What do you want from the alert? What problem are you trying to solve? Once we know the objective we can help you tune the alert. As it stands now, the alert is triggered for every PowerShell or command line process, anything launched by one of those processes, or any service. That's a lot of processes, not all of which are interesting.
You can add anything you like to any perfmon stanza, but that doesn't mean it will work. Only the documented (in Settings->Data input->Local performance monitoring) counters will work.
Hi, could anyone please help me fine-tune this search, as it is raising a lot of alerts:
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| rename Processes.* as *
| eval firstTime = strftime(firstTime, "%F %T")
| eval lastTime = strftime(lastTime, "%F %T")
Thanks
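One way to tune the search above, as an added example that is not from the original post: it keeps the same parent/child filter, drops anything matched by a hypothetical allowlist lookup named ps_service_allowlist (a CSV with parent_process_name, process and allow_reason columns, defined in transforms.conf with match_type = WILDCARD(process) so the process column can hold patterns), and then only keeps command lines that carry at least one well-known high-signal indicator, so the alert fires on fewer, more interesting rows.

```spl
| tstats count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("wmiprvse.exe", "services.exe", "svchost.exe", "wsmprovhost.exe", "mmc.exe")
      (Processes.process_name IN ("powershell.exe", "pwsh.exe")
       OR (Processes.process_name="cmd.exe" AND Processes.process IN ("*powershell.exe*", "*pwsh.exe*")))
    by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
       Processes.process Processes.process_id Processes.parent_process_id
| rename Processes.* as *
| lookup ps_service_allowlist parent_process_name, process OUTPUT allow_reason
| where isnull(allow_reason)
| eval cmd=lower(process), flags=""
| eval flags=if(match(cmd, "(^|\s)-(e|ec|en|enc|encodedcommand)\s+[a-z0-9+/=]{20,}"), flags." encoded", flags)
| eval flags=if(match(cmd, "(^|\s)-(w|win|window|windowstyle)\s+hidden"), flags." hidden_window", flags)
| eval flags=if(match(cmd, "(^|\s)-(ep|exec|executionpolicy)\s+bypass"), flags." ep_bypass", flags)
| eval flags=if(match(cmd, "(downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer)"), flags." download", flags)
| eval flags=trim(flags)
| where flags!=""
| eval firstTime=strftime(firstTime, "%F %T"), lastTime=strftime(lastTime, "%F %T")
| table firstTime lastTime dest user parent_process_name process_name process flags count
```

Rows that match the allowlist are removed before the indicator checks, so known maintenance scripts launched by svchost.exe or wmiprvse.exe never reach the alert; everything that is left carries a flags field that says why it fired, which makes triage and further tuning of the allowlist much faster.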
Hi @Keerthi, you have to dedup for the field that you display; in the first search you dedup for two fields, so it could be possible that you have duplicated values for the displayed field. Instead, in the second search I don't see any dedup command. Add a dedup row deduplicating for the field to display. Ciao. Giuseppe
Hi @Rao_KGY , there's a difference in the first row of the searches: in the first search you have: com.thehartford.pl.model.exception.CscServiceException: in the second one, you have: com.thehartford.pl.model.exception.CscService Exception: in other words, there's an additional space in the second search, maybe this is the reason. Ciao. Giuseppe
@gcusello even the timechart command is not working for me. JFYI I did try to create a new dashboard by adding these queries to a panel but I was getting the same error. I have created multiple dashboards before but never faced such an issue. Following is the source code of the errored dashboard.
<dashboard version="1.1" theme="light">
  <label>CSC Impacted Services Health</label>
  <row>
    <panel>
      <title>Build Profile Failures-CIAM Service Impact</title>
      <chart>
        <search>
          <query>index=app_pl Appid=APP-3515 Environment="PROD" "com.thehartford.pl.model.exception.CscServiceException: null
at com.thehartford.pl.rest.UserProfileController.builduserProfile"
| timechart count As Failure span=1h</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_self">search?q=index%3Dapp_p1%20Appid%3DAPP-3515%20Environment%3D%22PROD%22%20%22com.thehartford.pl.mo
.rest.UserProfileController.buildUserProfile%22%0A%7Crex%20%22CIAMSESSION%20%3A%20(%3F%3Cciamsession%3E%5B%5Cw%5Cs%
(%3F%3Cuserid%3E%5B%5C%5C%40%5C.%5D%2B) %22%0A%7C%20bin%20span%3D1h%20_time%20%0A%60%60%60%7C%20table%20ciamsession
me& earliest-$field1.earliest$& latest-$field1.latest$</link>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <title>Build Profile Failures- CIAM Service Impact</title>
      <table>
        <search>
          <query>index=app_pl Appid=APP-3515 Environment="PROD" "com.thehartford.pl.model.exception.CscService Exception: null
at com.thehartford.pl.rest.UserProfileController.buildUserProfile"
| bin span=1h _time
| stats count as Failure by _time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
@richgalloway Thanks for your suggestion. Will the creation or mapping of the existing users with LDAP impact existing reports, dashboards, macros, etc. created by different users?
Hi @snowee, for my knowledge, Splunk doesn't restart itself; probably you're watching a fork of a running process. Anyway, open a case with Splunk Support. Ciao. Giuseppe
Hi @Keerthi, in the results of the search you are using to populate the dropdown, there are some duplicated values, so you have to dedup your results for the field that you're using for displaying. If you could share your dropdown search I could be more detailed. Ciao. Giuseppe
Hi @richgalloway, can we add "% Committed Bytes In Use" to Perfmon : Process? Because I could see the "% Committed Bytes In Use" counter in Perfmon : Memory. I already tried to add that counter to the Process source but no luck... is there any way to add it? Thanks
Hi @sigma, as @richgalloway said, on Linux Splunk is usually installed in /opt and it's a best practice to have a file system separated from root; this location is configured in an environmental variable called %SPLUNK_HOME. For data it's possible to set up a variable (called $SPLUNK_DB) that indicates the location of the file system containing the data folders, not the $SPLUNK_HOME/var folder; it's a best practice to set it up in a different and larger file system. So you can go to $SPLUNK_HOME/etc/splunk-launch.conf and configure the $SPLUNK_HOME variable for your system. Obviously this action is only for Indexers or stand-alone Splunk systems, not for the other roles. Ciao. Giuseppe
Hey @gcusello @ITWhisperer, thanks for the information. JFYI I'm using the same timeframe (i.e. 24Hrs) for both panels and the span is also the same, 1hr. @gcusello as per your suggestion I tried "timechart" but again the same issue, "NO Result Found". But the same query is working fine when put in a separate search. And you're right, I shouldn't use the "table" command, but since nothing was working I tried to use it just as a workaround.