdk.name", "value": { "stringValue": "my_sdk" } }
            ]
          },
          "scopeMetrics": [
            {
              "metrics": [
                {
                  "name": "hw.host.energy",
                  "gauge": {
                    "dataPoints": [
                      { "timeUnixNano": "1712951030987780000", "asDouble": 211 }
                    ]
                  }
                }
              ]
            }
          ]
        }
      ]
    }
There may be multiple attributes, in various order, but I am only interested in grabbing the host.name value from there, and then associating host.name to all metrics under the metrics parent within the resource parent. The metrics parent may contain multiple metrics in the array. And then new resources (with new host.name and new metrics) would show up as the next resource entry in the resources array.
So what I want is something like this in a row-based format of host.name.value > metric:
    host.name            metric
    host.name,myname1    hw.host.energy,359
    host.name,myname1    hw.host.power,26
    host.name,myname2    hw.host.energy,211
The problem I am having is I don't want the other attributes from the attribute parent, which in the example is the telemetry.sdk.name key and value. But since they are there, I can't figure out how to zip and expand properly, as the telemetry.sdk.name value gets associated to legit metrics, looking something like below, which would mean if I drop row 2 I lose the power metric = 26 for myname1. Parsing some spaths, the structure looks something like this:
    attr_zip                     metric_zip
    host.name,myname1            hw.host.energy,359
    telemetry.sdk.name,my_sdk    hw.host.power,26
    host.name,myname2            hw.host.energy,211
    telemetry.sdk.name,my_sdk
I looked at mvfilter but can't seem to find a way to handle a variable amount of attributes that may show up in the left column attr_zip, as it seems I need to know how many values I fill down in the field, and I am not sure how to get a count of the values from the right column metric_zip to know how many values down in attr_zip to fill. In JSON, all the metrics values share the same resource so I should logically be able to reference the parent resource.attribute.host.name.value, and concatenate that to every metric value.
Here's my current SPL, where I can get the columns concatenated properly, but would need to drop the rows in attr_zip that don't match the key of host.name:
    | spath output=host_name path=resourceMetrics{}.resource.attributes{}
    | mvexpand host_name
    | spath output=attribute path=resourceMetrics{}.resource.attributes{}.key
    | spath output=attribute_value path=resourceMetrics{}.resource.attributes{}.value.stringValue
    | spath output=time resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.timeUnixNano
    | spath output=metric_name resourceMetrics{}.scopeMetrics{}.metrics{}.name
    | spath output=metric_value resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.asDouble
    | eval attr_zip=mvzip(attribute, attribute_value)
    | eval metric_zip=mvzip(metric_name, metric_value)
    | table attribute,attribute_value, attr_zip, metric_zip
Anyone able to offer some guidance?
It's a race condition between two threads trying to create a snapshot. The error is harmless as all it's indicating is that the snapshot already exists (as the other thread already created it).
Fixed by 9.1.4/9.2.1
I have signed up and validated my account but I cannot get access to the free trial. When I click on the free trial button, it says they are gonna send me an email but I am not receiving anything, I have checked my spam box.
Thanks @ITWhisperer. I also found an issue: if I run this query for yesterday I am getting the result as 44Million count, but when I run the search for last 7 days I am getting only 23Million results. Any suggestion to fix?
    index=hello sourcetype=welcome | stats max(DATETIME) as LatestTime | map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$" | stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Hi, I was trying the below token logic to get the results count from two different panels and find the variance between results. However, it gives an error message as in the snapshot.
Note: For Panel A and Panel B I have enabled the set token (basically tick-marked "Use search results or job status as tokens").
Also, please suggest how to draw a line not just horizontally but also vertically or custom?
SPL:
    | makeresults | eval variance=$A:result.count$ - $B:result.count$ | table variance
Error:
Thanks, Selvam.
Hi All, I have data like below with three fields: srcip, dstip and title. When I execute the below query
    .........| stats count by srcip,dstip,title
Result:
    srcip     dstip     title
    srcip1    dstip1    title
    srcip1    dstip2    title
    srcip2    dstip2    title1
    srcip2    dstip3    title1
    srcip1    dstip2    title2
So we are required to alert separately on the basis of title values. For all events of one title, there should be one alert. So in the above example, 3 separate alerts should be triggered.
Thank you in advance!
Is there anybody who can help me here?
The overall difficulty of this whole exercise will depend on your logstash configuration and the use case - if you have just one sourcetype to ingest - maybe you can do it relatively reasonably. But if you want to send multiple sourcetypes over a single connection, that can be tricky to separate on the receiving side. You could send multiple sourcetypes using multiple tokens so they are received into separate indexes/with separate sourcetypes but it's getting complicated and - as I said before - needs proper configuration on the logstash side. Anyway - it's still up to logstash to filter events before sending.
Executive Summary

