Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hello, we got the following error when setting up the AbuseIPDB API Key setup page (Splunk version 9.0.6):

Is there another way to put in the API key? Cheers
Your example seems to change the underscore to a hyphen (I have assumed that this is a typo). Also, your criteria are not very precise, so I have assumed that you mean not an underscore, followed by an underscore, followed by not an underscore somewhere in the name.

| eval APP=if(match(name,"[^_]_[^_]"),name,null())
| eval Host=if(match(name,"[^_]_[^_]"),null(),name)

You may need to adjust the match expression if the criteria I have used are not what you meant.
I can't make it work. I found some explanation here: https://community.splunk.com/t5/Getting-Data-In/How-to-replace-characters-in-logs-using-SEDCMD-in-props-conf-in/m-p/392306 but they said the change should be made in the HF props.conf. I need to make it work on a UF for Splunk Cloud.
After some help. Is there any way to get this to use a custom port for the 2 servers that use a non-443 port?

| makeresults
| eval dest="url1,url2,url3", dest = split(dest,",")
| mvexpand dest
| lookup sslcert_lookup dest OUTPUT ssl_subject_common_name ssl_subject_alt_name ssl_end_time ssl_validity_window
| eval ssl_subject_alt_name = split(ssl_subject_alt_name,"|")
| eval days_left = round(ssl_validity_window/86400)
| table ssl_subject_common_name ssl_subject_alt_name days_left ssl_issuer_common_name
| sort days_left

I tried adding the port to the first eval, e.g.

| eval dest="url1,url2,url3", dest_port=8443, dest = split(dest,",")

It would be great if both the standard and custom could be returned together.
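The post above splits a comma-separated list of hosts and assumes port 443 for every one of them. The following is an added example (not code from the original post or from the sslcert lookup app) that carries a per-destination port through the same check: it parses a "host" or "host:port" list, defaulting to 443, fetches the leaf certificate over a fully verified TLS connection, and computes days_left the same way the SPL does (round(seconds / 86400)). The "host:port" convention, the placeholder hostnames and the sample certificate dict are assumptions for the example; the sample is shaped like the dict ssl's getpeercert() returns, not a real host's certificate.

```python
"""Added example (not from the original post or the sslcert lookup app): carry a
per-destination port through the certificate check instead of assuming 443.
Assumes destinations are written as "host" or "host:port"; the sample cert is constructed."""
import socket
import ssl
import time
from typing import Dict, List, Optional, Tuple

DEFAULT_PORT = 443


def parse_dest(dest: str) -> Tuple[str, int]:
    """Split "host" / "host:port" / "[v6]:port" into (host, port); port defaults to 443."""
    dest = dest.strip()
    if dest.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = dest[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = dest.partition(":")
    if not host:
        raise ValueError(f"empty host in {dest!r}")
    return host, (int(port) if port else DEFAULT_PORT)


def parse_dest_list(dest_csv: str) -> List[Tuple[str, int]]:
    """Same job as the SPL split(dest, ","), but keeping the port with each host."""
    return [parse_dest(d) for d in dest_csv.split(",") if d.strip()]


def days_left(not_after: str, now: Optional[float] = None) -> int:
    """Days until notAfter, rounded like the SPL round(ssl_validity_window/86400)."""
    end = ssl.cert_time_to_seconds(not_after)     # parses the "Jun 15 00:00:00 2030 GMT" form
    now = time.time() if now is None else now
    return round((end - now) / 86400)


def summarize_cert(cert: dict, now: Optional[float] = None) -> dict:
    """Reduce a getpeercert() dict to the fields the SPL table shows."""
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "ssl_subject_common_name": subject.get("commonName"),
        "ssl_subject_alt_name": sans,
        "ssl_issuer_common_name": issuer.get("commonName"),
        "days_left": days_left(cert["notAfter"], now),
    }


def fetch_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """TLS-connect to host:port with full verification and return the leaf cert as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_all(dest_csv: str, now: Optional[float] = None) -> List[dict]:
    """One row per destination, sorted by days_left; failures become rows with an error field."""
    rows = []
    for host, port in parse_dest_list(dest_csv):
        row: Dict[str, object] = {"dest": host, "dest_port": port}
        try:
            row.update(summarize_cert(fetch_cert(host, port), now))
        except (OSError, ValueError) as exc:      # DNS, refused, timeout, TLS/verify failures
            row["error"] = f"{type(exc).__name__}: {exc}"
        rows.append(row)
    return sorted(rows, key=lambda r: r.get("days_left", float("inf")))


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output (not a real host's cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "web1.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "web1.example.com"), ("DNS", "www.example.com"), ("IP Address", "192.0.2.10")),
    "notBefore": "Jun  1 00:00:00 2029 GMT",
    "notAfter": "Jun 15 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2030 GMT")  # fixed "now" so the sample is repeatable

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, SAMPLE_NOW))
    # Live check (needs network); the hostnames here are placeholders:
    for row in check_all("web1.example.com:8443,web2.example.com,web3.example.com:9443"):
        print(row)
```

A connection failure or a certificate that does not verify is reported as a row with an error field rather than silently dropped, so a host that stops answering on its custom port is still visible in the output.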
Hi _JP, thanks for the response. Yes, the instance is an indexer. I have read the linked documents and I understand more of the detail about the indexer and how it stores various stages of data. I'll review, and in the meantime we will be adding additional FS space. Thank you
Hi @gcusello, when do logs arrive in Splunk after a user has performed an activity?
@Splunkerninja there are many ways to achieve this, for example like below:

| makeresults
| eval name="ft_name_1"
| eval underscorematch=if(match(name,".\_."),"Yes","No")
| eval name_value=if(underscorematch="Yes",name,"NA")
| table name underscorematch name_value
Looks like the Dynatrace tenant is not complete. The part after the tenant is missing: /e/<your_environment>
Hi @AL3Z, could you better describe your question? Logs are indexed when they arrive in Splunk. Are you speaking of Splunk Enterprise or Enterprise Security? Anyway, when an alert is triggered, the alert is written in an indexer in the triggered alerts list or in a lookup, depending on the action you defined for that alert. Ciao. Giuseppe
Hi, I am checking for an underscore in field values and, if it is present, capturing that value. For example: if name has an underscore in it then the value should get assigned to the APP field, and if it does not have an underscore in it then the value should get assigned to the Host field.

name        APP         Host
ftr_score   ftr-score   NA
terabyte    NA          terabyte

I have tried using case and like statements but it does not work as expected.
Hi, I'm curious to know when the logs will be indexed after an incident is triggered in Splunk. Thanks
@meekah Hope you've figured out how to ingest Salesforce logs, but just in case, please try turning off the "Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows" checkbox in your Connected App's settings. It is located under Scopes and Callback URLs (at least in the old UI). I have found different topics with the same problem and the same resolution.
I have a requirement to check if an employee shift roster (a lookup in Splunk) covers 24 hours in a day for each team. If it doesn't, I need to send out an alert to the respective team notifying them that their shift roster is not configured properly. Can anybody help me out as to how I can proceed with this? The employee_shift_roster.csv looks something like this:

Start time   End time   Team     Employee Name   Available
8:00         5:30       Team A   Roger           Y
5:30         8:00       Team A   Federer         Y
8:00         5:30       Team B   Novak           Y
5:30         7:00       Team B   Djokovic        Y

Now the alert should go out to Team B stating that their shift roster is not configured properly because 24 hours are not covered in the shift. Thanks in advance for the help.
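The coverage check the poster describes is an interval-union problem on a circular 24-hour clock: each available shift is an interval of minutes, a shift whose end is earlier than its start wraps past midnight, and a team is correctly configured only when the union of its intervals is the whole day. The following is an added example (not the poster's search or lookup, and not SPL) that implements that check in Python over a roster CSV in the poster's column layout and returns, per team, the spans nobody covers. The roster text is constructed for the example; it reads the poster's "8:00" and "5:30" as 24-hour 08:00 and 17:30, treats End < Start as crossing midnight, and adds a third team whose only row is marked unavailable. Those readings are assumptions.

```python
"""Added example (not the poster's search or lookup): check whether each team's
shift roster covers the full 24-hour day and report the uncovered spans.
Assumes times are 24-hour HH:MM and that End < Start means the shift crosses midnight;
the roster below is constructed for the example."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

DAY = 24 * 60  # minutes

# Constructed roster in the poster's column layout. Team A is covered round the clock,
# Team B has nobody from 19:00 to 08:00, Team C's only entry is marked unavailable.
ROSTER_CSV = """Start time,End time,Team,Employee Name,Available
08:00,17:30,Team A,Roger,Y
17:30,08:00,Team A,Federer,Y
08:00,17:30,Team B,Novak,Y
17:30,19:00,Team B,Djokovic,Y
02:00,04:00,Team C,Alcaraz,N
"""


def to_minutes(hhmm: str) -> int:
    """'17:30' -> 1050; rejects anything outside 00:00..23:59."""
    hours, minutes = (int(part) for part in hhmm.strip().split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + minutes


def fmt(minutes: int) -> str:
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def shift_intervals(start: str, end: str) -> List[Tuple[int, int]]:
    """A shift as half-open minute intervals; one that crosses midnight becomes two."""
    s, e = to_minutes(start), to_minutes(end)
    if s == e:
        return [(0, DAY)]          # same start and end: treated as a full-day shift (assumption)
    if s < e:
        return [(s, e)]
    return [(s, DAY), (0, e)]      # e.g. 17:30-08:00


def merge(intervals: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Union of intervals, sorted and with touching/overlapping ones joined."""
    merged: List[Tuple[int, int]] = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def gaps(intervals: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Minutes of the day not covered by any interval."""
    out: List[Tuple[int, int]] = []
    cursor = 0
    for s, e in merge(intervals):
        if s > cursor:
            out.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < DAY:
        out.append((cursor, DAY))
    # A gap running over midnight shows up as two pieces; join them so it reads as 19:00-08:00.
    if len(out) >= 2 and out[0][0] == 0 and out[-1][1] == DAY:
        out = [(out[-1][0], out[0][1])] + out[1:-1]
    return out


def team_gaps(csv_text: str) -> Dict[str, List[str]]:
    """Per team, the uncovered spans as 'HH:MM-HH:MM' strings (empty list = fully covered)."""
    by_team: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        intervals = by_team[row["Team"]]           # register the team even if nobody is available
        if row["Available"].strip().upper() != "Y":
            continue
        intervals.extend(shift_intervals(row["Start time"], row["End time"]))
    return {team: [f"{fmt(s)}-{fmt(e)}" for s, e in gaps(iv)] for team, iv in by_team.items()}


def teams_to_alert(csv_text: str) -> List[str]:
    """Teams whose roster does not cover the full day: these get the alert."""
    return sorted(team for team, uncovered in team_gaps(csv_text).items() if uncovered)


if __name__ == "__main__":
    for team, uncovered in team_gaps(ROSTER_CSV).items():
        print(team, "OK" if not uncovered else "uncovered: " + ", ".join(uncovered))
```

Reporting the uncovered span rather than a bare yes/no gives the team something actionable in the alert, and rows marked unavailable are deliberately ignored so that a roster full of "N" entries is flagged rather than counted as coverage.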
Hello, I am using Apache Tomcat for my application. Using the AppDynamics console, I downloaded the Java Agent for my application. After adding the agent path under setenv.bat for Apache Tomcat and running the server, I do get a notification saying "Started AppDynamics Java Agent Successfully". However, when I navigate to the Applications tab in the AppDynamics console, I don't see any metrics, and under Application Agents I don't see any agent registered. I verified the controller-info.xml file for the agent and it contains all the parameters to send details to my instance. But the metrics are not reported. Please help.
Machine agent is not starting. I downloaded the machine agent using my AppDynamics login, which provided me with a pre-configured setup for my account. When I try to run the agent using java - Machineagent.jar, I only see the details below. The agent is not initializing:

2023-11-20 11:27:49.417 Using Java Version [11.0.20] for Agent
2023-11-20 11:27:49.417 Using Agent Version [Machine Agent v23.10.0.3810 GA compatible with 4.4.1.0 Build Date 2023-10-30 07:13:09]

Earlier the agent was starting but was not reporting CPU, disk and memory metrics. It only showed the running processes but no metrics data. Please suggest.
The query below is producing results:

index="jenkins" sourcetype="json:jenkins" job_name="$env$_Group*" event_tag=job_event type=completed
| search job_name=*"Group06"* OR job_name=*"Group01"*
| head 2
| dedup build_number
| stats sum(test_summary.passes) as Pass
| fillnull value="Test Inprogress..." Pass

but not this query ($group$ - the dropdown selected option is Group06):

index="jenkins" sourcetype="json:jenkins" job_name="$env$_Group*" event_tag=job_event type=completed
| eval rerunGroup = case("$group$"=="Group06", "Group01", "$group$"=="Group07", "Group02", "$group$"=="Group08", "Group03", "$group$"=="Group09", "Group04", "$group$"=="Group10", "Group05", 1==1, "???")
| search job_name=*$group$* OR job_name=*rerunGroup*
| head 2
| dedup build_number
| stats sum(test_summary.passes) as Pass
| fillnull value="Test Inprogress..." Pass

(Adding | table rerunGroup after the eval shows Group01 in the table.) No big difference except the eval statement and passing the variable value. Can someone please help?
Hello Experts, I was wondering if you can help me figure out how to show the merged values in a field as 'unmerged' when using 'values' in the stats command. (DETAILS_SVC_ERROR) and (FARE/PRCNG/AVL-MULT. RSNS) are different values, but they come out merged; as an example, it merges all values into one when "values" or "list" is used. How do I unmerge them? If I use 'mvexpand' it then expands to a single count even if the values are the same. Thanks in advance, Nishant
This doesn't show you the Total. Total should mean here (txnStatus=FAILED + txnStatus=SUCCEEDED). With the above solution the Total is only the total of 'FAILED' in txnStatus. I want total to be the absolute total (FAILED + SUCCEEDED).
I, too, found this very helpful. Thanks guys.
Hi @richgalloway, I have changed the stanza to script from monitor but am still unable to see any data in Splunk. Is there anything else I have to check?