All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Re: How to extract filename from inputlookup csv file with query

by in Splunk Search
‎11-29-2023 01:23 AM
‎11-29-2023 01:23 AM
Thanks for your response. It's really helpful and knowledgeable. Your rest query can get the lookupfilename as title. Actually, my original search query is - | inputlookup abc.csv | rename f... See more...
Thanks for your response. It's really helpful and knowledgeable. Your rest query can get the lookupfilename as title. Actually, my original search query is - | inputlookup abc.csv | rename field1 as new_field | append [| inputlookup def.csv | rename field1 as new_field] | table new_field   When I put rest query that you provided, "rest" must be the first place in search. I do want to know how to combine my original query and rest query to get the new_field and lookupfilename.

Re: Data Model

by SplunkTrust in Security
‎11-29-2023 01:22 AM
‎11-29-2023 01:22 AM
hi @Mohamad_Alaa , when you choose an add-on from splunkbase, you should check the CIM compliance level. about population searches, you should see in each Data Model the contrains, this is the popu... See more...
hi @Mohamad_Alaa , when you choose an add-on from splunkbase, you should check the CIM compliance level. about population searches, you should see in each Data Model the contrains, this is the population scheduled search you should try to run these searches and see if you have results,these results are the records in the DataModel. Ciao. Giuseppe

Re: tstats distinct_count returns an incorrect value on high cardinality source field

by in Splunk Search
‎11-29-2023 01:04 AM
‎11-29-2023 01:04 AM
Sadly setting chunk_size doesn't make a difference. I've since tried playing around with limits.conf on both search heads and indexers to no avail. Also, the queries does seem to work on the indexe... See more...
Sadly setting chunk_size doesn't make a difference. I've since tried playing around with limits.conf on both search heads and indexers to no avail. Also, the queries does seem to work on the indexers (when querying there directly, rather than using the search head). Another note that might be helpful - the query works on Splunk 7.3 but not on 8.2.2.  

Re: How to extract filename from inputlookup csv file with query

by SplunkTrust in Splunk Search
‎11-29-2023 12:40 AM
1 Karma
‎11-29-2023 12:40 AM
1 Karma
Hi you get filename with rest e.g. | rest /services/data/lookup-table-files search="abc.csv" | fields title eai:appName eai:data r. Ismo 

Unable to query Events Api.

by in Splunk AppDynamics
‎11-29-2023 12:33 AM
‎11-29-2023 12:33 AM
Hi there everyone. I am struggling to get the Events Api to accept a query for some metrics I want to query. I followed the instructions on https://docs.appdynamics.com/appd/21.x/21.6/en/extend-a... See more...
Hi there everyone. I am struggling to get the Events Api to accept a query for some metrics I want to query. I followed the instructions on https://docs.appdynamics.com/appd/21.x/21.6/en/extend-appdynamics/appdynamics-apis/analytics-events-api and have setup the postman request with the required fields. I have made sure to give the api_key the correct permissions but I when querying the fra-ana controller I am hit with a 403.  I cannot see why I am being hit with his error or find any documentation to help me debug it. `My query looks like the following: curl -X POST "http://fra-ana-api.saas.appdynamics.com/events/query" -header "X-Events-API-AccountName: <global_account_name>"  -header "X-Events-API-Key: <api_key>"  -header "Content-Type: application/vnd.appd.events+text;v=2"  -header "Accept: application/vnd.appd.events+json;v=2"  -data "SELECT * FROM logs" I have tried this command in postman and in Powershell both returning the same 403.
Labels

How to extract filename from inputlookup csv file with query

by in Splunk Search
‎11-29-2023 12:26 AM
‎11-29-2023 12:26 AM
I want to get my inputlookup csv filename with the query. | inputlookup abc.csv | stats count by inputlookup_filename  ```<= the result I needed is "abc"``` Or | table inputlookup_filename ```<... See more...
I want to get my inputlookup csv filename with the query. | inputlookup abc.csv | stats count by inputlookup_filename  ```<= the result I needed is "abc"``` Or | table inputlookup_filename ```<= the result I needed is "abc"```
Labels

Re: Data Model

by in Security
‎11-29-2023 12:24 AM
‎11-29-2023 12:24 AM
can you elaborate more regarding this point  "you should check if the population scheduled searches are running and if they have results" How i can check it? i installed CIM 5.2.0 and yes i instal... See more...
can you elaborate more regarding this point  "you should check if the population scheduled searches are running and if they have results" How i can check it? i installed CIM 5.2.0 and yes i installed TA-addons but not sure about compatibility, do you recommend download to 4.x?