AppDynamics is joining with Cisco to provide user identity (sign-in credentials) capabilities for all SAAS AppDynamics-based products and services.

Users whose passwords are verified by the AppDynamics Identity Platform (not user accounts that sign in using their company’s SSO credentials) will be moved to the Cisco Customer Identity platform (id.cisco.com) for verification. This will be a minimal-impact change and should not affect a user’s access to Cisco AppDynamics and Observability Platform products.

Overview

Cisco’s Customer Identity platform and AppDynamics’ Customer Identity both serve customer identity needs. However, AppDynamics Customer Identity is limited to AppDynamics-based products only.
To consolidate user accounts and provide a seamless experience with other Cisco products, AppDynamics user identities will be moved to the Cisco Customer Identity platform.

Starting in May 2024, users added to AppDynamics SaaS products via the Accounts Management Portal and Controller will have their identities stored and verified using Cisco Customer Identity. This only affects “local” users: user accounts that are not using their company’s SSO credentials through a federation with AppDynamics.

These new local users will still receive a welcome email with getting started instructions as usual. They will still set up their password and provide user profile data. However, that information will be stored and verified by Cisco’s Customer Identity platform instead of the AppDynamics Customer Identity platform. When these users enter their email on the AppDynamics login page and click Next, they will enter their password on the id.cisco.com login page instead of the login.appdynamics.com login page.

At the same time, we will move existing user identities in the AppDynamics Identity platform over to the Cisco Identity platform. Cisco will then store and verify the user identity information going forward. These existing users will receive an email when their account has moved instructing them to set a new password to continue.

If you sign in using your company’s SSO credentials through a federation, there will be no change to your access to AppDynamics products.
Impact

The following user accounts will be directed to id.cisco.com for their password entry:
- AppDynamics SAAS users who currently sign in using the AppDynamics Identity platform using their email address as a username
- Cisco Observability Platform and Cisco Cloud Observability (COP and CCO) users who currently sign in using the AppDynamics Identity platform using their email address as a username
- Accounts Management Portal users who currently sign in using the AppDynamics Identity platform using their email address as a username

The following user accounts will NOT be impacted by this change:
- AppDynamics On-premises users
- AppDynamics SAAS users who currently sign in using a legacy “local” user (a user that does not use email address as their username)
- AppDynamics SAAS users who sign in to their AppDynamics SaaS tenant using their company credentials (SSO) through federation
- Cisco Observability Platform and Cisco Cloud Observability (COP and CCO) users who currently sign in using their company credentials through federation
- Accounts Management Portal users who currently sign in using their company credentials through federation.

Understanding the identity change

What do you mean by identity?

Identity is how your user account is verified for use at a service, like when you sign in to AppDynamics. Typically, this is in the form of a set of credentials like username and password. AppDynamics and Cisco use email addresses as usernames. With this change, users whose email and password have been verified by AppDynamics at login.appdynamics.com or login.fso.cisco.com will now be verified by id.cisco.com instead.

How is it changing?

