All Posts

Yes, from 25th Nov we are able to see the logs for the sourcetype, so please guide how to check and where to check.
Ciao @gcusello, maybe I didn't explain myself correctly. I meant that when the deployer moves the apps to /opt/splunk/var/run/splunk/deploy/apps it created the apps with "-local". But I just discovered that it was due to a misconfiguration of the deploy mode in the app.conf file. I already fixed it and now the SHs have all the ITSI apps in the etc/apps directory. But I'm facing a new problem: when I start ITSI I get this message, but it makes no sense because it is the first installation... Thanks for your response and time.
Hi, on your cloud instance, on the left side, there is an app called "Universal Forwarder" which contains the UF package and instructions on how to use it to send events to your SC instance. r. Ismo
Hi, you are probably using the wrong acronyms, as DDAS is active searchable data. You could see those e.g. at https://www.splunk.com/en_us/blog/platform/dynamic-data-data-retention-options-in-splunk-cloud.html?locale=en_us; see also https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Setting_data_retention_rules_in_Splunk_Cloud_Platform. Could you check from where you want to restore and update this question based on it? r. Ismo
Hello, https://docs.appdynamics.com/appd/21.x/latest/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/install-the-cluster-agent/validate-the-cluster-agent-installation
1. Validate the Cluster Agent Installation
2. We have deployed AppDynamics using EKS on AWS.
3. We have successfully deployed it using the helm chart.
4. But in the dashboard it says no data available.
5. We have installed the cluster agent and Visibility infra using the above documentation and we are not able to get the visual data in the console; in the metrics browser it just says no data available. We are using EKS cluster version 1.25 with 2 nodes and we have deployed the bank-of-anthos application in our cluster.
6.
   # To install InfraViz
   installInfraViz: true
   # AppDynamics controller info
   controllerInfo:
     url: https://cat202312051119163.saas.appdynamics.com:443
     account: My account name
     username: My username
     password: My password
     accessKey: my access key
     globalAccount: my account name
   # Infra Viz config
   infraViz:
     nodeOS: "linux"
     enableMasters: true
     stdoutLogging: true
     enableContainerHostId: true
     enableServerViz: true
     enableDockerViz: false
   # Net viz config
   netViz:
     enabled: true
     netVizPort: 3892
Screenshot link: Screenshot 2023-12-13 at 3.07.16 PM.png
Please tell the workaround for the above issues. Thanks
Hi @gcusello, we have the status field in the last search; however, it has not produced the results. Just for checking, for even better understanding and quicker results, if you require some other information please let me know, I'm happy to provide it.
Just add this at the end of the query: | where Process != "C:\\ProgramFiles\\notepad.exe"
I want to show only identical process name values in the table "Process" because these logs come in a repeated format. If any other process name value is different from notepad.exe then it can be logged in the "Process" table, otherwise it can be skipped.
Hi, if this always ends with ". Now" then you can use ... | rex "from process name: (?<Process>.+)\. Now" | table Process If there can be anything, then this is not working and you must use something else based on the rest of the line. r. Ismo
Hi Team, we received a requirement to monitor the Webservices Utilities: Message monitor in SAP systems. PFA screenshot for reference. Please confirm whether we have an option in the SAP ABAP agent to monitor the below error/log messages. Thanks, Selvan
Hi @parthiban, sorry I wasn't clear: running the last reduced search, which values (not field names) do you have for the "status" field? Do you have the expected values ("offline", "online", etc.) that we use for the checks? Ciao. Giuseppe
Hi @Jagat, this regex works for the sample you shared (without spaces in the process name and path): | rex "process name:\s+(?<process_name>[^ ]+)" which you can test at https://regex101.com/r/b1oavF/1 To be more sure, you should share more and different samples. Ciao. Giuseppe
Hi, have you looked at the timewrap command? You could try something like basesearch earliest=-1d@d latest=now | timechart span=15m count | timewrap d Your result looks a little bit weird, as yesterday you have a whole day, but today is only from midnight to now. r. Ismo
Hi @gcusello, "response_details.response_payload.entities{}.onlineStatus" is the above field that has the status.
I want to extract only the process name value from the logs and store it in a table.
Input Log:
<30>1 2023-12-13T06:22:20.197Z 10.205.101.94 4 CGA3001I [sev="INFO" msg="Event" event="Data is getting from process name: C:\\ProgramFiles\\notepad.exe. Now we can try to write the logs. Mode: Operational"]
Output:
C:\\ProgramFiles\\notepad.exe
I have tried with the command: regex "(?<=Process name:).*?(?=\.\s+)" | table Process but didn't get any data.
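As an added, runnable illustration of the three patterns in this thread (this is not code from any of the original posts), the script below runs the question's lookbehind pattern, the "from process name:" pattern and the "[^ ]+" pattern over constructed events modelled on the sample line above, converting PCRE named groups to Python's syntax so they can be executed locally, and then adds an assumed case-insensitive extractor plus an allowlist check of the kind the follow-up question asks for (report only processes other than notepad.exe). The event lines, the second process path and the function names are constructed for this example. Note that in SPL the `regex` command filters events, while `rex` is the command that extracts fields.

```python
import re

# Constructed sample events modelled on the single line shown in the question.
# The doubled backslashes are literal characters in the event text, as on the page.
SAMPLE_EVENTS = [
    r'<30>1 2023-12-13T06:22:20.197Z 10.205.101.94 4 CGA3001I [sev="INFO" msg="Event" '
    r'event="Data is getting from process name: C:\\ProgramFiles\\notepad.exe. Now we can try to write the logs. Mode: Operational"]',
    r'<30>1 2023-12-13T06:23:41.002Z 10.205.101.94 4 CGA3001I [sev="INFO" msg="Event" '
    r'event="Data is getting from process name: C:\\Users\\Public\\updater.exe. Now we can try to write the logs. Mode: Operational"]',
    r'<30>1 2023-12-13T06:25:09.310Z 10.205.101.94 4 CGA3001I [sev="INFO" msg="Event" '
    r'event="Data is getting from process name: C:\\ProgramFiles\\notepad.exe. Now we can try to write the logs. Mode: Operational"]',
]

# The three patterns exactly as posted in the thread (PCRE syntax, as Splunk's rex uses).
ORIGINAL_PATTERN = r"(?<=Process name:).*?(?=\.\s+)"
ISMO_PATTERN = r"from process name: (?<Process>.+)\. Now"
GIUSEPPE_PATTERN = r"process name:\s+(?<process_name>[^ ]+)"


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def first_capture(pattern, event, ignore_case=False):
    """Return what `pattern` captures in `event`: the first group if the pattern
    has one, otherwise the whole match; None when it does not match."""
    flags = re.IGNORECASE if ignore_case else 0
    m = re.search(pcre_to_python(pattern), event, flags)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


# Assumed extractor (not from the thread): case-insensitive, and it stops at the
# first full stop that is followed by whitespace, i.e. the end of the sentence.
PROCESS_RE = re.compile(r"process name:\s+(?P<process>.+?)\.\s", re.IGNORECASE)


def extract_process(event):
    """Return the process path named in the event, or None if the event has none."""
    m = PROCESS_RE.search(event)
    return m.group("process") if m else None


def unexpected_processes(events, allowlist):
    """Return (event, process) pairs whose process is not on the allowlist.
    Events where no process could be extracted are reported too (process=None),
    so a change in the event format does not silently hide anything."""
    allowed = {p.lower() for p in allowlist}
    hits = []
    for ev in events:
        proc = extract_process(ev)
        if proc is None or proc.lower() not in allowed:
            hits.append((ev, proc))
    return hits


if __name__ == "__main__":
    ev = SAMPLE_EVENTS[0]
    for label, pat in [("original", ORIGINAL_PATTERN), ("Ismo", ISMO_PATTERN), ("Giuseppe", GIUSEPPE_PATTERN)]:
        print(f"{label:9s} {first_capture(pat, ev)!r}")
    print("original, case-insensitive:", repr(first_capture(ORIGINAL_PATTERN, ev, ignore_case=True)))
    for event, proc in unexpected_processes(SAMPLE_EVENTS, [r"C:\\ProgramFiles\\notepad.exe"]):
        print("unexpected:", proc)
```

Running it shows why the question's pattern returns nothing on the sample (the event says "process name:" with a lowercase p, so the case-sensitive lookbehind never matches, while the same pattern matches once case is ignored), that the "from process name:" pattern returns the bare path, and that the "[^ ]+" pattern keeps the trailing full stop on this sample because the path is followed by ". Now". The extractor at the end assumes the sentence always ends with a full stop and whitespace; events it cannot parse are returned with process None so they can be reviewed rather than dropped.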
Hi @roberto_baggio, as I said, outside ES you have to use the normal menu configuration form: from the app whose menu you want to modify, go to [Settings > User Interface > Navigation menu > default]. Then you can add your dashboard. For more info see https://dev.splunk.com/enterprise/docs/developapps/createapps/addnavsplunkapp/ or https://dev.splunk.com/enterprise/tutorials/module_getstarted/modifynavbar/ Ciao. Giuseppe
Hello, Giuseppe. Thank you for your firm response. You are right, in ES I can do so. But for example in the AWS dashboard app there is no such option. So does that mean that I can't do so?
I set up the Microsoft Teams Add-On For Splunk yesterday and am successfully ingesting data from our tenant. My query is regarding the relationship between the volume of incoming webhooks from Azure and the callRecord events.
As I understand it (and this is likely the root cause), Azure pushes a change notification to the Splunk webhook each time a call ends, containing the unique call ID. The Teams Call Record app/input runs on a schedule (in my case every five minutes) and retrieves all the call records it's received change notifications for since it last ran. I would, therefore, expect there to be an equal number of m365:webhook and m365:teams:callRecord events, but there aren't. I'm typically seeing a 3:2 ratio of webhook to callRecord events.
I believe the 'id' field in the webhook event and the callRecords matches (this is the identifier Splunk uses to retrieve the callRecord using the Graph API) and I would have expected the id in each event type to be unique, but there appear to be many duplicates in both event types. If I look at my data for yesterday I can see:
4163 webhook events
3867 callRecord events
But if I dedup on 'id', I see:
2614 webhook events
2586 callRecord events
...which still doesn't match (although it's much closer) and is a lot of duplicates. Any bright ideas, folks?
It's (almost) impossible to say what your real issue is based on the information you have given. Normally you shouldn't create indexes automatically from your Add-Ons etc. Just create a separate SA (etc.) which is separate from your main Add-On or App and install that part only on your indexers / MN. Probably it's best to remove that index definition on your SHC side and check if this helps. Also, if your Add-On automatically creates that index on the SH side, remove that part too. To be honest, I don't trust ChatGPT's instructions on how and what to do with Splunk. Most of those instructions which I have looked at are "scrap" and send you in the wrong direction / habits!
Hi @parthiban, if you run:
index="XXXX" "Genesys system is available" | rename "response_details.response_payload.entities{}.onlineStatus" as status | where name="YYYY"
which values do you have for the status field? Ciao. Giuseppe