All Posts

@bowesmana I like this logic, but it could be hectic to use in my current environment. Thanks. Regards,
Hi team, I have the following search code, and I want to trigger an alert when the condition is 'OFFLINE'. Note that we receive logs every 2 minutes, and the alert should be triggered only once; subsequent alerts should be suppressed. Similarly, when the condition becomes 'ONLINE', I want to trigger an alert only once, with subsequent alerts being suppressed. I hope my requirement is clear.

index="XXXX" invoked_component="YYYYY" "Genesys system is available"
| spath input=_raw output=new_field path=response_details.response_payload.entities{}
| mvexpand new_field
| fields new_field
| spath input=new_field output=serialNumber path=serialNumber
| spath input=new_field output=onlineStatus path=onlineStatus
| where serialNumber!=""
| lookup Genesys_Monitoring.csv serialNumber
| where Country="Egypt"
| stats count(eval(onlineStatus="OFFLINE")) AS offline_count count(eval(onlineStatus="ONLINE")) AS online_count
| fillnull value=0 offline_count online_count
| eval condition=case(
    offline_count=0 AND online_count=0, "No data",
    offline_count=0 AND online_count>0, "ONLINE",
    offline_count>0, "OFFLINE")
| search condition="OFFLINE" OR condition="ONLINE"
| table condition
You can't combine Splunk columns inside a Splunk table, but you can make second and subsequent duplicates clear, like this example:

| makeresults format=csv data="VM,col1,col2
vm1,car,sedan
vm2,car,sedan
vm3,plane,Priv
vm4,bike,Fazer
vm5,bike,thunder"
| stats values(col*) as col* by VM
| streamstats count as c1 by col1
| streamstats count as c2 by col2
| eval col1=if(c1>1, null(), col1)
| eval col2=if(c2>1, null(), col2)
| fields - c1 c2
@jianzgao - If you are just starting to work on a new solution, I won't recommend using C#, as there have been no changes to it for a long time. So you would end up maintaining the library yourself, fixing all the issues similar to this one. I have personally used the Python SDK, and it is the most widely used one, if you are comfortable using it. I hope this helps!!! Kindly upvote if this helps you!!!
@Muthu_Vinith - If the answer helps you, kindly upvote, and if it resolves your question, accept it by clicking on "Accept as Solution".
@bowesmana Ok, thanks for your reply. I understand, and I appreciate it. VM shouldn't be in values and combined; the rest of the columns should combine if the result values match, and show in the visualization. I'm still looking for some alternative options here. Regards,
@jamos_bt - Here are some key pointers to keep in mind as a developer of an App for a Search Head Cluster, meaning 3 or more SHs being in sync with each other for configuration and lookups. Splunk handles the configuration sync automatically as long as you follow the practices detailed below. Your App will be installed from another Splunk machine called the "Deployer". You can ask the user to make some config on the deployer directly, but you don't need to as long as your configs are getting synced properly. To ensure the configuration is in sync, keep this in mind:
- Do not make config file modifications directly on the system; use Splunk REST endpoints to make changes to config files. This includes your App's configuration page, if any, which should only make changes via REST endpoints.
- Do not make lookup file modifications directly on the system; use either Splunk REST endpoints or the outputlookup command to make changes to lookups.
- Your alerts will be executed on only 1 instance, decided by the SHC captain at runtime, and it could be a different one every time.
- Your dashboards should work as is, as long as you are not doing anything crazy.
I hope this helps!!!
Hello, is it possible to get the serial numbers of Windows/Linux machines being ingested into Splunk using the Splunk Add-on for Windows or Linux? Thanks
You can't merge a single column across 2 other columns, as in your vm4/vm5 example. You can do

| stats values(VM) as VMs by col1 col2
| sort VMs

but it will give you separate rows for vm4/vm5.
@bowesmana To simplify it further for you: split by VM, and I'm looking to merge the values into one. For example, I have two values as 'car'; those should be merged into one value in a single box. Likewise, wherever the result values match, they should be merged. | stats values(col1) values(col2) is not helping, as that gives a combination of values. Regards,
To split by VM, just change it like this:

| stats values(col*) as col* by VM
Hi @glc_slash_it Thanks for your reply. It is giving a combination of several fields, but duplicates are showing up. I want to get rid of duplicates where two values match and have them show up as a single result value instead of two combinations. And I want to display it by VM (in my example, VM columns will always be unique). Regards,
I'm not here to help, sorry man. I have the same problem. Do you have the solution now? TIA
@VatsalJagani Thank you for your quick reply. But as a .NET platform software engineer, I would prefer to use the C# SDK. I am so confused as to why the C# SDK was deprecated. We plan to use the Splunk C# SDK to implement some new features. It seems like we have to change the solution. Thank you again.
Sounds like you may have the old version still lingering around in <app>/local/data/ui/views/
Our custom app had changes to the views, and these changes are not getting updated. I have zipped the custom app and followed the install-from-file process. The custom app passed AppInspect version 3.0.3 after I figured out how to run the slim generate-manifest command. It took a few tries to get it correct, but I have uploaded this custom app to Splunk Cloud. When I use the app, I expect the latest XML code for our custom views to be used, but the data is not displaying correctly in the chart. When I click on the Open in Search icon, I get an old version of the view's search query, so that explains why the chart looks funny. Has anyone dealt with this before? Are there tricks to clearing out the obsolete views when uploading a new version? I have incremented the minor and release versions, based on other reasons. I do know the cloud expects the versions to increment. Our last working version was 1.0.115 and my current version is 1.1.7.
My Linux webserver is running Apache and I'd like Splunk to analyze the logs. I'm using the "Splunk App for Web Analytics". I followed the documentation, imported my Apache log files and installed the "Splunk Add-on for Apache Web Server". My Apache logs are getting properly parsed in Splunk, and I updated the eventtype web-traffic to point to the logs by sourcetype. I'm running into a problem configuring the Web Analytics app. It found two log files (access_log and ssl_access_log) and I pointed them to the site's domain. access_log appears to be configured correctly, but ssl_access_log gives the error "Site not configured". Lastly, running "Generate user sessions" and "Generate pages" shows zero events. There are no results in any of the App dashboard menus, but I do see plenty of logs in the raw search. Any idea what's going on? Here are two screenshots of my configs:
It is somewhat correct. I'm trying to do a 1:1 for the two specific columns. The use is just to start with the two columns matching at first, then another where they do not. Where Qui-Gon Jinn is in both the Sith and Jedi indexes, he is listed in both columns. For some reason I think I might be making this more difficult than it needs to be. If the two IDs match in both columns, then they are listed with the rest. Hopefully that clears it up. I am still trying to relearn the whole search in Splunk currently, so I do apologize.
Hi @tharun.santosh, please use the relative path in the Dashboard setting. Please use Hardware Resources|Cluster|Pods count for the value in the above screenshot. It seems like you are using an incorrect path, as in the above screenshot. Please use "Hardware Resources|Cluster|Pods count". Relative path documentation: https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-essentials/alert-and-respond/configure-health-rules/define-custom-metrics-for-multiple-entities Thanks, Satbir
Hi @Rajkumar.Varma, as of now, it does not look like we have any functionality to send such details as a report. However, please check if the below helps:
1. You can view the license usage on the controller as per the below documentation. https://docs.appdynamics.com/21.9/en/appdynamics-essentials/appdynamics-licensing/observe-license-usage
2. You can also use our REST APIs to get the details of the usage of the licenses. Please refer to the below article. https://docs.appdynamics.com/21.9/en/extend-appdynamics/appdynamics-apis/license-api
Thanks, Satbir