All Posts

You should change this like

    index=index2 dev_ip IN ([search index=index1 service IN (22, 53, 80, 8080) | table src_ip | rename src_ip as search]) |table dev_ip, OS_Type

You should remember that if any of those targets stops working, this leads quite soon to the other targets stopping as well, as soon as the queues of the stalled target are full.
We are having this exact issue - were you able to find a solution?
Hi @Shashwat .Pandey, I found this AppD Docs page. Search the page for "Volume" to jump to the right sections. https://docs.appdynamics.com/appd/22.x/latest/en/infrastructure-visibility/server-visibility/machine-agent-settings-for-server-visibility
Hi @Amit.Bisht, I found an older post that has the same error you did. It may not be fully relevant, but I wanted to share it just in case it helps direct you in the right direction.  https://community.appdynamics.com/t5/Java-Java-Agent-Installation-JVM/Machine-Agent-Bundle-64-bit-not-reporting-machine-info/m-p/27332
Those are the two main reasons.  Are you sure the assumptions are valid?  Have you checked splunkd.log on the UF?  What makes you think it's a monitor problem?  Could it be a search problem?
Have you already validated those on a single server instead of in a distributed environment?
Below response from Antony Bowesman on Slack Channel worked like a charm for Simple XML Dashboard!

The challenge you have is to set the colour depending on the values from two different columns, which is not possible without a hack or JS. The hack is something like this:

    <panel>
      <html depends="$hidden$">
        <style>
          #coloured_cell2 table tbody td div.multivalue-subcell[data-mv-index="1"]{
            display: none;
          }
        </style>
      </html>
      <table id="coloured_cell2">
        <title>Colouring a table cell based on its relative comparison to another cell</title>
        <search>
          <query>| makeresults
    | fields - _time
    | eval r=mvrange(1,6,1)
    | mvexpand r
    | eval cust="Cust".r
    | fields - r
    | eval sla=random() % 100
    | eval type=case((match(cust,"Cust1|Cust3|Cust4") AND sla&gt;=90) OR (match(cust,"Cust2|Cust5") AND sla&gt;=95), 0, (match(cust,"Cust1|Cust3|Cust4") AND sla&gt;=85 AND sla&lt;90) OR (match(cust,"Cust2|Cust5") AND sla&gt;=90 AND sla&lt;95), 1, (match(cust,"Cust1|Cust3|Cust4") AND sla&lt;85) OR (match(cust,"Cust2|Cust5") AND sla&lt;90), 2)
    | eval sla=mvappend(sla, type)
    | table cust sla type</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="sla">
          <colorPalette type="expression">case(mvindex(value, 1) == "0", "#00FF00", mvindex(value, 1) == "1", "#FFFF00", true(), "#FF0000")</colorPalette>
        </format>
        <drilldown>
          <set token="explode_search_id">coloured_cell2</set>
        </drilldown>
      </table>
    </panel>

What this shows is that you have to make the column you want to colour a multivalue field, where you set the second value of that field to the other condition you want to check with the expression.

The second value of the field is 'hidden' through the use of CSS (note id=coloured_cell). You will need to set the colour type in the search, as there are problems handling complex multivalue statements in the colorPalette expressions, so here it is 0 for green, 1 for amber and 2 for red.

------------------------------------------------------

Below response from Lizzy Li on Slack Channel worked like a charm for DS Dashboard!

