I need to identify hosts with errors, but only in block mode. My SPL: index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block] | dedup host | table event_type, host, ip. Each search works separately, but combined it sits on "parsing job" with no result for a long time. Thank you 
What does the $AccountType$ token expand to?
| stats count by query
After configuring the content pack for VMware, I repeatedly get "duplicate entity aliases found". We are also collecting for TA-Nix. How can I fix the duplicate entity alias issue? I am running ITE 4.18.1 and the Splunk app for content packs 2.10.
Are these multivalue fields within the same event? By "empty" do you mean they contain the word "empty" or that they have no value (empty string) or that they don't exist? Please share some sample (anonymised) events to illustrate what you mean.
Hey! I still get the same error. But thank you for trying! Let me know if something else clicks. Thank you.
The IN operator only works in the search command.  In where you must use the in function. | loadjob savedsearch="name:search:cust_info" | where in(AccountType,$AccountType$)  
Hi @mbozbura, I’m a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 
So I am creating a dashboard and I keep getting this error: Error in 'where' command: The expression is malformed. Expected ). This is what I have: | loadjob savedsearch="name:search:cust_info" | where AccountType IN ($AccountType$) I created a multiselect filter on AccountType and I want the SPL to query on those selected. What could I be missing, or is there another way to achieve this query to filter on AccountType?
I have the same issue; I have a valid STIX2. Did you find a solution for this?
Thank you so much! That worked! 
The eval is trying to divide a string literal ("SumBalances") by a field, which won't work. Replace the double quotes with single quotes or remove the double quotes.
I am getting this error: Error in 'EvalCommand': Type checking failed. '/' only takes numbers. Here are the lines of SPL: | stats count as "Count of Balances", sum(BALANCECHANGE) as "SumBalances" by balance_bin | eventstats sum("SumBalances") as total_balance | eval percentage_in_bin = round(("SumBalances" / total_balance) *100, 2) What could be causing this? Is there a way to solve this without the / symbol? 
In my mv field named errortype, the counts show "file not found" as 4 and "empty" as 2. I want to exclude the empty values from the mv field.
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance Monitoring In today's digital landscape, the adoption of Splunk Real User Monitoring (RUM) and Splunk Application Performance Monitoring (APM) is pivotal for organizations aiming to enhance their web presence and user experience. RUM is diligently employed to monitor the genuine interactions of users with web and mobile applications, providing a granular view of user experience in real-time. Concurrently, APM is harnessed to investigate application performance, offering critical insights into transaction speeds and system health. Both are integral components of an observability suite that caters to the multifaceted nature of modern digital ecosystems, which encompass on-premise, hybrid, and multi-cloud environments. The integration of RUM and APM is showcased as a strategic move within a growth engineering team, underscoring its significant role in improving marketing operations and public-facing websites. By using observability tools, we can take a preemptive and informed approach to delivering digital services. This shifts incident management from reactive to showcasing digital resilience and excellence.   Understanding Splunk RUM and APM in Observability Practices     Driving Customer Experience With Splunk Observability: A Growth Engineering Team's Story Learn  how the growth engineering team at Splunk adopted Splunk Observability to improve incident detection, resolution, and customer experience. Real User Monitoring (RUM) and Application Performance Monitoring (APM) are essential components of Splunk's observability suite. Their adoption by Splunk's growth engineering team signifies a strategic move towards enhancing the company's marketing operations and public-facing websites. 
RUM is integral for monitoring the actual experiences of users interacting with web and mobile applications, while APM focuses on the performance of applications, offering insights into transaction speeds, error rates, and system health. Splunk's observability products offer a unified solution for monitoring digital ecosystems that span across on-premise, hybrid, and multi-cloud environments, addressing the complexities that come with integrating multiple technologies and services. By adopting Splunk observability, organizations can achieve digital resilience, enabling them to recover swiftly from disruptions, adopt new operating models quickly, and ensure reliable and outstanding digital experiences for their customers. The growth engineering team within Splunk's marketing organization is a prime example of how internal teams are leveraging these tools to improve efficiency, detect incidents faster, and align business priorities. The team's journey to utilizing RUM and APM has led to impressive results, such as faster page load times, increased engineering efficiency, and significant improvements in core web vitals. These improvements are a testament to the power of a comprehensive observability strategy, which can transform reactive incident management into a foresighted approach to digital service delivery. The Growth Engineering Team's Path to Digital Resilience     Leveraging Splunk Observability for Complex Technology Stacks Explore how Splunk transitions its AEM stack to the cloud and leverages Splunk Observability to manage complex technology ecosystems and deliver exceptional customer experiences. The Growth Engineering Team at Splunk has embarked on a digital resilience journey, with the mission to maintain public-facing websites and internal portals. Their objective is to provide a world-class customer experience by leveraging the power of Splunk products. 
