Hello sir/madam, I tried to migrate data from Events services 4.5.x to 23.x and I followed steps mentioned in https://docs.appdynamics.com/appd/onprem/23.2/en/events-service-deployment/data-migration-from-events-service-4-5-x-to-23-x/migrate-events-service-from-version-4-5-x-to-23-x. When I finished those steps, an error occured in the log files . After that, I submited the new events service in  admin.jsp and then some data lost. You can observe the thrown exception in the attahced image. @Ryan.Paredez  I look forward to hearing from you. Regards Hamed

We are using Microsoft Graph Security API Add-On to ingest all security alerts for our org using the Microsoft Graph Security API. Recently access token became invalid and the data paused. We renewed the secret key and updated with new one. Till then data ingestion is paused and no backfill happened after that. Is there any way I can backfill that paused one week data. Any help or point of contacts or link to read would be beneficial? Is that something to do in source end to re-ingest the data via Add-On again?

Hi there, I have this query: index=_internal source="*license_usage.log" | eval bytes=b | eval GB = round(bytes/1024/1024/1024,3) | timechart span=1d sum(GB) by h This query shows results like this: _time host1 .... 2023-11-10     2023-11-11     ...       And I want results like this: Host 2023-11-10 .... host1     host2     ...       How I can do this?

Hello, I have a problem, how do I get a fourth value from a table and scatterplot to use the value in a token? We have a table with 4 columns and a scatterplot chart for display. article, value, calculate category and PartnerId Unfortunately, the PartnerId is not displayed in the scatterplot chart. Can I somehow read out the fourth value to display further details on a PartnerID in a dashboard?

Sometimes, running the same search generates different orders when trellis visualization is used.  For example,   ((sourcetype=A field1=*) OR (sourcetype=B user=* field2=*)) clientip=* earliest="01/24/2023:02:00:00" latest="01/24/2023:08:00:00" | fields clientip user field1 field2 | eval user = mvindex(split(user, ":"), 1) | eventstats values(user) as user by clientip | eval clientip = clientip . if(isnull(user), "/", "/" . mvjoin(user, ",")) | timechart span=5m limit=19 count(field1) as s1 count(field2) as s2 by clientip   Here, field1 only exist in sourcetype A, user and field2 only exist in sourcetype B; search period is fixed in the past.  This means that search result cannot change.  But the following are two screenshots of two consecutive executions.   They show the same number of trellis with exact same clientip titles; each clientip's graph is also the same across the two runs.  But obviously the order is rearranged. (In Statistics view, columns are arranged in lexicographic order of "s1:clientip" and "s2:clientip".) Is there some way to be certain of the order?

Greetings, I have Splunk 9.1.1 trying to import an aruba 7210 into splunk using the aruba app with udp 514. Sourcetype: aruba:syslog. I have other devices (cisco) going into the same splunk instance and they are reporting ok.  the splunk server can ping the aruba and vice versa.  should i try any other source types?  anything else I should look for to search under the hood to see why communication is not occurring? Thank you,

I have a use case that requires logging to be captured and have following this document here: How do I set up the ForgeRock Identity Cloud app for Splunk? Which references --> https://splunkbase.splunk.com/app/6272 ForgeRock Identity Cloud App for Splunk captures audit and debug logs from ForgeRock Identity Cloud tenants. A sample dashboard is included to graphically illustrate various captured metrics, for example, authentication events, identity registrations, and top-active users. Sample searches are also included to extend or modify the sample dashboard. Problem is the app should not be calling the following endpoint: /monitoring/logs/tail  It should be calling the following endpoint as noted in the ForgeRock Product Documentation-> /monitoring/logs To reduce unwanted stresses on the system, Identity Cloud limits the number of requests you can make to the /monitoring/logs endpoint in a certain timeframe: The page-size limit is 1000 logs per request. The request limit is 60 requests per minute. The theoretical upper rate limit is therefore 60,000 logs per minute. The reason this needs to be changed is when  using the Logs tail endpoint The /monitoring/logs/tail endpoint has the same limits and response headers as the /monitoring/logs endpoint described above. However, the endpoint also has a limit of 20,000 lines per request, which supersedes the page-size limit of 1000 logs per request. Because calls to the /monitoring/logs/tail endpoint do not always fetch all logs, use this endpoint for debugging only. Use the /monitoring/logs endpoint when you need to fetch all logs. I did find: grep -i -R "/tail" forgerock/   Which pointed me to :   forgerock//bin/input_module_forgerock.py:        response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs/tail", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False)   Lines 51-52 of input_module_forgerock.py shows:   # The following examples send rest requests to some endpoint. response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs/tail", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False) I suspect updating this to the following /monitoring/logs may resolve this and restarting the app:   # The following examples send rest requests to some endpoint. response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False) But when trying to grab logs its failing: 2023-11-16 15:33:34,178 DEBUG pid=261576 tid=MainThread file=connectionpool.py:_make_request:461 | https://openam-testxyz.id.forgerock.io:443 "GET /monitoring/logs?source=am-authentication%2Cam-access%2Cam-config%2Cidm-activity&_pagedResultsCookie=eyJfc29ydEzbnRpY25Il19fQ HTTP/1.1" 500 74 2023-11-16 15:33:34,179 INFO pid=261576 tid=MainThread file=base_modinput.py:log_info:295 | Unexpected response from ForgeRock: 500 2023-11-16 15:33:34,179 ERROR pid=261576 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Login Traceback (most recent call last): File "/opt/splunk/etc/apps/forgerock/bin/forgerock/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/forgerock/bin/forgerock.py", line 76, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/forgerock/bin/input_module_forgerock.py", line 60, in collect_events response.raise_for_status() File "/opt/splunk/etc/apps/forgerock/bin/forgerock/aob_py3/requests/models.py", line 943, in raise_for_status raise HTTPError(http_error_msg, response=self) Hoping someone has an idea @jknight