All Posts

Hello @Aditya Kumar.Maddala, please check out the AppD Docs site for PHP Supported Environments: https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-server-agents/php-agent/php-supported-environments
Splunk and its apps do not handle networking directly.  There is no reason why they will not do the job if the destination is addressable by the operating system's networking stack, IPv6 or IPv4.
Hi @Yann.Buccellato, I heard back from the Docs team.  The field is formatted in SAP-specific type TIMS and the value is presented in HH:MI:SS format. The documentation pages will be updated after the upcoming 23.11.0 release to reflect this information. Does this help?
You haven't provided sufficient information for anyone to be able to determine why your search picked up events which you weren't expecting, or why your search failed to exclude these from your alert. It is like me asking you, why did my search fail?
I haven't been able to find any documentation stating whether or not DB Connect is IPv6 compatible. My customer has a requirement to migrate to IPv6 and I need to know if this app will still be able to pull data from an MS-SQL DB once the protocol changes.
Thanks for your answer, even if it's not really easy to understand. The data are approximately indexed every 20 minutes. So concerning my problem, I don't understand why my last related event vs. my alert happened last Friday, and why my alert has occurred once again today.
Please help me with the below.

Requirements: once 3 events are met, the next event should be published immediately. If that event is not published after 5 min, I need an alert.

Example: we have one customerno. For the customer number, I have to search whether the logs for the 3 events are available in the Splunk log or not, e.g.:

index=1 sourcetype="abc" "s1 event received" AND "s2 event received" AND "s3 event received"

When I search the above query, I get something like:
S1 received for customer 12345
S2 received for customer 12345
S3 received for customer 12345

If all 3 events are met for one customer, next I want to search whether the "created" message is available in Splunk for the same customer (12345). Here the "created" message has a different index and sourcetype. If the "created" message is not available for customer no. 12345 after 5 min once all 3 events are met, I need an alert. Please help with this query.
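One way to express this funnel check as a single scheduled alert search. This is an added example, not a reply from the thread or anything from Splunk's documentation. It assumes the three stage messages live in an index called app_events with sourcetype abc, the "created" message lives in an index called order_events with sourcetype order_api, and that a field named customerno is already extracted from both sourcetypes (all four names are placeholders; substitute your own).

```spl
(index=app_events sourcetype="abc" ("s1 event received" OR "s2 event received" OR "s3 event received"))
OR (index=order_events sourcetype="order_api" "created")
| eval stage=case(searchmatch("s1 event received"), "s1",
                  searchmatch("s2 event received"), "s2",
                  searchmatch("s3 event received"), "s3",
                  searchmatch("created"), "created")
| stats count(eval(stage="s1")) AS s1,
        count(eval(stage="s2")) AS s2,
        count(eval(stage="s3")) AS s3,
        count(eval(stage="created")) AS created,
        max(eval(if(stage!="created", _time, null()))) AS third_event_time
        BY customerno
| where s1>0 AND s2>0 AND s3>0 AND created=0 AND third_event_time < now()-300
| eval waited_min=round((now()-third_event_time)/60, 1)
| table customerno third_event_time waited_min
```

The first two lines pull both sourcetypes in one search so that stats can group them by customerno; case() labels each event with its stage, and the stats line counts each stage per customer and records the time of the last stage event (the moment all three were met). The where clause keeps only customers with all three stages, no "created" message, and more than 300 seconds elapsed since the third stage event. Schedule it every 5 minutes with a time range wide enough to cover the whole funnel for one customer (for example earliest=-24h), and throttle the alert on customerno so a still-missing "created" message does not page again every 5 minutes. If the customer number is extracted under different field names in the two sourcetypes, add an eval such as customerno=coalesce(customerno, custno) before the stats.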
Alerts have throttles, but that's at the alert level, not at the level of the events which have been looked at. As I said, it depends on your search and your data. For example, if you are searching over 25 hours, every 24 hours, there will be an overlap of 1 hour. Having said that, it depends how quickly your data is indexed (real lag), and how far behind your timestamp field (_time) is from actual time (extended lag). In order to fashion a search which takes these factors into account, you need to understand your data, how it is indexed, when it is indexed, etc. When you know this, you might have a chance at eliminating events which you have (or may have) already looked at. Another way you might approach this is to copy the events you have looked at into a summary index and then ignore any events which are already in your summary index.
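The two approaches described in the answer above, as an added example that is not part of the thread or of Splunk's documentation. It assumes an index called app with sourcetype abc, that the alert is scheduled once a day a few minutes after the hour (for example at 00:05), and that a summary index called alerted_events already exists (all placeholders). The first line selects by index time rather than by _time, so indexing lag cannot push an event into a window the alert has already searched; the subsearch then drops anything already recorded in the summary index, and collect records what this run looked at.

```spl
index=app sourcetype=abc "error"
    earliest=-7d _index_earliest=-24h@h _index_latest=@h
| eval event_id=sha256(host . "|" . source . "|" . _time . "|" . _raw)
| search NOT [search index=alerted_events earliest=-30d | table event_id]
| rename _raw AS msg, host AS orig_host, source AS orig_source
| table _time orig_host orig_source event_id msg
| collect index=alerted_events
```

Because _index_earliest and _index_latest are snapped to the hour and the alert runs every 24 hours, consecutive runs cover adjacent, non-overlapping index-time windows regardless of how far behind _time lags (earliest=-7d only bounds how old an event's _time may be). The summary-index check is a second line of defence for the case where the schedule is changed or a run is repeated by hand; note that the subsearch is capped at 10,000 results by default, so keep its time range proportional to the alert volume. Renaming _raw to msg before collect makes the summary event a set of key=value pairs, so event_id is searchable in the summary index without a custom extraction.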
Understood.  Thanks again!
Do you have an example of how to filter events that have already been looked at? Is there any alert customization for doing that, like throttle or expiration?
Your search has to be able to filter out the events you don't want, or have already looked at. This will depend on your search and your data.
* doesn't work (as a wildcard) for where, only for search.
Hi, I use a Splunk alert with a 24 hour slot time. What is strange is that this alert shows me an event older than 24 hours, so I have 2 questions:
1) How is it possible that an alert occurs with an event outside the slot time specified?
2) How can I customize the alert to be sure that it shows only new events and not events already shown? It means that I need the alert to occur just one time when an event is detected.
Thanks
Hello, thanks for your correction and your help. So this is what I am looking for:

| where (isnotnull(vuln) AND isnotnull(score) AND len(company)>0) OR isnotnull(vuln) OR len(company)>0

Any idea why * didn't work? It seems like "where" is faster than "search". Thank you
Not so easy, because you have said your lookup contains wildcards. You could append the list of sources from your lookup and count the occurrences, but you might get false positives/negatives where you found a source which matched the wildcard:

| append [| inputlookup pvs_source_list | table source]
| stats count by source
| where count < 2
Hi @inventsekar, you guessed it right! I'm only looking to use Splunk for a small Network Forensics project where I need to demo an attack on an internal network. For this purpose, I need to log the events and ensure that one such event sends out an Event Alert from Splunk. This will aid in investigating the attack. It's not a huge network; the project only requires about 5-6 devices in the internal network.
My goodness.  That is exactly what I am looking for.  I should've known that!  I was definitely over complicating it.  THANK YOU!! How would I be able to list the files in the lookup that are NOT logging?
Hi, on the weekend we had an electrical problem in our secondary datacenter, and it currently doesn't have power. One indexer was in that datacenter; it was in a cluster with another indexer. Are there any tasks that I must do in the meantime? The estimated recovery time for the datacenter is 3 to 4 days. Maybe put the indexers in maintenance mode? I've read this https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Whathappenswhenapeergoesdown but it only talks about what happens with bucket fixing. Regards.
Hi Dietrich, yes, another reason to get this error. Thanks for letting me know.
Assuming your lookup has a column called source, try something like this:

index=pvs [| inputlookup pvs_source_list | table source]
| stats latest(_time) as TimeAx by source
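A way to list the lookup entries that have no matching events even when the entries contain wildcards, which the append-and-count approach in the follow-up answer above cannot do reliably. This is an added example, not part of the thread or of Splunk's documentation. It keeps the lookup name pvs_source_list and index pvs from the thread, assumes the lookup column is named source, and runs one search per lookup row via map, so the maxsearches value (200 here, a placeholder) must be at least the number of rows in the lookup.

```spl
| inputlookup pvs_source_list
| table source
| map maxsearches=200 search="search index=pvs earliest=-24h source=\"$source$\" | stats count AS events, latest(_time) AS last_seen | eval pattern=\"$source$\""
| fillnull value=0 events
| eval status=if(events=0, "NOT logging", "ok"),
       last_seen=if(events=0, "none in last 24h", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table pattern status events last_seen
```

Each lookup value, wildcard included, is substituted into its own search as source="web*" style term, so a pattern is matched exactly the way it would be in a normal search and the result is one row per lookup entry rather than one row per observed source. A plain stats count over zero events still returns a row with count 0, which is what keeps the non-logging entries visible. The cost is one search per lookup row; if the lookup is large, the cheaper alternative is to define the lookup in transforms.conf with match_type = WILDCARD(source) and use the lookup command instead of map.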