Re: notable exist but incident review has no values

by in Security
‎11-29-2023 12:19 AM
‎11-29-2023 12:19 AM
kindly find the screenshot for the full correlation search and notable configuration

Re: notable exist but incident review has no values

by SplunkTrust in Security
‎11-29-2023 12:11 AM
‎11-29-2023 12:11 AM
hi @Mohamad_Alaa , which time period did you used in the Correlation Search? Ciao. Giuseppe

Re: Joining two index searches and print the common results

by SplunkTrust in Splunk Search
‎11-29-2023 12:10 AM
‎11-29-2023 12:10 AM
Hi @parthiban , yes, sorry, I forgot a parenthesis in the eval command: (index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received") OR (index = Test2 inv... See more...
Hi @parthiban , yes, sorry, I forgot a parenthesis in the eval command: (index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received") OR (index = Test2 invoked_component="YYYY" correlation_id="*" message IN ("Successfully created" , "Successfully updated")) | stats count(eval(index="Test1")) AS Test1_count count(eval(index="Test2")) AS Test2_count count BY correlation_id Ciao. Giuseppe

Re: Data Model

by SplunkTrust in Security
‎11-29-2023 12:07 AM
‎11-29-2023 12:07 AM
Hi @Mohamad_Alaa , you should check if the population scheduled searches are running and if they have results. It seems that these scheduled searches are running, but they always have empty results... See more...
Hi @Mohamad_Alaa , you should check if the population scheduled searches are running and if they have results. It seems that these scheduled searches are running, but they always have empty results. Are you using CIM>4.X compliant add-ons? Ciao. Giuseppe

Re: Not getting incident from Splunk on time

by in Dashboards & Visualizations
‎11-28-2023 11:45 PM
‎11-28-2023 11:45 PM
@bowesmana  This is my current query: index= "abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!... See more...
@bowesmana  This is my current query: index= "abc" "pace api iaCode - YYY no valid pace arrangementId as response!!!" OR "pace api iaCode - ZZZ no valid pace arrangementId as response!!!" source!="/var/log/messages" sourcetype=600000304_gg_abs_ipc1| rex "-\s+(?<Exception>.*)" | table Exception source host sourcetype _time And My cron schedule is shown as below:   @bowesmana can you please suggest me what changes I need to make in my query and cron to get incidents and email on time

Data Model

by in Security
‎11-28-2023 11:38 PM
‎11-28-2023 11:38 PM
is the output of the attached image right? i can see data model per run duration but by size has no values

Re: notable exist but incident review has no values

by in Security
‎11-28-2023 11:30 PM
‎11-28-2023 11:30 PM
yes exactly the same, the only different they used deep search but i didn't Noting that notable already exist so the trigger is working and the response is working by creating a notable The severit... See more...
yes exactly the same, the only different they used deep search but i didn't Noting that notable already exist so the trigger is working and the response is working by creating a notable The severity is high for this notable Any other advice?

Re: Joining two index searches and print the common results

by in Splunk Search
‎11-28-2023 10:23 PM
‎11-28-2023 10:23 PM
Hi @gcusello  the correlation_ID is a unique value for each record, and each record has distinct messages for each lambda. Yes, I want to correlate both Test1 and Test2, but the result with the c... See more...
Hi @gcusello  the correlation_ID is a unique value for each record, and each record has distinct messages for each lambda. Yes, I want to correlate both Test1 and Test2, but the result with the common correlation_ID is printed only in Test2. I have already shared the example. the below mentioned query is not working throwing  error  mismatch quotes  and/or parenthesis error.

