All Posts

I was getting this error from a scripted input after upgrading from 8.2.10 to 9.0.6, and resolved it by removing python.version = python2 from the restmap.conf file that someone had manually added.
Look for both install and uninstall events from the same machine/program and keep the most recent event for each. If the latest event is "uninstall" and it's been more than 30 minutes then trigger an alert.

index=main source=<custom_source> (Message="<program_name> is uninstalled" OR Message="<program_name> is installed")
| dedup host <program_name> Message
| where Message="<program_name> is uninstalled" AND _time<relative_time(now(), "-30m")
Hi! I am faced with the following task and do not understand which way to go. I want to create an alert that will be triggered when a certain application is deleted. For example:

index=main source=<custom_source> Message="<program_name> is uninstalled"

Everything works as it should, I use the internal event type and that's not the question. Some software generates 2 events when UPDATING OR UPGRADING, the first: the program is uninstalled and the second: the program is installed. Therefore, in this case, my alert gives a false alarm. I have generated the following alert logic to correct false positives:

Search events for the last 30 minutes:
index=main source=<custom_source> Message="<program_name> is uninstalled"

Next we need to check whether there were installation events:
index=main source=<custom_source> Message="<program_name> is installed"
on the machines from the first request. And if there was no installation event on the machine after the uninstalled event in the last 30 minutes, then issue an alert.

I can't create a query from this logic. If you could help me with advice, I would be very grateful.

P.S. We looked in the direction of events from the application log and MSI Installer Logs, but in our case this is not applicable and we must use a custom source.

Thanks for your help, have a nice day.
Is that the only way to get the data in? This is a production server and I don't think I will be able to disable/stop firewalld.
I updated the JSON and can see the documentation updated as well:
summary.data.*.result string

That key "result" is available per action test:
{"identifier": "list_zones", "result_data": [{"data": [{"result":...

But still in VPE I can see only 'status' and 'message'. I haven't found anything special in existing apps.
I have a CSV file that populates a standard dropdown. The selection made, in this standard dropdown, then populates the second dropdown which is a Multi-Select. I then use the token, from the Multi-Select, to perform my search. This works great when there is only one item selected in the Multi-Select dropdown, however, when multiple items are selected it returns incorrect results. Any help would be most appreciated! This is my source code:

<form version="1.1">
  <label>JRD AUR Divert Zone Multi Dropdown (CSV) Counts by Downtime</label>
  <description>Testing for CSV Dropdown Functionality</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Selection</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Locationid_tok" searchWhenChanged="false">
      <label>Select Bins Location</label>
      <fieldForLabel>Locationid</fieldForLabel>
      <fieldForValue>Locationid</fieldForValue>
      <search>
        <query>| inputlookup AUR_Bin_Divert_Zones.csv | dedup Locationid | table "Locationid"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="Zoneid_tok" searchWhenChanged="true">
      <label>Select Divert Zone(s)</label>
      <fieldForLabel>Zoneid</fieldForLabel>
      <fieldForValue>Zoneid</fieldForValue>
      <search>
        <query>| inputlookup AUR_Bin_Divert_Zones.csv | search Locationid="$Locationid_tok$" | table "Zoneid"</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <choice value="*">All</choice>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=5_ip_cnv sourcetype=ftae_hmi_alarms $Zoneid_tok$
| eval Time=_time
| transaction Alarm startswith=*$Zoneid_tok$",1,0,192" endswith=*$Zoneid_tok$",0,0,192" maxevents=2
| eval Downtime = strftime(duration, "%M:%S")
| makemv delim=";" Message
| eval EventType=mvindex(Message,0)
| rename Description as EventLocation
| eval Date=lower(strftime(_time,"%+"))
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_hour_EST=tonumber(strftime(_time, "%H"))
| where NOT (date_wday="saturday" OR date_wday="sunday")
| where (date_hour_EST&gt;=9 AND date_hour_EST&lt;19)
| rename Downtime as "Downtime in Minutes:Seconds"
| sort +Time
| table Date EventType EventLocation "Downtime in Minutes:Seconds"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">60</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <format type="number" field="Time">
          <option name="precision">3</option>
          <option name="useThousandSeparators">false</option>
        </format>
      </table>
    </panel>
  </row>
</form>
Need help to write a generic query to capture PII data (social security numbers / credit card numbers / email addresses) from application logs?
Hi @jmrubio, did you disable firewalld?

