All Posts

I have the below query to calculate average response times. For some reason, sometimes the value is coming as '0'. I wanted to remove those values from my calculation.
| mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics by Dimension.id
| eval Response=round((Response/1000000),2), Count=round(Count,0)
| search Dimension.id IN ("*Process.aspx")
-- Sample Values
metric_name:calc:service.thaa_stress_requests_lr_tags: 4115725
metric_name:calc:service.thaa_stress_requests_lr_tags: 0
metric_name:calc:service.thaa_stress_requests_lr_tags: 3692799
You can simply remove the backslashes like this: | rex field=_raw mode=sed "s/\\\//g" However, I suspect this is not what you want, but what you want is unclear since all your data is "context". Are you expecting Field1 to be "context,context,context", or something else?
Hi, my event has unstructured data, i.e. a few strings, then an XML part, then a few more strings and another XML followed by a few more strings. How do I extract only the XML parts from the event when there is no pattern to the string, i.e. neither the number of lines before and after the XML nor the string content has a pattern?
This technique doesn't appear to work in 9.2.0. Is there a new technique to mirror dashboards from one app to another? I did have to navigate deeper and into the .../ui/views folder but just assumed that is due to this post being five years old. TIA! $SPLUNK_HOME/etc/apps/<source app>/local/data/ui/views/<source dashboard>.xml
Hi @ChrisG, the link mentioned by you is not working now and we are still unable to find any Splunk universal forwarder for AIX 6.1 in the previous version list. Kindly check once again.
Trying to figure out how to extract a field using regex to capture the entire string. Only problem is there are a bunch of slashes throughout. Sometimes one, sometimes 3, etc. I've tried variations of commands I found in the documentation but no luck. Is this possible? Example string of the field I want to extract with all the context appended to one another minus the slashes: \"\\\"Field1\\\":\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\"context\\\\\\\context\\\\\\\\Field2 Want it to be extracted like this: Field1="context","context" etc., so slashes are eliminated. Appreciate any help.
I tried it, but it didn't work. Splunk does not create the events with the information between the delimiters: ## MONIT_DOC_START .... ..... ## MONIT_DOC_END Any ideas? I have also tried this (unsuccessful): BR
Hello, looking into the solution, I am facing an issue when I do a base search. When I use the regex in SPL code and it gets converted to XML, my code is not working. If I change my XML code I get an unvalidated tag. Is there a way to get it working in a base search? Example: In SPL code: | rex field="log.mess" ".*\"Category\":\"(?<Category>[^\"]+)" In XML: | rex field="log.mess" ".*\"Category\":\"(?&amp;lt;Category&amp;gt;[^\"]+)"
1. Please help me to add a hover effect to a text box in a glass table? 2. Please help me to add color coding based on value in a glass table?
Do I need to config rsyslog?
ok, but also nothing in SCP
Wait a second. You're looking for events on the HF? It doesn't (at least shouldn't) work that way. A forwarder, as the name says, is a component which forwards data from input(s) to output(s). If properly configured, HF should not index events locally.
Hi, here is the new MASA diagram where you could look where to put those and in which server: https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf?origin_team=T047WPASC&origin_channel=Psearch r. Ismo
Hi, here are some old answers about this: https://community.splunk.com/t5/Installation/Upgrading-and-migrating-to-a-new-host-how-to-migrate-large/m-p/601048#M11615 https://community.splunk.com/t5/Splunk-Enterprise/Migration-of-Splunk-to-different-server-same-platform-Linux-but/m-p/538069#M4823 https://community.splunk.com/t5/Installation/What-are-the-steps-for-Splunk-enterprise-migration-physical-to/m-p/648565/highlight/true when something goes wrong. r. Ismo
Maybe you should check this?
[udp://<remote server>:<port>]
* Similar to the [tcp://] stanza, except that this stanza causes the Splunk instance to listen on a UDP port.
* Only one stanza per port number is currently supported.
* Configures the instance to listen on a specific port.
* If you specify <remote server>, the specified port only accepts data from that host.
* If <remote server> is empty - [udp://<port>] - the port accepts data sent from any host.
* The use of <remote server> is not recommended. Use the 'acceptFrom' setting, which supersedes this setting.
* Generates events with source set to udp:portnumber, for example: udp:514
* If you do not specify a sourcetype, generates events with sourcetype set to udp:portnumber.
Even the example shows that : is not mandatory if you have only port definition, I would like to test it like [udp://:1514] to ensure that this is not an issue.
I see that index in Heavy Forwarder is empty
And at the same time it converts that field (result of case) to a multivalue field which contains both those values. As @yuanliu said, you must provide sample data which produces that "error", if you want us to be able to help you.
Hi Team, Thanks for being there! I hope you all are doing great! I was working on the requirement to install and monitor Kubernetes using AppDynamics. I have gone through the video from Cisco U https://www.youtube.com/watch?v=RTzMJxzSa9I But I have a question. Do we not need a cluster agent, as I don't seem to have used or taken the name of a cluster agent in the process? Could you help me with this?
Please share the searches which are failing