All Posts
Do not treat structured data such as XML as string text, is my usual advice. Splunk's built-in routines designed to process XML (e.g., spath) are much more robust than any regex you can construct. If you have difficulty with using spath and such, post sample/mock data (anonymized as needed) and explain what search you use, what result you get, and how the result differs from what you want.
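As an added illustration of the advice above (not part of the original reply), the following SPL builds two small constructed XML events with makeresults and extracts fields from them with spath, next to a rex extraction of the same element so the difference shows. The document layout, element names (message, header, messageType, msgId, item) and values are made up for the example.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1,
    "<message><header><messageType>AAA</messageType><msgId>41</msgId></header><body><item id='1'>x</item></body></message>",
    "<message><header><messageType code='A'>AAA</messageType><msgId>42</msgId></header><body><item id='1'>x</item><item id='2'>y</item></body></message>")
| spath input=_raw path=message.header.messageType output=messageType
| spath input=_raw path=message.header.msgId output=msgId
| spath input=_raw path=message.body.item{@id} output=item_ids
| rex field=_raw "<messageType>(?<messageType_rex>[^<]+)</messageType>"
| table n messageType msgId item_ids messageType_rex
```

spath returns messageType=AAA for both events and a multivalue item_ids of 1 and 2 for the second one, whereas the literal-tag regex only matches the first event and leaves messageType_rex empty as soon as the element carries an attribute (the same happens with a namespace prefix or different whitespace). Two caveats when moving this to real data: spath only parses the first extraction_cutoff characters of the field (5000 by default, set in limits.conf under [spath]), so very large XML bodies need that raised or a more targeted input field, and the path must follow the document's actual nesting, which is why posting a real sample is the fastest way to get a working extraction.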
"I think append had some limits to append it, so if we are handling with large volumes of data set like 2 lakh events, which command will be useful!"

This is why my first reply hinted that restructuring the searches could be a better option. You did mention each of the two macros was a simple index search with different sourcetype constraints. It is much more efficient to combine the two searches into one, then stats over their differences. If you observe how the search I constructed before had to manufacture a field named "source" (which obviously is not your data field named source), you would draw a parallel. Based on the pseudo code of your macros, here is an example of what you can use instead:

index=sap sourcetype IN (1A*, 2A*)
| eval sourcetype = if(match(sourcetype, "^1A"), "1A...", "2A...")
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype) < 2 AND sourcetype == "1A..."
| stats dc(host) as count_diff
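The pattern in the reply above can be verified offline before pointing it at index=sap. The following SPL is an added example, not part of the original reply: it constructs five host/sourcetype pairs with makeresults (hosts h1 to h4 and sourcetype names are made up), then applies the same single-pass stats logic. The only cosmetic change is that the sourcetype family is written to a new field, family, instead of overwriting sourcetype.

```spl
| makeresults
| eval rows="h1,1A:app h1,2A:app h2,1A:app h3,2A:app h4,1A:db"
| makemv delim=" " rows
| mvexpand rows
| rex field=rows "^(?<host>[^,]+),(?<sourcetype>.+)$"
| fields host sourcetype
| eval family=if(match(sourcetype, "^1A"), "1A", "2A")
| stats values(family) AS family BY host
| where mvcount(family) < 2 AND family == "1A"
| stats dc(host) AS count_diff
```

h1 appears under both families and is dropped by mvcount(family) < 2, h3 only has 2A and is dropped by the family test, so count_diff is 2 (h2 and h4). To list the hosts instead of counting them, replace the final line with `| fields host`; to get hosts that only have 2A data, change the comparison to `family == "2A"`. To run it against real data, replace the first six lines with `index=sap sourcetype IN (1A*, 2A*)`. The reason this scales better than append is that append runs its argument as a subsearch, which is subject to the subsearch result and time limits, while this form is a single search whose only aggregation is keyed by host.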
I like it. I added some sed commands to pull out the parentheses, as they were causing issues searching once the values were passed via token, but once I did that the rest of the panels worked. Thanks!
Hi @Rajkumar.Varma, There might be a way of doing it. You can check out the AppDynamics APIs here: https://docs.appdynamics.com/appd/23.x/latest/en/extend-appdynamics You can also try contacting Support ("How do I submit a Support ticket? An FAQ") if you want to dive deeper into the report question.
Hi @tharun.santosh, Unfortunately, Support is only available to customers with a paid license, which is why I suggested filling out that form and getting in touch with Sales. I don't know what their SLA is with a follow-up. 
Hi @Tomasz.Nawojczyk, Extensions moved to an Open Source Model in late 2021. Since the Community has not chimed in yet, you may want to try contacting Support or reaching out to your AppD Rep. https://docs.appdynamics.com/paa/appdynamics-support-advisories/support-advisory-changes-to-extensions-support-model ("How do I submit a Support ticket? An FAQ")
Thanks @VatsalJagani 
Hi @AL3Z, yes, except for the first, they are all paid courses. Ciao. Giuseppe
@Jayaraman I'm having the same issue, did you find a solution?
Check out the format command. It will put the available fields into a sequence of OR clauses.

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>" | fields MSGID | format
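To see exactly what format produces before wiring it into a subsearch, the following SPL is an added example (not from the reply above) that generates three constructed MSGID values with makeresults and formats them; the values M1 to M3 are made up.

```spl
| makeresults count=3
| streamstats count AS n
| eval MSGID="M".n
| fields MSGID
| dedup MSGID
| format
```

The result is a single row whose search field reads `( ( MSGID="M1" ) OR ( MSGID="M2" ) OR ( MSGID="M3" ) )`, which is the string a subsearch injects into the outer search. Using the field names from the reply, the full pattern is `index=db source=MSGTBL [ search index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>" | fields MSGID | dedup MSGID | format ]`. The dedup is optional but keeps the generated clause from repeating the same MSGID, and `fields MSGID` matters because every remaining field ends up in the clause, ANDed together within a row. Subsearches are capped by the subsearch result limit (subsearch_maxout in limits.conf, 10,000 by default) and a wall-clock limit, so if the inner search can return more IDs than that, a stats-based join on MSGID or a lookup is the safer route.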
Hi @gcusello  As I already mentioned: if the condition is "Offline", an alert mail needs to be sent (only one alert; all the rest need to be suppressed). If the condition becomes "online", an alert needs to be sent (only one alert; all the rest need to be suppressed). This search will run every 5 min and search the results for the past 5 min. This is my requirement... Please guide me.
@mstoro - I believe this should not be encrypted in the browser. It will be encrypted on the fly if you are using Splunk UI on HTTPS. 
Hi @parthiban, run this search in the search dashboard of the app where you want to store your alert. Be sure to use the correct time period. Then save it as an alert, adding the information for alert execution (scheduling) and actions (email or other). Ciao. Giuseppe P.S.: Karma Points are appreciated
I wish I were more well-versed in the various deployment architectures for Splunk and what they mean as far as app / add-on deployment, but I'm not and am stuck at the moment. A customer has asked whether an app we have published to Splunkbase supports Search Head Clustering. Having read through some documentation on what it is and how it works, I'm still uncertain as to what that means with respect to my app. Does anyone know (or can point me to a resource that I've yet to unearth) what "support Search Head Clustering" means, and how I would know whether my app supports it / what must be done by an app developer to support it? I can say with certainty that we did not do anything special during the development process to support this, but that doesn't mean it isn't supported inherently ... so I'm at a loss.
@gcusello, it looks like a paid course; by any chance is there any link to a free course?
@madhav_dholakia - As far as I'm aware, Splunk's _raw is whatever comes from the system unless you explicitly write config in props.conf to make changes; otherwise Splunk has no functionality to change it. To me it looks like the actual value is 17.0, but the preview is simplifying it to 17 on both systems. I hope this helps!!!
Hi @gcusello Thanks for your support. Final question: how can I implement this query as an alert? Please suggest.
Hi @AL3Z, this is the training: https://www.splunk.com/en_us/training/course-catalog.html?filters=filterGroup4SplunkEnterpriseSecurity Ciao. Giuseppe
Hi, you can group results by col1:

(search) | stats values(VM) values(col2) by col1

------------ If this was helpful, some karma would be appreciated.
Hi again,

You can back up one collection at a time. And yes, you have to unschedule all the reports that fill your kvstore collections. That can be a bit long and painful. I only had 2 collections so it was not a stretch in my case. I had to migrate the kvstore from one SH to another, and I used a backup file. Never tried to sync 2 instances, sorry.

I would suggest you try to back up the kvstore in the state you are in and then try to restore it on a test SH. If this works => clean both your kvstore SHs and restore there. If not, I'm afraid I would do it all over again: clean it all and then painfully fill your collections with data again. If you still possess the pertaining data, you can calculate the collection again, at a fast pace for past periods even if it is long. There will definitely be a small service interruption for these collections, but in the end you'll win.

And for later, when you have succeeded in getting your kvstore back up and running, I would suggest you add a planned backup task (each day for example).

On another matter: why is your kvstore failing to start? There should be some insight in `/opt/splunk/var/log/splunk/mongod.log`. Maybe it's just a renewal of the certificate for mongo that is needed (probably too easy that one, but who knows...)

Regards, Ema