daily_count should be a multivalue field at the time of invoking the "| foreach mode=multivalue daily_count". Probably something like this:

| inputlookup direct_deposit_changes_v4_1_since_01012020.csv
| eval _time = strptime(_time,"%Y-%m-%d")
| stats count as daily_count by _time
| mvcombine daily_count
```Your code: renamed nums to daily_count.```
| eval cnt=0
| foreach mode=multivalue daily_count
    [| eval summation_json=if(
            mvcount(mvindex(daily_count,cnt,cnt+2))==3,
            mvappend('summation_json', json_object("set", mvindex(daily_count,cnt,cnt+2), "sum", sum(mvindex(daily_count,cnt,cnt+2)))),
            'summation_json'),
          cnt='cnt'+1
    ]
```My code: Part 2```
| rex field="summation_json" "sum\"\:(?<sum_daily_count>\d+)\}"
| fields sum_daily_count
| mvexpand sum_daily_count
Thanks, @dtburrows3. To format the results as we need them, I'm using this code, which works perfectly.

```My code: Part 2```
| rex field="summation_json" "sum\"\:(?<nums_expanded>\d+)\}"
| fields nums_expanded
| mvexpand nums_expanded

However, when I replace your makeresults with my inputlookup of 3 million records,

```My code: Part 1```
| inputlookup direct_deposit_changes_v4_1_since_01012020.csv
| eval _time = strptime(_time,"%Y-%m-%d")
| stats count as daily_count by _time
| eval daily_count = daily_count.","
| mvcombine daily_count
| eval daily_count = mvjoin(daily_count,"")
```Your code: renamed nums to daily_count.```
| eval cnt=0
| foreach mode=multivalue daily_count
    [| eval summation_json=if(
            mvcount(mvindex(daily_count,cnt,cnt+2))==3,
            mvappend('summation_json', json_object("set", mvindex(daily_count,cnt,cnt+2), "sum", sum(mvindex(daily_count,cnt,cnt+2)))),
            'summation_json'),
          cnt='cnt'+1
    ]
```My code: Part 2```
| rex field="summation_json" "sum\"\:(?<sum_daily_count>\d+)\}"
| fields sum_daily_count
| mvexpand sum_daily_count

I end up with this error. When I run My code: Part 1, these are the results. Running this at the end of My code: Part 1 proves there are over 1465 values (all values from my stats count by _time command).

| eval mv_cnt = mvcount(split(daily_count,","))-1

Thanks and God bless,
Genesius
I have written and tested some rules using "Ingest Actions". I used the "Sample" indexed data and everything seems fine, so I saved my rules.  There is a button "Deploy" with one option, Export for Manual Deployment. Do I have to do that?
Hi @Beshoy.Shaher, The Community is peer-to-peer. I do my best to help share relevant or helpful information. Since the Community has not jumped in to help out, I would recommend contacting AppD Support, or even your AppD Rep. How do I submit a Support ticket? An FAQ. If you do find a solution by any means, please come back and share what you learned as a reply to this post. Knowledge sharing is what makes the community valuable for all members.
Sorry, your initial post made it sound like you already have the tokens $Numerator$ and $Denominator$ ready to go. I'm a bit lost on the error you are describing. But just going off your initial post: two searches feeding two radial gauges, using a "| stats count" to transform the searches into a single value in a field named "count". I would use a done tag in the XML to set the resulting field "count" value of search1 to a token named "Numerator" and another done tag for search2 to set the resulting field "count" value to token "Denominator". With these two tokens set based on the results of the two searches, they can be used elsewhere on the dashboard, including getting injected into an eval expression directly after a generating command "| makeresults". Here is an example of this methodology used here, and a snippet of XML used to do this. Obviously you would need to put your own searches into the radial gauge panels.

<row>
  <panel>
    <chart>
      <title>Search to generate numerator</title>
      <search>
        <query>
| makeresults count=173
``` search1 goes here - replace the makeresults above with your own search ```
| stats count as count
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <done>
          <set token="Numerator">$result.count$</set>
        </done>
      </search>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,250,500,1000]</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option>
    </chart>
  </panel>
  <panel>
    <chart>
      <title>Search to generate denominator</title>
      <search>
        <query>
| makeresults count=1026
``` search2 goes here - replace the makeresults above with your own search ```
| stats count as count
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <done>
          <set token="Denominator">$result.count$</set>
        </done>
      </search>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,250,500,1000]</option>
      <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option>
    </chart>
  </panel>
</row>
<row>
  <panel>
    <title>01/09/2024 - dashboard component show fraction of two search results as percentage</title>
    <single>
      <search>
        <query>| makeresults | eval result=round((tonumber("$Numerator$")/tonumber("$Denominator$"))*100)."%" | fields - _time</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="height">181</option>
    </single>
  </panel>
</row>

