All Posts

Solution: Please check if analytics is enabled in the Machine Agent: <APPDYNAMICS_HOME>/<Machine_Agent>/monitors/analytics-agent/monitor.xml should contain <enabled>true</enabled>. Thanks.
Hi, The code is like:

index=main host=server10 (EventCode=4624 OR EventCode=4634) Logon_Type=3 NOT user="*$" NOT user="ANONYMOUS LOGON"
| dedup user
| where NOT MsgID=="AUT22673"
| eval LoginTime=_time
| table user LoginTime

The output will list active RDP users. No idea how to fix the rest of it, either:
1: If the number of users == 0, then print "No Remote desktop user"
2: Or put the number of users into a Single Value or Radial Gauge (not the username)
Sounds so easy but I cannot figure out how to fix it. Too little Splunk experience.
Rgds Geir
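An added example (editor's, not from the post) that covers both requests in one pipeline: count the distinct users left after the filters, and turn a zero into the message. The field names and the literal AUT22673 are the asker's; the makeresults part stands in for the real index=main host=server10 search with constructed rows so it runs anywhere, and is the part to swap out. One caveat for readers: Windows Logon_Type 3 is a network logon, while interactive RDP sessions are normally recorded as Logon_Type 10 (RemoteInteractive), so confirm which type your environment logs before treating this count as active RDP sessions.

```spl
| makeresults count=5
| streamstats count AS n
| eval user=case(n==1, "alice", n==2, "bob", n==3, "alice", n==4, "WS01$", n==5, "ANONYMOUS LOGON")
| eval EventCode=4624, Logon_Type=3, MsgID=if(n==3, "AUT22673", "AUT10001")
| search NOT user="*$" NOT user="ANONYMOUS LOGON"
| where NOT MsgID=="AUT22673"
| dedup user
| stats count AS active_users
| eval display=if(active_users==0, "No Remote desktop user", tostring(active_users))
```

With the constructed rows this yields active_users=2 (alice and bob; the machine account, ANONYMOUS LOGON and the AUT22673 event are filtered out). For option 2, point a Single Value or Radial Gauge panel at active_users and drop the last eval; for option 1, display the display field instead. The zero case works because stats count still emits one row with count 0 when no events survive the filters, which is what lets the if() branch produce the message.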
| makeresults
| eval _raw="id;x;y;z;k
a;1;;;
a;;1;;
a;;;1;
a;2;;;
a;;2;;
a;;;;1
b;1;;;
b;;1;;
b;;;1;
b;2;;;
b;;2;;
b;;;;1
a;;1;;
a;;;1;
a;2;;;
a;;2;;
a;;;;1
b;1;;;
b;;1;;
b;;;1;
b;2;;;
b;;2;;
b;;;;1"
| multikv forceheader=1
| fields id x y z k
| table id x y z k
| stats first(*) AS * BY id

I have data of the following form, where the usual variables Z and K (might) have multiple measurements that are not unique, so I use "| stats first()" to aggregate them to the ID. However, there are variables X and Y that do contain multiple unique values (which might also repeat). In the end I would like to obtain a table like so:

id x1 x2 y1 y2 z k
a  1  2  1  2  1 1
b  1  2  1  2  1 1

Where (ideally) the fields of X and Y are numbered for each unique value (NOT the value in the field), so that if 3 unique values are in the data it would yield X1, X2, X3.
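An added example (editor's, not from the post) of the numbering the post asks for, assuming the same five columns. The rows are constructed to match the post's data, with two repeated measurements appended to show that repeats collapse: values() keeps one copy of each distinct x and y per id, mvrange/mvzip number those copies 1..n, and eval {col} writes each numbered value into its own column, so three distinct values would produce x1, x2, x3 without changing the query.

```spl
| makeresults
| eval rows="a,1,,, a,,1,, a,,,1, a,2,,, a,,2,, a,,,,1 b,1,,, b,,1,, b,,,1, b,2,,, b,,2,, b,,,,1 a,,1,, b,2,,,"
| makemv delim=" " rows
| mvexpand rows
| rex field=rows "^(?<id>[^,]*),(?<x>[^,]*),(?<y>[^,]*),(?<z>[^,]*),(?<k>[^,]*)$"
| foreach x y z k [ eval <<FIELD>>=if(len('<<FIELD>>')>0, '<<FIELD>>', null()) ]
| stats values(x) AS x values(y) AS y first(z) AS z first(k) AS k BY id
| foreach x y [ eval <<FIELD>>_pairs=mvzip(mvrange(1, mvcount('<<FIELD>>')+1), '<<FIELD>>', "=") ]
| eval cols=mvappend(mvmap(x_pairs, "x".x_pairs), mvmap(y_pairs, "y".y_pairs))
| fields - x y x_pairs y_pairs
| mvexpand cols
| rex field=cols "^(?<col>[^=]+)=(?<val>.*)$"
| eval {col}=val
| fields - cols col val
| stats values(*) AS * BY id
| table id x* y* z k
```

The foreach after rex turns empty captures into nulls so that values() and first() ignore them. Numbering follows the order values() returns, which is lexicographic, so "10" sorts before "2"; if the measurements are numeric and order matters, sort them numerically before zipping. mvmap requires Splunk 8.0 or later.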
@bowesmana Can you please guide me on what changes I should make? Should I change the cron schedule expression, or do I need to make a change in my queries? Please guide.
I am appending results from the query below, which will display different objectTypes.

suppliedMaterial:

index="" source="" "suppliedMaterial" AND "reprocess event"
| stats count
| rename count as ReProcessAPICall
| appendcols [search index="" source="" "suppliedMaterial" AND "data not found for Ids"
    | eval PST=_time-28800
    | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=dataNotFoundIds path=dataNotFoundIds{}
    | stats values(*) as * by _raw
    | table dataNotFoundIds{}, dataNotFoundIdsCount, PST_TIME3
    | sort - PST_TIME3 ]
| appendcols [search index="" source="*" "suppliedMaterial" AND "sqs sent count"
    | eval PST=_time-28800
    | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath sqsSentCount output=sqsSentCount
    | stats values(*) as * by _raw
    | table sqsSentCount PST_TIME4
    | sort - PST_TIME4 ]
| appendcols [search index="" source="" "suppliedMaterial" AND "request body"
    | eval PST=_time-28800
    | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=version path=eventBody.version
    | spath output=objectType path=eventBody.objectType
    | stats values(*) as * by _raw
    | table version, objectType ]
| table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall

For Material:

index="" source="" "material" AND "reprocess event"
| stats count
| rename count as ReProcessAPICall
| appendcols [search index="" source="*" "material" AND "data not found for Ids"
    | eval PST=_time-28800
    | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=dataNotFoundIds path=dataNotFoundIds{}
    | stats values(*) as * by _raw
    | table dataNotFoundIds{}, dataNotFoundIdsCount, PST_TIME3
    | sort - PST_TIME3 ]
| appendcols [search index="" source="*" "material" AND "sqs sent count"
    | eval PST=_time-28800
    | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath sqsSentCount output=sqsSentCount
    | stats values(*) as * by _raw
    | table sqsSentCount PST_TIME4
    | sort - PST_TIME4 ]
| appendcols [search index="" source="" "material" AND "request body"
    | eval PST=_time-28800
    | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=version path=eventBody.version
    | spath output=objectType path=eventBody.objectType
    | stats values(*) as * by _raw
    | table version, objectType ]
| table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall

My actual output is:

objectType        version  dataNotFoundIdsCount  sqsSentCount  ReProcessApiCall
suppliedMaterial  all      4                     15            12
suppliedMaterial  latest   2                     19
suppliedMaterial  all      3                     11
Material          latest   6                     10
Material          latest   5                     4
Material          all      4                     1
Material          all      2                     3

My expected output is: basically, I need to count the two fields (dataNotFoundIdsCount and sqsSentCount, based on the version, whether 'all' or 'latest') from the previous queries. I am thinking of using the version as dynamic values and bringing a conditional check into those queries to add the field values for each version and name them dataNotFoundIdsCount_all and dataNotFoundIdsCount_latest. Finally, in the last query, again check the version and show the sum. Please advise if there's an easy way of doing this.

objectType        version  dataNotFoundIdsCount  sqsSentCount  ReProcessApiCall
suppliedMaterial  all      4                     15            12
suppliedMaterial  latest   2                     19
Material          all      3                     11
Material          latest   6                     10
Hi, It's not working. It returns all the logs for sourcetype=accesslogs. But our aim is to join the 2 sourcetypes to get the userId for the failure logs.
Hi Splunk gurus, I just wanted to enquire whether anyone has seen any correlation between high IOWait and CPU utilization. I have a client that is experiencing some search performance issues after upgrading from version 8.2.9 to version 9.0.6. Their users are complaining about search lag and overall slowness in Splunk Web when running searches. Just curious if anyone has encountered this? Thank you in advance for any answers given. Mikhael
I have two kinds of input, and I want only one of the two inputs to work at a time. What should I do?
Pro tips: Post data (real or emulated) in text. Post how you want the result to look, in text. Explain the logic between the two.

The last screenshot is impossible. Your search is "| stats count by matching" but the results table has the header "matchingFields" instead. Additionally, your very first screenshot looks like part of a spreadsheet; there is no space after the comma, and no square brackets ([ and ]) at the two ends. Is this "match" text field bounded by brackets? Are spaces present in this text field?

Furthermore, if the "match" text exists in raw events, why not filter directly in the index search? There are only two possible combinations of MobileNumber and CountryCode. You can do something like:

index="source*" match IN ("[MobileNumber, CountryCode]", "[CountryCode, MobileNumber]")
| stats count by match

Bottom line, you need to describe and illustrate the data precisely (anonymize as needed but keep the characteristics accurate), illustrate the desired results clearly, and then state your logic clearly.
Hello @woodcock, I have a somewhat similar scenario, but my old SH has ES version 6.0 installed and the new SH, which is in the migration stage, has ES version 7.2. Can I copy the $SPLUNK_HOME/etc/SplunkEnterpriseSecuritySuite directory to the new SH? Will this work?
Hi, May I know if I can push data from Splunk to Dynatrace through this API: https://docs.trustar.co/api/v20/index.html#tag/Submission/operation/searchSubmissions ? We're looking to have just one dashboard, through Dynatrace. Hence the need to ingest data from Splunk. Thanks
Hello Team, Referring to the attached screenshot: I updated Splunk from 8.1.1 to 9.1.0.2. Below are the failure messages I can see (attached screenshot). Please let me know how I can overcome or fix these errors.
When I click on the Sync with ThousandEyes button in User Experience, I get the error message "Sync with ThousandEyes failed. Please try again". By inspecting the page, I found a 500 HTTP error for "https://cisco-thousandeyes.saas.appdynamics.com/controller/restui/network/fullsync" [HTTP/1.1 500 Internal Server Error 3755ms]. I used my OAuth token from ThousandEyes in the Integration settings in AppD and I can receive alerts in AppD from ThousandEyes, so this error is not related to the token, and it looks more like an internal error on the AppD server side.
If you have logic that can convert serveraaaname to AAA, then you can write the SPL to extract that name and show it as the system name. If you want to take any characters between the two words server and name, then it's simply:

| rex field=blabla "server(?<systemname>.*)name"
| eval systemname = upper(systemname)
Copy/paste this example into your search window:

| makeresults
| eval _raw="http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO REQEST XML
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO Operation started
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,112 ERROR Operation error .WsdlFault: Failed to process
CALL STACk
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO Operation failed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO request processed
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}
http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO REQEST XML
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO Operation started
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Operation Success
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO request processed
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Processed {1234-6789}"
| multikv noheader=t
| eval _raw=Column_1.if(len(Column_2)>0,",".Column_2,"")
| table _raw
| rex "(?<t>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})"
| eval _time=strptime(t, "%FT%T,%Q")
``` Your data set up above ```
| rex "http-nio-8080-exec-(?<id>\d+).* (?<status>INFO|ERROR) (?<message>.*)"
| rex field=message "\{(?<op_id>\w+-\w+)"
| eval status=case(message="Operation failed", "Failed", message="Operation Success", "Success", true(), null())
| stats min(eval(if(message="Operation started", _time, null()))) as Op_Started values(op_id) as op_id values(status) as status by id

It takes your example data, assumes the first part is some kind of thread id, and then does some extractions to join the data together. If that thread id can occur more than once in your search range, then this won't work.
So I have various alerts which have the system name somehow embedded in any place. I am looking for a query which says, "if the system name is found anywhere in the alert (upper or lower case), it should output the appropriate "system name" in the "system_name" field."
Your example will not work. As I understand it, Jname comes from index=jedi and Sname comes from index=sith, so unless you aggregate the events together, Jname and Sname will never exist in the same event. So try my example.
Does this mean anything? Is http-nio-8080-exec-6 some kind of thread id?
Just the Jname and Sname need to match, and all the other columns will coalesce. Because of the sheer size of the Sname index (I set it up as our Windows log index), it worries me. However, if I can find a way to drill down and expedite:

index IN (jedi, sith)
| table saber_color, Jname, Sname, strengths
| where Jname=Sname

That is what I am trying. I'll give it a shot with your method. @bowesmana
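An added example (editor's, not from either post) of the kind of aggregation the reply above points to, with constructed rows standing in for index=jedi and index=sith: bring both indexes back in one search, build one common key from whichever name field the event carries, then stats by that key and keep only keys seen in both indexes. saber_color, strengths, Jname and Sname are the asker's fields; the row values are made up.

```spl
| makeresults count=5
| streamstats count AS n
| eval index=if(n<=2, "jedi", "sith")
| eval Jname=case(n==1, "obi-wan", n==2, "yoda")
| eval Sname=case(n==3, "obi-wan", n==4, "maul", n==5, "yoda")
| eval saber_color=case(n==1, "blue", n==2, "green", n==4, "red")
| eval strengths=case(n==3, "defense", n==5, "lightning")
| eval name=coalesce(Jname, Sname)
| stats dc(index) AS sources values(index) AS index values(saber_color) AS saber_color values(strengths) AS strengths BY name
| where sources==2
| table name index saber_color strengths
```

With these rows, obi-wan and yoda survive with their saber_color from jedi and strengths from sith merged onto one row, and maul is dropped because he only appears in sith. Against real data, replace the makeresults and eval lines with index IN (jedi, sith) and add "| fields index Jname Sname saber_color strengths" before the stats so the large sith index is not carrying every field through the aggregation. Unlike join, stats has no subsearch row or time limit, which is what makes it safe on a big Windows index.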
In case of success, the info is:

http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO REQEST XML
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,062 INFO Operation started
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Operation Success
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO request processed
http-nio-8080-exec-14 nteg 2023-11-14T10:33:30,118 INFO Processed {1234-6789}
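The answer earlier in this thread works as long as each http-nio-8080-exec-N thread appears once in the search window, and it says so. This added example (editor's, not from the thread) handles thread reuse by counting "REQEST XML" lines per thread with streamstats, so every request gets its own sequence number and the final stats groups by thread and sequence. The log lines are constructed from the formats posted in this thread, with exec-6 deliberately reused for a failed and then a successful request.

```spl
| makeresults
| eval line=mvappend(
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO REQEST XML",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,062 INFO Operation started",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,112 ERROR Operation error .WsdlFault: Failed to process",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO Operation failed",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 INFO request processed",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:30:30,118 ERROR exception thrown regarding {ABCDEFGH-IJKL}",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:33:30,062 INFO REQEST XML",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:33:30,062 INFO Operation started",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:33:30,118 INFO Operation Success",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:33:30,118 INFO request processed",
    "http-nio-8080-exec-6 nteg 2023-11-14T10:33:30,118 INFO Processed {1234-6789}")
| mvexpand line
| rex field=line "^http-nio-8080-exec-(?<id>\d+) \S+ (?<t>\S+) (?<level>INFO|ERROR) (?<message>.*)$"
| eval _time=strptime(t, "%Y-%m-%dT%H:%M:%S,%3N")
| streamstats count(eval(message=="REQEST XML")) AS req_seq BY id
| rex field=message "\{(?<op_id>[^}]+)\}"
| eval outcome=case(message=="Operation failed", "Failed", message=="Operation Success", "Success")
| stats min(eval(if(message=="Operation started", _time, null()))) AS op_started values(op_id) AS op_id values(outcome) AS outcome BY id req_seq
| eval op_started=strftime(op_started, "%Y-%m-%dT%H:%M:%S,%3N")
```

This produces two rows for id=6: req_seq=1 started at 10:30:30,062 with op_id ABCDEFGH-IJKL and outcome Failed, and req_seq=2 started at 10:33:30,062 with op_id 1234-6789 and outcome Success. The constructed rows are already oldest-first; a real search returns events newest-first, so insert "| reverse" before the streamstats so the counter increments in the order the requests actually happened. The trailing "exception thrown regarding" line still lands on the right request because it arrives before the next "REQEST XML" on that thread.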