To achieve this goal, the adoption of observability tools became imperative to address inefficiencies and the apparent lack of service health visibility. With the introduction of Real User Monitoring (RUM) and Application Performance Monitoring (APM), the team is now equipped to detect incidents, isolate and prioritize events, and accelerate root cause analysis effectively. This strategic move has enabled the team to transform from a reactive to a forward-thinking approach, enhancing their ability to recover quickly from disruptions and adopt new operating models seamlessly. The adoption of Splunk's observability tools has proven to be a critical step in the team's journey towards digital resilience. Observability has provided the team with end-to-end visibility, allowing them to monitor the health of their services and correlate events across different teams and microservices. This unified perspective is essential for resolving issues rapidly and efficiently. As a result of these efforts, the team has reported significant improvements in key performance indicators, including faster page load times, increased engineering efficiency, and improved core web vitals. The team's utilization of RUM has been particularly impactful, allowing them to track automated user sessions across websites and applications. For instance, when trial sign-ups on the website were failing, RUM enabled the engineering team to quickly identify and resolve the issue, minimizing the potential impact on users. Similarly, APM has been instrumental in ensuring the performance of business-critical workflows. During a product release, APM allowed the team to address an outage alert swiftly, maintaining a 99.9% uptime and boosting engineering productivity by 50%. Overall, the integration of RUM and APM has set the stage for a more resilient digital presence, empowering the Growth Engineering Team to deliver superior customer experiences and drive business success. 
This journey towards digital resilience serves as a testament to the power of observability tools in optimizing user experience and operational efficiency.   Maximizing Digital Resilience: The Power of APM and RUM in Action     Comprehensive Application Performance Monitoring and User Experience Analysis With Splunk APM and RUM Discover how Splunk APM provides distributed tracing and detailed error capture, while RUM offers real-time user experience monitoring and error tracking. Application Performance Monitoring (APM) and Real User Monitoring (RUM) are crucial for ensuring service health and optimizing user experiences. Internally, Splunk leverages its own suite of products, including APM and RUM, to monitor and enhance its service offerings. The utilization of these tools within the growth engineering team is shared, demonstrating the tangible advantages of APM and RUM. APM and RUM collectively provide comprehensive visibility into how services perform and how users interact with applications. By integrating both front-end and back-end monitoring, teams can rapidly identify and resolve issues, often before they significantly impact users. These tools offer capabilities ranging from detailed waterfall charts of user interactions to real-time correlation of traces, which are instrumental in accelerating troubleshooting efforts. Splunk's internal stories serve as a testament to the effectiveness of APM and RUM. One case study highlights the ability of RUM to detect and address a failure in website sign-up forms, allowing for a swift resolution that was three times faster, thereby preserving the company's brand reputation. Another example showcases how APM enabled the back-end engineering team to maintain a 99.9% uptime and improve engineering productivity by 50% despite increased traffic. The integration of APM with RUM is particularly beneficial, as it connects front-end user experiences with back-end service performance, providing a holistic view of the system. 
This end-to-end visibility is crucial for monitoring complex ecosystems, such as Splunk.com, with its multitude of endpoints. By using APM and RUM in unison, teams can now monitor and optimize Splunk's digital ecosystem more efficiently. The success of APM and RUM integration at Splunk is quantifiable, with impressive key performance indicators (KPIs) such as a 50% faster page load times, a 25% increase in engineering efficiency, and a 60% improvement in core web vitals. These statistics underline the transformative impact of Splunk's observability tools in creating resilient digital experiences and fostering a forward-thinking approach to service health management.   Understanding APM and RUM Capabilities for Optimized User Experience     Maximizing User Satisfaction and Business Goals With APM and RUM Correlation Discover how the correlation of Application Performance Monitoring (APM) and Real User Monitoring (RUM) provides end-to-end visibility, effective root cause analysis, and improved performance optimization. Enhancing Digital Experiences with APM and RUM The implementation of Splunk Application Performance Monitoring (APM) and Splunk Real User Monitoring (RUM) within growth engineering teams has led to significant advancements in page load times and engineering efficiency. Through the implementation of these tools, businesses have observed a significant enhancement in core web vitals and the ability to proactively identify issues. This shift towards a more foresighted approach has been facilitated by the adoption of observability, resulting in a transformation of operational strategies. The integration of APM and RUM has empowered teams to gain comprehensive insights into both front-end and back-end systems, enabling a unified approach to issue resolution. 