User identities stored within the AppDynamics Identity platform will be moved to the Cisco Identity platform. Existing users will need to set up a new password within the Cisco Identity system – we will send an email with instructions when this is ready to be completed.
When a user accesses AppDynamics or Cisco Observability Platform, they will be prompted to sign in using their email. After clicking Next, they will be directed to Cisco for password verification, then be taken into the requested product.

What will be the impact on my user account?

There are two impacts to your user account:
- You will need to set up a new password for your email address.
- Your login process will include a stop at id.cisco.com for password entry and verification.

That is really it. Access will remain unchanged. The most important change is where your password lives.

How can I tell if I am affected?

- Go to https://login.appdynamics.com and enter your email address as username, then click Next
- If you see a password field, your user account is impacted
- If you enter your email address, click Next and land in your company sign-in screen, you are not impacted.

You can also check with your company admin to see if your user account is “Authenticated by AppDynamics.” If it is, you will be impacted.

What will I need to do?

Not too much – all you need to do is set up a new password with Cisco Customer Identity. Keep an eye out for an email in May 2024 indicating that your account now utilizes Cisco Identity and follow the instructions to set up a password.

If you already have a Cisco Identity that you use with other Cisco products, then you will just start using that identity (the same password!) when signing in to AppDynamics products.

How is this better?

AppDynamics services, such as Community, University (Now Cisco U.), and Support have either already moved to Cisco equivalents or will be moving this year. All these services require a Cisco account. This move will ensure that you can access AppDynamics SAAS products, Cisco Observability Platform products, and all these services with the same email and password.
You will have single sign-on to all these capabilities, as well as any other Cisco products you use that are part of the Cisco Identity platform.

Do I have a choice?

No, for ongoing security and convenience, these identities will be moving as Cisco is the new home for all such identities.

Navigating the transition

Could I be blocked from access to AppDynamics?

Yes, it is possible if your account is affiliated with embargoed countries. Cisco enforces global trade compliance, so some user accounts may be blocked to comply with regulations. If your user account utilizes email belonging to an embargoed country, your account will be blocked, and product access will be lost.

If you are not part of an embargoed country and in the unlikely event that your account is put on hold, you will receive an email from Cisco with instructions to request a release.

Why do I need to reset my password?

Your password will not be moved to the Cisco Identity platform from the AppDynamics identity platform. Passwords are secure when they are stored at both Cisco and AppDynamics, protecting them such that they can’t be preserved in a usable way between systems. The first time you try to sign in after being notified that your account is now authenticated by Cisco, you will need to simply use the Forgot Password? flow to set a new one.

How do I set a new password for my account?

There are two ways:
- Use https://id.cisco.com directly.
- Start with signing in to AppDynamics.

1. Using id.cisco.com directly:
- Using your browser, navigate to https://id.cisco.com
- Enter your email address and click Next
- At the bottom of the password page, you will see the Forgot password? link (see figure 1 below)
- Follow the instructions and complete the process
- Upon completion, you will be logged in to Cisco and be presented with your Cisco profile page.

2. Start with signing in to AppDynamics:
- Using your browser, navigate to an AppDynamics product, like your Cisco Observability Platform tenant or your AppDynamics CSaaS tenant, or even https://accounts.appdynamics.com
- Enter your email address and click Next
- You will be redirected to the id.cisco.com password page
- At the bottom of the password page, you will see the “Forgot password?” link (see figure 1, below)
- Follow the instructions and complete the process
- Upon completion, you will be logged in to both Cisco and AppDynamics and be presented with the original AppDynamics product you were trying to sign in to.

Figure 1, Cisco password page

What if I use a password manager?

Do you already have a Cisco user account to sign in at id.cisco.com? If yes, then your password manager will work if you have stored your Cisco password, and you will not need to set up a new password.

However, if you do not have a Cisco account, and since password managers typically work based on the sign in domain, it will not be able to recall a password for id.cisco.com. You will want to use your password manager features when you set your new password for id.cisco.com.

Will I still have SSO between various AppDynamics Product and Services?

