@Jordan1 Hey Jordan, can you please check that your inputs.conf configuration files are properly configured to collect and forward these metrics? If possible, can you paste your inputs.conf here? Make sure that the data from the Universal Forwarders is being routed to the correct index for performance metrics. Refer to the documents below.
https://community.splunk.com/t5/All-Apps-and-Add-ons/What-is-the-best-way-to-migrate-Windows-performance-monitoring/td-p/424349?_ga=2.129088268.1417683299.1710177855-984040655.1703927739&_gl=1*1j7oven*_ga*OTg0MDQwNjU1LjE3MDM5Mjc3Mzk.*_ga_GS7YF8S63Y*MTcxMDE3Nzg1NS4yOS4xLjE3MTAxNzk0NjQuNjAuMC4w*_ga_5EPM2P39FV*MTcxMDE3Nzg1NC4zMC4xLjE3MTAxNzk2NDUuMC4wLjA.
https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration?_gl=1*41uap*_ga*OTg0MDQwNjU1LjE3MDM5Mjc3Mzk.*_ga_GS7YF8S63Y*MTcxMDE3Nzg1NS4yOS4xLjE3MTAxNzk0NjQuNjAuMC4w*_ga_5EPM2P39FV*MTcxMDE3Nzg1NC4zMC4xLjE3MTAxNzk2MjcuMC4wLjA.&_ga=2.129088268.1417683299.1710177855-984040655.1703927739#Collect_perfmon_data_and_wmi:uptime_data_in_metric_index
We want all the hosts in index=aws that are NOT in index=windows. Example:
| tstats count where index=aws by host | table host | search NOT [| tstats count where index=windows by host | table host]
Hi all, we have a Splunk Intermediate Forwarder (Heavy Forwarder) set up to receive logs from Universal Forwarders that sit in different networks. The forwarding is working fine for logs, as we can see the internal logs and Windows Events in our index cluster. The issue is with the Windows Performance Metrics, which aren't in our performance metrics indexes. I can see from the internal logs that the Universal Forwarders are collecting the metrics, as these are being forwarded successfully. Any suggestions would be helpful.
@Stives Have you gone through this ServiceNow add-on troubleshooting document? https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
Hi @sireesha.vadlamuru,
Thank you for asking your question on the Community. I'm not sure what you mean by the 'upgraded license file' - can you provide more info?
Try something like the search below:
index=<indexname> ("ess service") | transaction host startswith="The ess service entered the stopped state." endswith="The ess service entered the running state." maxspan=30m | search NOT <field>="The ess service entered the running state." | table host
Hello all, I would need the logs from my security index to be sent to my S3 bucket (SmartStore) after 1 month, but they should still be accessible for another 5 months.
How long are you prepared to wait for the service to come up again?
- Within 10 min; if the service is not coming up by then, we need an alert, i.e. an event "The ess service entered into running state" will be logged.
Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up?
- Any server out of 25: if the service is not running, then we need an alert.
Are events generated when the service is up, and how regularly do these events occur?
- As soon as the service is started an event will be generated, "The ess Service entered into running state".
Can there be periods when no events are generated but the service is still to be considered up?
- No, an event will definitely be generated once the service is brought up.
Who told you to create a new token? What problem are you trying to solve? I think I need a bigger picture so I understand what is happening and how to get it to work.
"its not working" doesn't tell me what's wrong so it's hard to offer a fix. It's possible, however, the regex needs improvement. Please try my updated answer.
OK, got it, so basically: the UF gathers lines and sends them to the heavy forwarder/indexer; the indexer drops all lines except those not matched by the regex. I'll give it a whirl! Thanks @PickleRick and @tscroggins
So how can I use the <change> condition in my case? Any example queries would be greatly appreciated, @richgalloway. They told me to create a new token and pass it to the filter and row.