Error Db agent

by in Splunk AppDynamics
‎11-28-2023 10:20 PM
‎11-28-2023 10:20 PM
good day, please help. DB agent has a problem with connecting more detailed metrics. I restarted and reinstalled the agent but the error persists #|2023-11-28T13:37:39.480+0100|SEVERE|glassfish 4.1... See more...
good day, please help. DB agent has a problem with connecting more detailed metrics. I restarted and reinstalled the agent but the error persists #|2023-11-28T13:37:39.480+0100|SEVERE|glassfish 4.1|com.sun.jersey.spi.container.ContainerResponse|_ThreadID=56;_ThreadName=http-listener-1(6);_TimeMillis=17011750594 80;_LevelValue=1000;|The RuntimeException could not be mapped to a response, re-throwing to the HTTP container RestException(statusCode=500, code=Unknown, errorMessage=Unknown server error., developerMessage=null, logCorrelationId=5041de7e-2229-4c14-a847-5e8cd4703df6) at com.appdynamics.analytics.client.common.exceptions.RestExceptionFactory.makeException(RestExceptionFactory.java:56) at com.appdynamics.analytics.client.common.RestClientUtils.validateResponse(RestClientUtils.java:278) at com.appdynamics.analytics.client.common.RestClientUtils.resolve(RestClientUtils.java:85) at com.appdynamics.analytics.client.common.GenericHttpRequestBuilder.executeAndReturnRawResponseString(GenericHttpRequestBuilder.java:287) at com.appdynamics.analytics.shared.rest.client.eventservice.DefaultEventServiceClient.searchEvents(DefaultEventServiceClient.java:479) at sun.reflect.GeneratedMethodAccessor20202.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.singularity.ee.controller.beans.analytics.client.AccountCreatingAnalyticsClient$ProxyingEventServiceClient.invoke(AccountCreatingAnalyticsClient.java:10 4) at com.sun.proxy.$Proxy620.searchEvents(Unknown Source) at com.appdynamics.analytics.shared.rest.client.DefaultAnalyticsClient.searchEvents(DefaultAnalyticsClient.java:68) at com.appdynamics.ui.dbmon.impl.query.QueryHelper.search(QueryHelper.java:165) at com.appdynamics.ui.dbmon.impl.esHelpers.DBReportsHelper2.getWaitStateInfoForDB(DBReportsHelper2.java:28) at com.appdynamics.ui.dbmon.impl.services.dashboard.DBServerDashboardUiServiceImpl.getWaitStateData(DBServerDashboardUiServiceImpl.java:215) at sun.reflect.GeneratedMethodAccessor22351.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java :185) at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:540) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:715) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:286) at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:276) at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:181) at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85) at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:135) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.filter.RestSessionFilter.doFilter(RestSessionFilter.java:209) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.CsrfFilter.doFilter(CsrfFilter.java:139) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.AgentRejectionFilter.doFilter(AgentRejectionFilter.java:59) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.RequestOriginMarkingFilter.lambda$doFilter$0(RequestOriginMarkingFilter.java:26) at com.appdynamics.platform.RequestOrigin.runAs(RequestOrigin.java:64) at com.singularity.ee.controller.servlet.RequestOriginMarkingFilter.doFilter(RequestOriginMarkingFilter.java:24) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:105) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:105) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:105) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:105) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:105) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.CacheControlFilter.doFilter(CacheControlFilter.java:65) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.UnsecuredUrlsRejectFilter.doFilter(UnsecuredUrlsRejectFilter.java:78) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734) at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:678) at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174) at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:416) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:283) at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459) at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167) at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:206) at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:180) at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235) at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284) at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201) at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133) at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112) at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:539) at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117) at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56) at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137) at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593) at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573) at java.lang.Thread.run(Thread.java:748)
Labels

Re: Splunk

by SplunkTrust in Splunk Search
‎11-28-2023 09:51 PM
‎11-28-2023 09:51 PM
hi @Muthu_Vinith , using my search, you have the count for each status, so you can sum thre three values using eval and calculate the percentage, this is a simplified version: <your_search> | stats... See more...
hi @Muthu_Vinith , using my search, you have the count for each status, so you can sum thre three values using eval and calculate the percentage, this is a simplified version: <your_search> | stats count(eval(status="Completed")) AS Completed_count count(eval(status!="Completed")) AS Not_Completed_count BY status | eval perc=(Completed_count/Not_Completed_count/*100 without eventual missing statuses. Ciao. Giuseppe

Re: Splunk

by in Splunk Search
‎11-28-2023 09:37 PM
‎11-28-2023 09:37 PM
My requirement is I need to show chart completed vs target my target value is 100 based on this I need to show what is the query for that @gcusello 

Re: Joining two index searches and print the common results

by SplunkTrust in Splunk Search
‎11-28-2023 09:34 PM
‎11-28-2023 09:34 PM
Hi @parthiban  let me understand: you said the you want to correlate the count of Correrlation_IDs in the two searches, is it correct? I don't understand where are correlation_IDs in your results a... See more...
Hi @parthiban  let me understand: you said the you want to correlate the count of Correrlation_IDs in the two searches, is it correct? I don't understand where are correlation_IDs in your results and what's the rule  please try this: (index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received") OR (index = Test2 invoked_component="YYYY" correlation_id="*" message IN ("Successfully created" , "Successfully updated")) | stats count(eval(index="Test1") AS Test1_count count(eval(index="Test2") AS Test2_count count BY correlation_id in this way, you have the results of both searches for corre.atio_ID. Ciao Giuseppe

The Speakatoo API functions properly in POSTMAN but faces issues in my integration.

by in Other Usage
‎11-28-2023 09:33 PM
‎11-28-2023 09:33 PM
While the Speakatoo API performs as expected in POSTMAN, it encounters challenges when integrated into my system.
Labels