I would recommend doing that logic in the search and adding another column which specifies the color. Then you make it so that sla is colored based on the value in the color field. Here I am coloring the product field based on whether there is inventory available. Source code looks something like this:

    {
      "type": "splunk.table",
      "dataSources": {
        "primary": "ds_khzrqtty"
      },
      "title": "Table hiding internal fields - colored by inventory",
      "options": {
        "columnFormat": {
          "_inventory": {
            "data": "> table | seriesByName(\"_inventory\") | formatByType(_inventoryColumnFormatEditorConfig)",
            "rowColors": "> table | seriesByName(\"_inventory\") | rangeValue(_inventoryRowColorsEditorConfig)"
          },
          "product": {
            "data": "> table | seriesByName(\"product\") | formatByType(productColumnFormatEditorConfig)",
            "rowColors": "> table | seriesByName(\"_inventory\") | rangeValue(_inventoryRowColorsEditorConfig)"
          }
        },
        "showInternalFields": false
      },
      "context": {
        "_inventoryColumnFormatEditorConfig": {
          "number": { "thousandSeparated": false, "unitPosition": "after" }
        },
        "_inventoryRowColorsEditorConfig": [
          { "value": "#D41F1F", "to": 1 },
          { "value": "#118832", "from": 1 }
        ],
        "productColumnFormatEditorConfig": {
          "string": { "unitPosition": "after" }
        }
      },
      "description": "Has inventory = green",
      "showProgressBar": false,
      "showLastUpdated": false,
      "hideWhenNoData": false
    }

As you can see, I also made _inventory an internal field so that I could hide it from the display but still use it to color other fields.

Thank you.
Are you sure that the DS initiates the connection? If you disable port 8089 on the UF, the UF is still able to phone home to the DS and receive the app. How can the DS initiate the connection if the UF does not even have a listening port? It seems communication is initiated from UF to DS.
What are some reasons why a UF wouldn't monitor a Windows file, assuming there is nothing wrong with any configs and the virtual account has full access to the file I'm trying to monitor?
Hi @isoutamo , both of them! Ciao. Giuseppe
I have two SPL

#1

    index=index1 service IN (22, 53, 80, 8080) | table src_ip

#2

    index=index2 dev_ip IN ( value from #1 src_ip) |table dev_ip, OS_Type

I try to create a single SPL with sub search, i.e.

    index=index2 dev_ip IN ([search index=index1 service IN (22, 53, 80, 8080) | table src_ip]) |table dev_ip, OS_Type

I get an error message:

    Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '(src_ip = "130.197.32.155")' is not a literal.

Thank you.
Smells like a bug to me.  Consider reporting it to Splunk Support and/or https://ideas.splunk.com
+1, and please tell us what they answer.
Another old post on migrating an individual Splunk Linux box to a new one: https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true
You said that you have CLONE_SOURCETYPE in use. Have you applied these transforms to the original or the cloned ST?
Ahhh ok, so the reason it wasn't working is because the ASRT and ATOT_ALDT were part of the same event, the example was effectively the events tabled. So now I have split the two timestamps into two separate events, your code works (couple of typos in the streamstats line, but sorted those). This is what I did. Thanks for all your help!

    | eval asrt_epoch = strptime(ASRT,"%Y-%m-%d %H:%M:%S"), runway_epoch = strptime(ATOT_ALDT,"%Y-%m-%d %H:%M:%S"), event="ASRT_".asrt_epoch.","."ATOT_ALDT_".runway_epoch, event=if(isnull(event),"ATOT_ALDT_".runway_epoch,event)
    | makemv event delim=","
    | mvexpand event
    | rex field=event "^(?P<event>(ATOT_ALDT|ASRT))_(?P<_time>.+)$"
    | sort _time
    | streamstats count(eval(if(event="ATOT_ALDT",1,null()))) as times_busy
    | stats values(event) as states values(times_busy) as busy values(ATOT_ALDT) as ATOT_ALDT by displayed_flyt_no
    | sort ATOT_ALDT
    | where states="ASRT" AND states="ATOT_ALDT"
    | eval queue=(max(busy)-1)-(min(busy))
Once you find the big lookup files, use admin commands/UI to delete them.  Or use the Lookup File Editor to modify them.  You also can upload an app containing a distsearch.conf file to put a file on the deny list.
Check out the fillnull and filldown commands.
Thanks for the search, is there an spl to trim or archive it?