The reason for showing you this is to demonstrate setting tokens based on results of another search by use of the "<done>" and "<set>" tags. Anytime you have a single result in the final output of a search on a dashboard, you should be able to tokenize this value by using these (<done>|<progress>)(<condition>)?(<set>|<eval>) and referencing $result.<fieldname>$ where <fieldname> is the fieldname of the value you are trying to tokenize from the search. Apologies if this isn't helpful but I am struggling to follow your questions without more context. And as for the usage of the "fields" command, I was just removing the _time field (| fields - _time) from results as it is not required to display the percentage result on the dashboard panel.
Hi @Anusha.RP, Sorry for the late reply here, but let me know if this helps. https://docs.appdynamics.com/appd/onprem/latest/en/application-monitoring/install-app-server-agents/python-agent/install-the-python-agent
Hi @Harikiran.Kanuru, Thanks for asking your question on the Community. If the Community does not give you a suggestion here, I would also recommend reaching out to your AppD Rep, or perhaps AppD Professional Services.  https://community.appdynamics.com/t5/Knowledge-Base/A-guide-to-AppDynamics-help-resources/ta-p/42353#call-a-consultant
Did you ever figure out how to automate the download in PowerShell? Looking for something similar.
I have a dashboard built with Dashboard Studio with several Single Value Visualizations. When I enable showLastUpdated, the "Open in Search", "Layers", "Clone" and "Delete" options are lost for the visualizations on the left side of the browser window because the hover-over option menu is cut off by the edge of the window. I have attempted to adjust the zoom level but that does not change the issue. This is happening in both Safari and Chrome. For now, the work-around of disabling showLastUpdated is the only way of resolving this, but I would like to have it enabled and to see the full options bar. Thanks! -SR
How/why are you using the fields operator here?
This query results in the component having the "Set token value to..." error.  I'm wondering what your data sources look like? Both of mine end with "stats count".  I tried to change the reference to "$Numerator.result$" because that was suggested in a hover-over, however, the query still did not work ("Set token value to...")
Hi @AL3Z, In Splunk Cloud you can create your own App, and Splunk automatically creates the folder structure, but you cannot download the app; you can use it only on Splunk Cloud. If you want to create your own App, you have to use an on-premise Splunk, also on your pc. Ciao. Giuseppe
@gcusello, Can we do this process in Splunk Cloud as I don't have the Enterprise version?
Hi @jalbarracinklar, About the use of two HFs as concentrators: I always use them in architectures like yours. Remember to use two HFs if you need HA, otherwise one is sufficient. I always prefer to use a Deployment Server to manage Forwarders configurations. For 20 clients you don't need a dedicated server and you could use one of the two Heavy Forwarders used as Concentrators, even if a dedicated server is always better if you don't have problems with server availability. Ciao. Giuseppe
Hi @AL3Z, sorry I missed the url: https://dev.splunk.com/enterprise/tutorials/quickstart_old/createyourfirstapp/ here you can find all the info you need. Ciao. Giuseppe
I'm speaking about Splunk Enterprise. Via that site: System requirements for use of Splunk Enterprise on-premises - Splunk Documentation, it looks like all versions of Splunk (up to 9.1.2) will work on Linux 3.x and 4.x kernels. My concern about the 8.2.x is that Splunk clearly says this is no longer supported since 9/30/23.
Hi @dcfrench3, you can put both the searches in the main search and then use stats BY the search keys to correlate events, something like this (the OR alternatives for each field are grouped in parentheses so that Splunk's AND-before-OR precedence does not split them):

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD")
OR (index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe"))
| eval c_ip=coalesce(Source_Network_Address,c_ip)
| stats dc(index) AS index_count values(*) AS * BY c_ip
| where index_count=2

I don't know which fields you need, so I used values(*) AS * but you can use the fields you need. Ciao. Giuseppe
Exactly what I was looking for. Thank you!
Ciao Giuseppe! Thank you a lot for your answer! We finally saw it was something related to a configuration on our firewall because we couldn't even see our IP going to Splunk through the firewall and the services were up and running on the server with Splunk Universal Forwarder installed. Regarding the Deployment server, we have ~20 servers with Splunk Universal Forwarder installed on them. Should we have a deployment server in the same environment to be able to manage all of those Splunk UFs? Do you have any recommendation on this? Thanks again! Juanma
Why can't I see data on Splunk ES Non-corporate Web Uploads? When I click on the user, I get "mariangelie.rodriguez+castellano is not a known identity".