All Posts

Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Splunk gurus, just wanted to enquire if anyone has seen any correlation between high IOWait and CPU utilization? I have a client that is experiencing some search performance issues after upgrading from version 8.2.9 to version 9.0.6. Their users are complaining about search lag and overall slowness in Splunk Web when running searches. Just curious if anyone has encountered this? Thank you in advance for any answers given.

Mikhael
I have two kinds of input. I want to make only one of the two inputs work at one time; what should I do?
Pro tips: Post data (real or emulated) in text. Post how you want the result to be in text. Explain the logic between the two. The last screenshot is impossible. Your search is "| stats count by matching" but the results table has the header "matchingFields" instead. Additionally, your very first screenshot looks like part of a spreadsheet; there is no space after the comma, and no square brackets ([ and ]) on the two ends. Is this "match" text field bounded by brackets? Are spaces present in this text field? Furthermore, if the "match" text exists in raw events, why not filter directly in the index search? There are only two possible combinations of MobileNumber and CountryCode. You can do something like

index="source*" match IN ("[MobileNumber, CountryCode]", "[CountryCode, MobileNumber]")
| stats count by match

Bottom line, you need to describe and illustrate data precisely (anonymize as needed but keep characteristics accurate), illustrate desired results clearly, and then state your logic clearly.
Hello @woodcock, I have a somewhat similar scenario, but my old SH has ES version 6.0 installed and the new SH, which is in the migration stage, has ES version 7.2. Can I copy the $SPLUNK_HOME/etc/SplunkEnterpriseSecuritySuite directory into the new SH? Will this work?
Hi, may I know if I can push data from Splunk to Dynatrace through this API https://docs.trustar.co/api/v20/index.html#tag/Submission/operation/searchSubmissions ? We're looking to have just one dashboard through Dynatrace, hence the need to ingest data from Splunk. Thanks
Hello Team, please refer to the attached screenshot below. I updated Splunk from 8.1.1 to 9.1.0.2. Below are the failed messages I can see (attached screenshot). Please let me know how I can overcome or fix these errors.
When I click on the Sync with ThousandEyes button in User Experience I get the error message "Sync with ThousandEyes failed. Please try again". By inspecting the page, I found a 500 HTTP error to "https://cisco-thousandeyes.saas.appdynamics.com/controller/restui/network/fullsync" [HTTP/1.1 500 Internal Server Error 3755ms]. I used my OAuth token from ThousandEyes in the Integration settings in AppD and I can receive Alerts in AppD from ThousandEyes, so this error is not related to the token, and it looks more like an internal error from the AppD server side.
If you have logic that can convert serveraaaname to AAA then you can write the SPL to extract that name and show it as the system name. If you want to take any characters between the two words server and name, then it's simply

| rex field=blabla "server(?<systemname>.*)name"
| eval systemname = upper(systemname)
Copy/paste this example into your search window:

| makeresults
| eval _raw="http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO REQEST XML
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO Operation started
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,112 ERROR Operation error .WsdlFault: Failed to process CALL STACk
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO Operation failed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO request processed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO REQEST XML
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO Operation started
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Operation Success
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO request processed
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Processed {1234-6789}"
| multikv noheader=t
| eval _raw=Column_1.if(len(Column_2)>0,",".Column_2,"")
| table _raw
| rex "(?<t>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})"
| eval _time=strptime(t, "%FT%T,%Q")
``` Your data set up above ```
| rex "http-nio-8080-exec-(?<id>\d+).* (?<status>INFO|ERROR) (?<message>.*)"
| rex field=message "\{(?<op_id>\w+-\w+)"
| eval status=case(message="Operation failed", "Failed", message="Operation Success", "Success", true(), null())
| stats min(eval(if(message="Operation started", _time, null()))) as Op_Started values(op_id) as op_id values(status) as status by id

It takes your example data and assumes the first part is some kind of thread id, and then does some extractions to join the data together. If that thread id can occur more than once in your search range, then this won't work.
So I have various alerts which have the system name somehow embedded in any place. I am looking for a query which says, "if the system name is found anywhere in the alert (upper or lower case), it should output the appropriate 'system name' in the 'system_name' field."
Your example will not work. As I understand it, Jname comes from index=jedi and Sname comes from index=sith, so unless you aggregate the events together, Jname and Sname will never exist in the same event. So try my example.
Does this mean anything: http-nio-8080-exec-6? Is that some kind of thread id?
Just the Jname and Sname need to match and all the other columns will coalesce. Because of the sheer size of the Sname index (I set it up as our Windows log index) it worries me. However, if I can find a way to drill down and expedite:

index IN (jedi AND sith)
| table saber_color, Jname, Sname, strengths, saber_color
| where Jname=Sname

That is what I am trying. I'll give it a shot with your method. @bowesmana
In case of success the info is

http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO REQEST XML
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO Operation started
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Operation Success
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO request processed
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Processed {1234-6789}
OK, so you don't have any correlation in the lookup to match against the event... So, if you have a field 'Subject' containing the string "File system alert on ..." then you can get the system name from that like this

| rex field=Subject "File system alert on (?<system>.*)"

which will work for AAA and BBB, but I am not sure how you would map 'server serveraaaname' to AAA in your example - what is the rule for that mapping?
Thanks @bowesmana for looking into this. Good point about whether the Success/failed message relates to a specific id or not; that is why I am trying to map the time stamp of the success/fail to that processed id, and also filter to a host to compare. The actual log info is

http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO REQEST XML
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO Operation started
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,112 ERROR Operation error .WsdlFault: Failed to process CALL STACk
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO Operation failed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO request processed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}

Thanks
I don't see any new line character. I have attached a snippet of the event. Please let me know how I can send the event file (.json file); JSON is not a supported attachment here.
I use Splunk UBA 5.3.0. When I try to add a data source with Splunk Direct, raw events, I get the error "There was an error processing your request. It has been logged (ID ...)". How do I fix it? I use Splunk Enterprise 9.0.0 (Splunk Enterprise and Splunk UBA are fresh installs). Thanks for your help.
How do you know that the success/failed message relates to a specific id? In your example, the status comes before the message id event. What if you have more than one event id coming and they are out of sync?
If you have a known max limit of keys, then you can do it without the mvexpand, which, if you have a large dataset, can hit memory issues.

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<k>[^/]*)/(?<v>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10 [ eval _k=mvindex(k, <<FIELD>>), {_k}=mvindex(v, <<FIELD>>) ]

Just put in the foreach statement the maximum number of possible key/value pairs you have.