This looks like your events might be in JSON format. Please share your unformatted raw events in a code block </> to preserve the formatting in your events, so we might be able to assist you.
Hi @seemanshu,

Thanks for your response!

Can you help me here with using condition? There are some existing queries which are defined for a single-value input radio button. I would like to use the same:

<condition match="$tok1$==&quot;v1&quot;>
<set token="value1">true</set>
<condition match==&quot;v2&quot;>
<set token="value2">true</set>

but this is not working if I use 2 values:

<condition match="$tok1$==&quot;v1&quot;  AND $tok1$==&quot;v2&quot; >
<set token="value1">value1 OR value2</set>

Thanks in advance!
Hi @suresh401, I need to send the entity/host information like "kubernetes_node", which we get from the correlation search, as a payload to my Jenkins to trigger a job that can restart that particular node. How can I get that payload automatically populated with the 'kubernetes node address' and passed to Jenkins?
| stats count(Tran) as Count, avg(responstime) as avgrt by Tran
| rex field=Tran "(?<temp>^[A-Z]{3})"
| lookup TransctionDetails.csv Tran_lookup as temp OUTPUT Transaction_Details
| fields Count, Tran, Transaction_Details, avgrt

I extract the first three letters from the Tran field and put them in a separate field. Then I make the lookup against the file with the new field.
Thank you. It worked. However, I was reviewing the index data. The Splunk index has data like below, with versions of Tran, but the lookup file only has ABC and CDE, as Transaction_Details is the same for all versions of Tran. In such cases, where there are multiple versions of Tran and 1 value of Transaction_Details, it is coming up empty. Is there a way the lookup file can be searched by prefix, or some other way?

Tran
ABC
ABCVersion1
ABCVersion2
ABCVersion3
CDE
CDE
CDEVersion1
CDEVersion2
| stats count(Tran) as Count, avg(responstime) as avgrt by Tran
| lookup TransctionDetails.csv Tran_lookup as Tran OUTPUT Transaction_Details
| fields Count, Tran, Transaction_Details, avgrt

If you only want the events that have matching Transaction_Details, add:

| where isnotnull(Transaction_Details)

My expectation in the example is that the lookup is inside of Splunk and correctly configured.
The lookup file name is TransctionDetails.csv. If you look at my initial post, I have another stats query to which I need to append

| stats count(Tran) as count, avg(responstime) as avgrt by Tran

where Tran_lookup matches Tran in the index. The expected output is (the corresponding Transaction_Details should be added to the stats output):

Count, Tran, Transaction_Details, avgrt
Assuming each event contains the timestamp line, followed by a header line, then lines for each process, you could try something like this (the split string contains a literal newline):

| eval process=mvindex(split(_raw,"
"),2,-1)
| mvexpand process
| rex field=process "(?<USER>[^\s]+)\s+(?<PID>[^\s]+)\s+(?<CPU>[^\s]+)\s+(?<MEM>[^\s]+)\s+(?<VSZ>[^\s]+)\s+(?<RSS>[^\s]+)\s+(?<TTY>[^\s]+)\s+(?<STAT>[^\s]+)\s+(?<START>[^\s]+)\s+(?<TIME>[^\s]+)\s+(?<COMMAND>.*)"
| chart max(CPU) max(MEM) by _time PID
Hello do these steps hold true for a https://www.splunk.com/ account?
With the lookup command I mentioned in my first reply you can do so. You have to replace "<lookup_name>" with the name of your lookup. If the field names you mentioned are correct, then the query should work. Just add the line after the current result. If it still doesn't work, please provide more information like the name of the lookup file, the exact names of the fields in the result and the exact names of the fields in the lookup file.
Hi all, I am trying to set up SAML with my Custom IDP, but Splunk is returning an "Unsupported algorithm" error even if the algorithm type is correct in the SAML response. Can you kindly help/guide me regarding how to troubleshoot this issue? I have attached my SAML response and SAML configuration settings in this post.

Error from Splunk Cloud: (screenshot attached)

SAML configurations in Splunk Cloud: (screenshot attached)

SAML response:

<ns2:SignedInfo>
  <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ns2:Reference URI="#id-S7lv9JFItlthO8Lzr">
    <ns2:Transforms>
      <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ns2:Transforms>
    <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ns2:DigestValue>Kq/4Vh3rMrw0H/yFvAnmr0KH8qrAbqYrU+stI/WODZY=</ns2:DigestValue>
  </ns2:Reference>
</ns2:SignedInfo>

Thanks
Hello, how can we combine stats and lookup on a comparison of Tran and Look_Tran?

Current results: Tran, Count, avgrt

Required results (matching Transaction_Details to be pulled from the lookup based on Tran): Tran, Transaction_Details, Count, avgrt
If the search indexes are based on roles, then the search query should behave in the same way with or without any commands (like statistical commands, chart commands or any other functions). In my case, I am getting empty logs whenever I run any of the below queries:

host=abc sourcetype=xyz | stats count

(or)

host=abc sourcetype=xyz | timechart count

whereas with the below query (without mentioning the index) I am able to see the log events successfully:

host=abc sourcetype=xyz
Sorry for the 4 year resurrection of the thread, but I was wondering if this led anywhere. Working with lookups for assets and identities in ES and finding issues with the use / inconsistencies with the way 'make_ip_cidr' operates. For ES population, I'm trying to use MV in KV stores of assets, as well as delimited csv lookups, but the cidr matching, make_ip_cidr and expandiprange and the lack of support of /32 is causing issues.
Try this (the split string contains a literal newline):

| rex field=_raw "(?<header>[^\n]+)"
| eval temp = split(_raw,"
")
| mvexpand temp
| regex temp="proc\d+"
| rex field=temp "(?<USER>[^\s]+)\s(?<PID>[^\s]+)\s(?<CPU>[^\s]+)\s(?<MEM>[^\s]+)\s(?<VSZ>[^\s]+)\s(?<RSS>[^\s]+)\s(?<TTY>[^\s]+)\s(?<STAT>[^\s]+)\s(?<START>[^\s]+)\s(?<TIME>[^\s]+)\s(?<COMMAND>[^\s]+)"
| rename CPU as "%CPU" MEM as "%MEM"
| fields - temp

You can then use transforming commands with the COMMAND field (procs). Also be careful to keep the new line in the query in the split command to split correctly. If that doesn't work, try "\n" instead.

EDIT: The version from @ITWhisperer with mvindex is simpler...
Yes community Q&A forum is the place where such questions can be posted and we can get insights from AppDynamics experts.
Could anyone help or suggest something on this? Why am I getting blank events in verbose mode when I run the search query without the index field?
| lookup <lookup_name> Tran_lookup as Tran OUTPUT Transaction_Details

It's recommended to create a lookup definition for your lookup files. If you do so, you replace the lookup name with the name of the lookup definition. Hope this helps!
Hi @TISKAR, did you try clearing the browser cache? Ciao. Giuseppe
Fair enough, even if I think that this capability that the user is asking for can be immediately clarified by an expert user of AppDynamics or some other technical people who have worked for years on the platform. Personally, I would never contact support over some "can do" or "cannot do" question. Best regards