All Posts

Hello, I have an air-gapped Splunk AppDynamics (25.1) HA on-premises instance deployed, the fleet management service enabled, and smart agents installed on the VMs to manage the app server agents. I want to be able to download the agents directly from AppDynamics Downloads from the controller UI instead of downloading manually (i.e. using the AppDynamics Portal), but I don't know which URLs should be whitelisted on the firewall. Can anyone help me with this? Thanks, Osama
I tried it again, using the same method you suggested, deployed and configured the app on the deployer and pushed the config bundle, but it's still the same.
Wait. As far as I remember (it's been some time since I did it last time) you don't manually copy anything. When you run the installer in deployer mode it takes care of preparing the shcluster bundle. That's why you run it exactly as described - upload the app to the deployer, run the installer on the deployer, apply shcluster-bundle. No manual copying of stuff anywhere.
I followed these steps, installed ES on the deployer and configured it. Mission Control is not working on the deployer. Then I copied ES to shcluster/apps and pushed the configuration. Now all DA-ESS and SA apps are present in the apps of each SHC member, but still, when I click the ES app or the Mission Control app on a cluster member it says continue to setup page. Not sure why.
@Nawab Installing ES on a Search Head Cluster Deployer:
1. On the Splunk toolbar, select Apps > Manage Apps and click Install app from file.
2. Click Choose File and select the Splunk Enterprise Security file.
3. Click Upload to begin the installation.
4. Click Continue to app setup page.
5. Click Start Configuration Process, and wait for it to complete.
6. Use the Deployer to deploy ES to the cluster members. From the Deployer run: /opt/splunk/bin/splunk apply shcluster-bundle
Followed everything exactly as described in the docs.
@Nawab - Please make sure that you followed all prerequisites for SHC and ES on SHC: https://docs.splunk.com/Documentation/ES/8.0.2/Install/InstallSplunkESinSHC
I have installed ES on the deployer as suggested by the Splunk docs, then transferred this app to /opt/splunk/etc/shcluster/apps and pushed the apps to my cluster. But still, when I open ES on any search head it says Post install configurations, and when I click configure it says you cannot do it on an SHC member.
Ah @PickleRick, yes, spot on. Sorry, hadn't seen your reply, but it seems like we are thinking along the same lines!
That's more or less what I was talking about.
Then, where does the dashboard get those strings? In other words, what is the code in that dashboard that prints those strings?
Hi @RebeccaKeller
No, as of version 3.18.2, Splunk DB Connect does not officially support DB2 on z/OS (mainframe). The documentation only states that "IBM DB2 is supported when the database is running on Linux. Splunk doesn't test or support DB2 on AS/400 or Windows."
However, technically, DB2 offers a universal JDBC driver that can (in theory) communicate with DB2 on z/OS. Some tools can connect this way if the correct configuration and drivers are used—but official vendor support is another matter.
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
The old connector didn't support Db2 on Z. Wondering if the latest version on Splunkbase now supports mainframe Db2 on z/OS. Thanks.
Hi @avikc100
Were you able to try my previous example (see below)? If there is an issue with this I'd be happy to try and resolve it for you. Thanks

@livehybrid wrote:
Hi @avikc100
You can create a search that calculates the relevant dates, which set tokens, and then use the tokens:

<search id="days">
  <query>| makeresults
| eval dayMinus0=strftime(now(), "%d/%m/%Y")
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y")
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y")
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y")
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y")
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
  <done>
    <set token="dayMinus0">$result.dayMinus0$</set>
    <set token="dayMinus1">$result.dayMinus1$</set>
    <set token="dayMinus2">$result.dayMinus2$</set>
    <set token="dayMinus3">$result.dayMinus3$</set>
    <set token="dayMinus4">$result.dayMinus4$</set>
    <set token="dayMinus5">$result.dayMinus5$</set>
  </done>
</search>

Then use $dayMinusN$ for each Title - where N is the number of days, like this:

Below is the full XML example of that dashboard above for you to play with if it helps:

<dashboard version="1.1" theme="light">
  <label>SplunkAnswers1</label>
  <search id="days">
    <query>| makeresults
| eval dayMinus0=strftime(now(), "%d/%m/%Y")
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y")
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y")
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y")
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y")
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
    <done>
      <set token="dayMinus0">$result.dayMinus0$</set>
      <set token="dayMinus1">$result.dayMinus1$</set>
      <set token="dayMinus2">$result.dayMinus2$</set>
      <set token="dayMinus3">$result.dayMinus3$</set>
      <set token="dayMinus4">$result.dayMinus4$</set>
      <set token="dayMinus5">$result.dayMinus5$</set>
    </done>
  </search>
  <search id="baseTest">
    <query>| tstats count where index=_internal by _time, host span=1d
| eval daysAgo=floor((now()-_time)/86400)</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <table>
        <title>$dayMinus0$</title>
        <search base="baseTest">
          <query>| where daysAgo=0 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus1$</title>
        <search base="baseTest">
          <query>| where daysAgo=1 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus2$</title>
        <search base="baseTest">
          <query>| where daysAgo=2 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus3$</title>
        <search base="baseTest">
          <query>| where daysAgo=3 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus4$</title>
        <search base="baseTest">
          <query>| where daysAgo=4 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus5$</title>
        <search base="baseTest">
          <query>| where daysAgo=5 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
Hi @Ram2
Another approach would be to use a single query without any subsearch/append etc:

index=test-index (("ERROR" Code=OPT OR Code=ONP) OR ("WARN" "User had issues with code" Code=OPT OR Code=ONP code_ip IN(1001, 1002, 1003, 1004)) OR ("INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP code_data IN(iias, iklm, oilk)))
| bin _time span=1d
| eval TOATL_ONIP1=if(match(_raw, "ERROR") AND (Code="OPT" OR Code="ONP"), 1, 0)
| eval TOATL_ONIP2=if(match(_raw, "WARN") AND match(_raw, "User had issues with code") AND (Code="OPT" OR Code="ONP") AND code_ip IN(1001, 1002, 1003, 1004), 1, 0)
| eval TOATL_ONIP3=if(match(_raw, "INFO") AND match(_raw, "POST") AND NOT match(_raw, "GET /authenticate/mmt") AND (Code="OPT" OR Code="ONP") AND code_data IN("iias", "iklm", "oilk"), 1, 0)
| stats sum(TOATL_ONIP1) as TOATL_ONIP1 sum(TOATL_ONIP2) as TOATL_ONIP2 sum(TOATL_ONIP3) as TOATL_ONIP3 by Code _time
| eval Start_Date=strftime(_time, "%Y-%m-%d")
| table Start_Date Code TOATL_ONIP1 TOATL_ONIP2 TOATL_ONIP3

This determines the ONIP number based on fields in the event and then does a stats to count each ONIP by Code.
Please provide the source code for your dashboard in a code block using the </> button to insert the text.
Sorry for the confusion! I want the system date here in this test area in the dashboard.
Verified in production: SmartStore will support upload and searching of reduced buckets. You need to turn off tsidx reduction for that index before enabling the SmartStore config on it, of course.
I don't recall ever seeing DB Connect configured so that it sends to a HEC input outside of the HF it's running on. Theoretically it's possible - see https://docs.splunk.com/Documentation/DBX/3.18.2/DeployDBX/settingsconfspec - but I must say I've never seen it configured this way. Anyway, first check your config, then debug the appropriate HEC inputs.
Hi, I am trying to display the number of events per day from multiple indexes. I wrote the SPL below, but when all index values are null for a specific date, the row itself is not displayed.
From multiple indexes, I want to substitute 0 for null and display the number of events per day. Using the chart command I was able to display the event counts and substitute 0 with isnull when the value of a specific index is null, but when the values of all indexes are null on a particular day, the row for that day itself is not displayed.

index IN (index1, index2, index3, index4)
| bin span=1d _time
| chart count over _time by index
| eval index4=if(isnull(index4), 0, index4)

How can I display a row for 4/2 by substituting 0, like the table below, when all index values for 4/2 are null?
Is there a way to display the 4/2 row by substituting 0, as in the table below, even when there are no values for 4/2?

        index1  index2  index3  index4
4/1     12      3       45      0
4/2     0       0       0       0
4/3     16      7       34      0
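An added example, not from the original post, of the behaviour the question describes: chart only emits rows for _time values that actually appear in the results, so a day with no events in any index has no row to fill. timechart, by contrast, produces one row per span bucket across the whole search time range even when the bucket is empty (its cont setting defaults to true), and fillnull with an explicit field list both replaces nulls and creates the column for an index that had no events at all. The four index names are the ones from the question and are assumed to exist.

```spl
index IN (index1, index2, index3, index4)
| timechart span=1d count by index
| fillnull value=0 index1 index2 index3 index4
| eval day=strftime(_time, "%m/%d")
| table day index1 index2 index3 index4
```

With the time picker set to cover 4/1 through 4/3, this yields a 4/2 row of all zeros instead of dropping it; the count by index clause is limited to ten distinct indexes by default, so for more than that add limit=0 to timechart.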