All Posts


Hi @Felipe.Windmoller, You can submit feature requests on the Idea Exchange or reach out to your AppDynamics CSM. 
Hi Team, I extracted each webpage's details, which are dynamic based on the time range, for one of our applications. Is it possible to auto scale up/down the visualization panel (like single value) in the Splunk dashboard based on the output of the Splunk query? For example, suppose the dev team added/removed a webpage or functionality; the visualization panel should be created/deleted automatically. Thank you in advance.
Still good after all these years
Yes, the list function is resource-intensive.  It makes a list of every value for the specified field so that takes time and memory.
So, @ITWhisperer and @richgalloway. I combined both offered solutions into the following which did end up working:
    (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
    | rename jsonevent.external_ip as exip
    | rename aip as agentip
    | eval external_ip = coalesce(agentip, exip)
    | eventstats list(jsonevent.hostname) as Hostnames, list(jsonevent.Username) as Users by external_ip
    | eval hostuser = mvzip(Hostnames, Users)
    | mvexpand hostuser
    | eval HostUser = split(hostuser, ",")
    | eval Hostnames=mvindex(HostUser, 0), Users=mvindex(HostUser, 1)
    | rename AppVendor as Vendors, AppName as Applications, AppVersion as Version
    | where isnotnull(Vendors)
    | search Hostnames=*, Users=*
    | table external_ip, Hostnames, Users, Vendors, Applications, Version
This gave me the result I wanted, but I also ended up with a caution that the list command reached a limit of 100 and had to truncate some events, and the search as a whole slows to a crawl. Is the list command that resource intensive?
I am showing index info (the following info) from mongodb log to splunk.
    namespace : tmp.agg_out.a35455454-f452-343434-b3eb-32630f67312b
    msg : Index build: done building
What does it mean (namespace and msg)?
Our Ubuntu VMs are not reporting disk I/O and other metrics, and the "Partition Metric Name" shows up as "Unknown". Further investigation suggests that the disk stats section of "linux-stats.sh" has a regex that requires the device to end in a number, whereas the / mount uses "/dev/root". Is anyone aware of an updated script that works with the newer OS, or has anyone been able to modify the script to correlate correctly?
@pm2012 Try this. We can do it in multiple ways.
@Ryan.Paredez  I would like to make the suggestion of versioning the appdynamics Python module to allow us to pass the Proxy and Watch dog log levels as environment variables. Thanks
Hi, I have the following Link List input to provide a shortcut to other dashboards, when any of them are selected it would open a new tab to the specified dashboard. The issue is that when a link is selected it's being added as a parameter to the url, so the next time the page is refreshed it would trigger an input "change" and will immediately open a new tab to the link. What would be the best way to trigger only when it was selected? I've tried adding <set> and <unset> the input token after the <link> tag so it should be removed from the url once the new tab was opened, but it had no effect.
    <input id="linkToOtherDash" type="link" token="link_dash">
      <label>View other Dashboard:</label>
      <choice value="dash1">Dashboard 1 ↗</choice>
      <choice value="dash2">Dashboard 2 ↗</choice>
      <choice value="dash3">Dashboard 3 ↗</choice>
      <change>
        <condition value="dash1">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
        <condition value="dash2">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
        <condition value="dash3">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
      </change>
    </input>
@sahityasweety Check the Job Inspector. In the Inspector popup window, there is another link to the search.log that gives you some very detailed information. Another way to see more info about your errors is to open a plain search window and do a search like:
    index=_internal error
Review your search query to ensure it is correctly formulated. Check for any typos, missing keywords, or syntax errors. Verify that the time range specified in your search covers the relevant data. Ensure that you are searching within the appropriate indexes. Check the Splunk logs (such as splunkd.log and search.log) for any errors or warnings related to your search.
https://lantern.splunk.com/Splunk_Platform/Product_Tips/Searching_and_Reporting/Troubleshooting_and_investigating_searches
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/ViewsearchjobpropertieswiththeJobInspector
If this reply helps you, Karma would be appreciated.
OracleRequestId is empty because your eval doesn't take into account that ImpConReqId is not present in some of your events - either use fillnull on this field or modify the eval to take care when this field is null
Did you run the search again and get the same message?  If so, what did you find in search.log?
I am getting this error: may have returned partial results try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administration. Can I please get a solution for this? Thanks, sahitya
Ah, backups.  Splunk has this documented, so I'll just point you to their docs on "Backup and restore Splunk DB Connect version 3.10.0 or higher" Hope that helps! -Rich
Excellent point.  My answer should use list rather than values.
I used this search and it did work, however, something that I probably should have mentioned earlier is that multiple hosts and users are linked to the same external ip, so I am now getting multivalue fields for the Hostnames and Users. Anything that can be done for that? Or should I combine the two fields beforehand, then split them after the eventstats command?
Thank you for the response! I had a try like this (maybe not exactly the same) before posting, and it didn't work. However, this time I pasted yours and after a slight change, it works! Now it's like: if(SDLC=="pm","ctpm",SDLC) So it seems I cannot use $ and quotes. After removing them, it's good!
Hi Guys, I want to show two field values in a single column in a table. The query and sample logs are given below.
    index="mulesoft" applicationName="api"
    | spath content.payload{}
    | mvexpand content.payload{}
    | transaction correlationId
    | rename "content.payload{}.AP Import flow processing results{}.requestID" as RequestID "content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId content.payload{} as response
    | eval OracleRequestId="RequestID: ".RequestID." ImpConReqId: ".ImpConReqId
    | table response OracleRequestId
Actual Result:
    response        OracleRequestId
    GL Import flow related results : Extract has no GL records to Import into Oracle
    { "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] }
    { "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] }
    { "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] }
    RequestID: 101572722 ImpConReqId: 101572713
Expected Result:
    response        OracleRequestId
    GL Import flow related results : Extract has no GL records to Import into Oracle
    { "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] }
    requestID:101660728
    { "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] }
    { "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] }
    RequestID: 101572722 ImpConReqId: 101572713
Hi @dondef, I know it is a couple of years later, but for someone that might need this: I enabled the Splunk integration manually and that worked successfully. I would try to enable it manually via the curl call. https://www.bitdefender.com/business/support/en/77211-171475-splunk.html