Yes, you can still move between AppDynamics SaaS tenants, Cisco Observability Platform tenants, and Accounts Management Portal using SSO. In fact, you will also gain SSO into Cisco products and services as well.

Why do I see the AppDynamics password page and not the Cisco password page?

If you still see the AppDynamics password page (see figure 2 below) when you enter your email address at login.appdynamics.com and click Next, it is because we have not yet moved your account to Cisco. You can continue to login using your existing AppDynamics password until you receive a notification that we have transitioned your account to Cisco.

Figure 2, AppDynamics password page

I do not see a “Forgot password?” link, only a “Reset Password” link. Why?
If you see the “Reset Password” link after entering your email and clicking next (see Figure 2, above), you are still on the AppDynamics sign-in screen. This is because we have not yet moved your account to Cisco. You can continue to sign in using your existing AppDynamics password until you receive a notification that we have transitioned your account to Cisco.

What if I am a user of AppDynamics support?

It happens that AppDynamics Support is moving to Cisco Support at or around the same time as the user migration. Once the support process changes, your only means of logging into support will be through Cisco identity. This identity change will facilitate your use of Cisco based support tools later. One change will be that your user profile will be required to include a physical address. On signing in to the support system, you will be prompted to establish an address in your personal profile. A separate email will be sent to Support users with more information about this change.

What if I sign in using my company’s SSO credentials today?

You will continue to use your company’s SSO credentials to access AppDynamics products. However, services like University (Cisco U.), and Support will require a Cisco identity. As part of our migration, we will create accounts for you in Cisco and they will be waiting for you to use. Simply go to https://id.cisco.com, enter your email and use the “Forgot password?” link to set a password. If your company admin has federated with Cisco directly, then your company credentials will work there as well.

What if I am only an AppDynamics On-Premises product user?

Your product access to AppDynamics On-Premises will remain unchanged, signing in with whatever credentials you use today. However, to have used AppDynamics University, AppDynamics Community, or AppDynamics Support in the past, you would have had an account that was part of our AppDynamics Identity provider.
This user account is being moved to Cisco and will be impacted by this change.

Are you having trouble logging in?

We want to remind you that AppDynamics is transitioning user identities to Cisco’s identity (sign-in credentials). The migration began on May 15th and is expected to be completed by June 14th. To ensure you’re up to date with this change, please check your inbox (and spam folder) for an email from no-reply@portal.appdynamics.com. This email will confirm whether your identity has been migrated. If you find this email, simply reset your password on your next login. Detailed instructions are available in our AppD CCO Migration Community Article. If you haven’t received the email yet, don’t worry – your identity migration is coming soon.

Experiencing Login Issues?

If you're having trouble logging into AppDynamics during this migration period, it’s likely because your identity has been migrated, and you need to reset your password. Follow these steps:

Reset Your Password
- If you received the migration email, reset your password using the link provided.
- If you didn’t receive the email, your migration is still in progress. Check back later.

Still Having Issues?

If resetting your password doesn’t resolve the issue, here’s where you can get help:
- You can submit an inquiry to the CCO ID team by going to web-help.cisco.com.
- You can also find a “Contact Support” link at the bottom of the login screen, which directs you to the same email.

For AppDynamics Product Issues

Open a case at appdynamics.com/support or reach out via email at: appd-support@cisco.com

We appreciate your patience during this transition and are here to help with any issues you might encounter.
Try doubling up the $'s as single $ are for tokens in dashboards.
    index=hello sourcetype=welcome | stats max(DATETIME) as LatestTime | map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$" | stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Assuming you already have the fields extracted:
    <your index search> | stats count by Name Version host | eventstats count by Name Version | eventstats max(count) as top | where count=top
Hi, if I run this query in the simple search bar it works fine. However, when I create a panel and add the below, I'm getting an error as waiting for input. Please could you advise?
    index=hello sourcetype=welcome | stats max(DATETIME) as LatestTime | map search="search index=hello sourcetype=welcome DATETIME=$LatestTime$" | stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Thanks, selvam.