Hello, the UI of my search head is not loading. I am seeing only a white screen with no error message as such. splunkd is also running. Kindly suggest?
Hi Hardik, actually, this is not a syntax error. After "FROM" you specify the data source, and there is no data source named "DB5". You have to use "dbmon_wait_time"; this comes from the event service shards. Another thing (sorry, this is my fault): I accidentally removed "count" before " (`wait-state-id`) ", which is bolded below. By the way, this query is based on a controller that has only 1 DB collector; if you have more than 1 collector you need to specify the 'server-id' column with a "WHERE" clause. SELECT `wait-state-id`, count(`wait-state-id`) FROM dbmon_wait_time Thanks Cansel
I am a beginner in Splunk and I have created a new app in Splunk Enterprise. I am not able to see the appserver folder in the newly created app. How can I add that directory?
Hi Sikka, on a SaaS platform serving as a multitenant controller it is really hard to manage this kind of operation if you don't have any real technical issue. So you can kindly ask this of the support team or your account manager with a support ticket. Based on my older experience it is not impossible, but it can incur additional cost for you just because it is a professional service. Thanks Cansel
Hi,
1- All Analytics data, including Log Analytics, is stored in your SaaS Event service (based on your controller type you can also store it on-prem).
2- Storage management defaults for SaaS are based on your license type. If you have:
* PoC license: default 8 days analytics retention period
* Prod (paid) license: default retention for analytics is 30 days
* You can also increase this retention up to 90 days if you pay additionally per license.
These values are constant on SaaS; if you are using on-prem the default retention value is also the same, but you can reduce the retention days based on your storage size.
3- There is no way to increase your default retention other than by license type, and yes, you can only "reduce" your retention period, and "only" on an on-prem event service.
Thanks Cansel
It was perfect. I ended up doing it like this because of how the logs are stored in our environment. index=c account=1 env=lower source="logfiles" ("destination" OR "received") | eval logtype = if(like(_raw, "destination%"),"logb","loga")
| rex field=_raw filename in loga| rex field=_raw filename in logb| stats count min(_time) as Starttime max(_time) as Endtime values(logtype) as logtype by filename
| where count=2 AND logtype="loga" AND logtype="logb"
| eval diff = Endtime - Starttime
| stats avg(diff)
Have you seen the Admin's Little Helper app (https://splunkbase.splunk.com/app/6368)? It includes a btool command that lets you see your configurations on both SH and indexers using SPL. While many configurables can be loaded safely on either/both SH and indexer, others cannot. Inputs and outputs are good examples. Clustering settings are another.
I have created two queries: the first is for the correct outage window, and the second uses a random date to see if the alert is triggered when one of the servers goes down. Both have the same trigger condition set: | where is_maintenance_window=0 AND is_server_down=1
When you're testing, just keep in mind that this is the time from the log event: | eval current_time=_time While this is the current time now, when the alert is running: | eval current_time=now() So, depending upon your lookback period (earliest= latest=) you might be picking up log events outside (prior to or after) your outage window start time/end time. But if you don't want any alerts during the outage window, now() should be the correct time to be using for your triggering conditions.
If you use loadjob, it always loads an existing, previously run job. If you run | savedsearch ... then it will run a new search. If that new search returns the wrong results, then it would seem likely that the search has not changed.
OK, I'm unsure where the time will get extracted, but have you looked at this document? https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/EdgeProcessor/TimeExtractionPipeline
Hi @KendallW, the error is "Invalid username or password." However, I am able to connect using other applications to the same database with the username and password in the Identity, and that is what I am using in the JDBC URL to access it.
I did what you explained to me, but it still doesn't work; when I check the Zscaler logs, the url_domain field still does not appear. It is important to mention that I am implementing this from a custom app for Zscaler.
@sjringo - This is the result when servers are taking traffic. I am going to test it tonight when servers go down, to check that the alert gets triggered outside the window as well as not triggered during the window. In both cases at least one server is down.