Hi @Yogesh.Joshi, We have quite a bit of existing content on Machine Agent. A lot of it is here in the Community. Here are the search results for "Machine Agent" in the Knowledge Base AppD Docs: https://docs.appdynamics.com/appd/onprem/latest/en/infrastructure-visibility/machine-agent/administer-the-machine-agent/faqs-and-troubleshooting-for-the-machine-agent

I have an Enterprise free trial system that I installed on an Ubuntu Server.  In the gui I went to the settings>forwarding and receiving>receiving>add new because I am going to try and set up a forwarder.   On the Add New page I entered 514 in the Listen on this port field.  I get the rror after I click save. I want to use this for gathering syslog data from my OPNsense router and then build a dashboard for it.   I also keep getting this message when trying change settings  CSRF validation failed

@gcusello I do not see an option for upload asset in Splunk Cloud in 9.x version. How to upload image in cloud through UI?Or if not how to refer an external image using href. My image isnt loading though the href sharepoint URL works properly It is just below 2 options Sorry for digging up old post

@scelikok No luck. I have attached outcome screenshot for your reference | search job_name=*Group06* OR job_name=*Group01* - This produce 2 events, 1st one belong to Group06 2nd event belong to Group01 | search job_name=*Group06* OR job_name=rerunGroup - This produce only 1 event belong to Group06   

There can be various reasons for this issue but here are the common ways to troubleshoot this error. First and foremost, - you need to track down the automatic lookup definition - record the lookup definition name being referenced - find the lookup definition and record the lookup table name and then go check the following:   Check if your lookup file exist - you can use the Lookup Editor app to check this or go to: Settings > Lookups > Lookup table files Check if your lookup definition exist - you can check this by going to Settings > Lookups > Lookup definition If you are using an automatic lookup check the following: Do you have the correct read permission to the lookup definition and lookup table? If the permissions are correct, check the lookup table size (see step #3) If you are using the lookup command: Do you have permission to the lookup table or lookup definition? Does your lookup definition exist? Does your search runs fine with adding local=true to your lookup command? This means that your lookup isn't being replicated to the indexer cluster, see step #4. Rare that this happens, but check the lookup table size for the lookup listed in the automatic lookup and check if it exceeds the size defined in [replicationSettings] in distsearch.conf. If the lookup table exceeds whatever size is defined there, the lookup error comes up. Check if the lookup being used is in the deny list under distsearch.conf btool distsearch list replicationBlacklist --debug btool distsearch list replicationDenylist--debug Update: - I installed SSE app v3.7.1 on a new Nix host with Splunk v9.1.1 and I didn't see any lookup errors when I run a search. So I recommend you follow the troubleshooting steps above since I can't replicate the issue with a fresh app and Splunk install.

Hi @Thulasiraman, Can you please try below?  index="jenkins" sourcetype="json:jenkins" job_name="$env$_Group*" event_tag=job_event type=completed | eval rerunGroup = case("$group$"=="Group06", "*Group01*", "$group$"=="Group07", "*Group02*", "$group$"=="Group08", "*Group03*", "$group$"=="Group09", "*Group04*", "$group$"=="Group10", "*Group05*",1==1, "???") |''' table rerunGroup - This shows Group01 in the table ''' | search job_name=*$group$* OR job_name=rerunGroup | head 2 | dedup build_number | stats sum(test_summary.passes) as Pass | fillnull value="Test Inprogress..." Pass

Hi @PickleRick , I changed something in the transforms.conf: # set host=host.name [set_hostname_logstash] REGEX = \"host\":\{\"name\":\"([^\"]+) FORMAT = host::$1 DEST_KEY = MetaData:Host # set source=log.file.path per linux_audit e linux_secure [set_source_logstash_linux] REGEX = \"log\":\{\"file\":\{\"path\":\"([^\"]+) FORMAT = source::$1 DEST_KEY = MetaData:Source [set_sourcetype_logstash_linux_audit] REGEX = . #REGEX = \"log\":\{\"file\":\{\"path\":\"(/var/log/audit/audit.log)\" CLONE_SOURCETYPE = linux_audit [set_sourcetype_logstash_linux_secure] #REGEX = \"log\":\{\"file\":\{\"path\":\"(/var/log/secure)\" REGEX = . CLONE_SOURCETYPE = linux_secure [drop_dead_linux_audit] REGEX = . #REGEX = sourcetype:linux_audit DEST_KEY = queue FORMAT = nullQueue [drop_dead_linux_secure] #REGEX = sourcetype:linux_secure REGEX = . DEST_KEY = queue FORMAT = nullQueue [drop_dead_all] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keep_matching_events_linux_audit] #REGEX = sourcetype:linux_audit REGEX = \"log\":\{\"file\":\{\"path\":\"(/var/log/audit/audit.log)\" DEST_KEY = queue FORMAT = indexQueue [keep_matching_events_linux_secure] REGEX = \"log\":\{\"file\":\{\"path\":\"(/var/log/secure)\" #REGEX = sourcetype:linux_secure DEST_KEY = queue FORMAT = indexQueue [cut_most_of_the_event_linux_audit] REGEX = (?ms).*\"message\":\"([^\"]+).* FORMAT = $1 DEST_KEY = _raw WRITE_META = true [cut_most_of_the_event_linux_secure] REGEX = (?ms).*\"message\":\"([^\"]+).* FORMAT = $1 DEST_KEY = _raw WRITE_META = true and now linux_audit is rcorrectly running, instead linux_secure sometimes loses the extra contents removal. I'm working to understand why. One additional question: when I'll have other data flows, they will be removed or they will remain with the original sourcetype(logstash)? Ciao and thank you very much for your help. Giuseppe

Try something like this | tstats earliest(_time) as earliest_event where earliest=-6mon latest=now [search index=_internal source=/opt/splunk/var/log/splunk/cloud_monitoring_console.log* TERM(logResults:splunk-ingestion) | rename data.* as * | fields idx | rename idx as index] by index