This has led to a more efficient and effective method for addressing incidents, with teams now able to quickly zoom in on the performance of critical workflows and preemptively address potential issues before they escalate. The success stories shared emphasize how APM and RUM have revolutionized the monitoring and optimization of digital services, ensuring high availability and optimal performance. These tools not only provide real-time visibility into user experiences but also facilitate faster troubleshooting and resolution, ultimately enhancing the digital experience for both users and the organization. Conclusion  In conclusion, the implementation of Application Performance Monitoring (APM) and Real User Monitoring (RUM) is demonstrated to be essential for achieving digital resilience. Enhanced user experiences and operational efficiency are achieved through the adoption of these monitoring tools. Organizations are empowered to proactively identify and resolve issues, thereby maintaining high service uptime and improving core web vitals. The integration of APM and RUM enables a seamless correlation between user interactions and application performance, offering a comprehensive observability solution. This approach results in significant improvements in page load times and engineering productivity. By leveraging the capabilities of APM and RUM, a transformation in incident management is facilitated, transitioning from a reactive to a preemptive stance in digital service delivery. Speakers Sudhaker Adusumilly, Senior Director, Head of Growth Engineering, Splunk Sandeep Kampa, Sr DevOps Engineer, Growth Engineering, Splunk   Looking for More? Watch the full Demo here   In this demo, Sandeep Kampa, Sr DevOps Engineer at Splunk discusses the powerful capabilities of Splunk APM and RUM, demonstrating how they can revolutionize application performance and user experience. 
He showcases key features such as service maps, error tracking, and the correlation between APM and RUM for comprehensive front-end and back-end analysis. The walkthrough includes a practical example of troubleshooting a real-world issue with the integrated tools, highlighting their ability to reduce resolution time and improve operational efficiency.
Thank you! Same issue here on Splunk 9.2.1. Splunk was NOT starting at boot-start (with init.d) but manually was starting correctly. After commenting out the mentioned line, it is now properly booting with the VM (Oracle Linux). I am going to open a case with support to inform them about it.
Solved by myself, underscores give no problem.
I'll try to explain it with a basic example. As an output of a stats command I have:

detection    query
search1      google.com yahoo.com
search2      google.com bing.com

I want to get which queries are not being detected by both search1 and search2. Or else, getting rid of the queries that are in both searches; either way works. Like ok, search1 is detecting yahoo.com whereas search2 isn't, and vice versa with bing.com. I thought about grouping by query instead of by search; the problem is I have dozens or even hundreds of queries. Any thoughts? Cheers
Hi Splunkers, I have a doubt about underscores and paths in props.conf. Suppose, in my props.conf, I have: [source::/aaa/bbb/ccc_ddd] As you can see, I have an underscore in the path name. Could this be a problem? I mean: can I put the underscore in without problem, or do I have to use a backslash to escape it?
I've had more consistent results by putting the trigger condition in the search and having the alert trigger if the number of results is not zero.

| tstats count where index=cts-dcpsa-app sourcetype=app:dcpsa host_ip IN (xx.xx.xxx.xxx, xx.xx.xxx.xxx) by host
| eval current_time=_time
| eval excluded_start_time=strptime("2024-04-14 21:00:00", "%Y-%m-%d %H:%M:%S")
| eval excluded_end_time=strptime("2024-04-15 04:00:00", "%Y-%m-%d %H:%M:%S")
| eval is_maintenance_window=if(current_time >= excluded_start_time AND current_time < excluded_end_time, 1, 0)
| eval is_server_down=if(count == 0, 1, 0)
| where is_maintenance_window = 0 AND is_server_down=1