systemctl stop firewalld
systemctl disable firewalld

Ciao. Giuseppe
Yes, you don't need that - it is just a habit I have when using makeresults as it is the only field that is automatically added by makeresults.
Genius! Thank you! I spent WAY too much time trying to find out how to do that. I skipped the "fields - _time" section. I'm not sure what that's for? It seems to work well without it.
This helped. Thanks @ITWhisperer 
Hello @gcusello, I tried ss -na | grep 8000 and it returned: tcp  LISTEN  0  128  *:8000  *:*
Thanks for the feedback.  I'll see if that works for me.
@irom77 for each field/key you output you need to add to the JSON.  "action_result.data" is just the array after you get the results from the REST call from the App.  You need to add "action_result.data.*.<key>" for each value you want to use downstream in a playbook into the JSON for it to be visible as a selectable option.  You can still use the values in a playbook but you need to add the ".*.<key>" to the end of your datapath in the Playbook. But if you want it to be selectable you need to map it in the JSON outputs section.  If unsure, you can look at any of the Out of the Box apps JSON files to see how they do it. 
Hello @isoutamo, sorry for the late response. So in splunkd.log all of the messages are:

WARN TcpOutputProc [16779 indexerPipe] - The TCP output processor has paused the data flow. Forwarding to host_dest=<IP> inside output group default-autolb-group from host_src=Splunk_Heavy_Forwarder has been blocked for blocked_seconds=355350. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

And the last message in splunkd_access.log is from June :( I am trying to connect to the HF through the web, and the cURL command returned a 303 error "The resource has moved temporarily".
Hi team, I am not able to import the health rules using the API access token method or by my username and password. Whenever I try to import it using either of the methods, the response comes as "null". Could you please guide me as to where I am going wrong?

The command I am using while pushing using the access token (I have all the default permissions set for my client id) (not working):

curl -X POST "https://customername.saas.appdynamics.com/controller/healthrules/application_name" -F file=@test.xml -H "Authorization: Bearer <access_token>"

Note: I am fetching the access token using the below command, which is working fine:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://customername.saas.appdynamics.com/controller/api/oauth/access_token" -d 'grant_type=client_credentials&client_id=<client_id>@<account_name>&client_secret=<client_secret>'

Command I am using while pushing using username, password (not working):

curl -X POST --user username@accountname:password https://customername.saas.appdynamics.com/controller/healthrules/Application_name -F file=@test.xml

The health rule xml file below contains seven health rules related to Average Response time, Calls, CPU, Error, Garbage collection, Heap, and Memory.
The XML file of health rules:

<health-rules>
  <health-rule>
    <name>APM_Average_Response_Time_x_tier_name</name>
    <type>NODE_HEALTH_TRANSACTION_PERFORMANCE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Average Response time (ms)</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>9.0</condition-value>
        <operator>EQUALS</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Average Response Time (ms)</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Average Response time (ms)</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>7.0</condition-value>
        <operator>EQUALS</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Average Response Time (ms)</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_Calls_x_tier_name</name>
    <type>NODE_HEALTH_TRANSACTION_PERFORMANCE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Calls Per Minute</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>5.0</condition-value>
        <operator>EQUALS</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Calls per Minute</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Calls Per Minute</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>3.0</condition-value>
        <operator>EQUALS</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Calls per Minute</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_CPU_x_tier_name</name>
    <type>INFRASTRUCTURE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>CPU | % Busy</display-name>
        <short-name>A</short-name>
        <condition-value-type>ABSOLUTE</condition-value-type>
        <condition-value>90.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>false</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Hardware Resources|CPU|%Busy</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>CPU | % Busy</display-name>
        <short-name>A</short-name>
        <condition-value-type>ABSOLUTE</condition-value-type>
        <condition-value>75.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>false</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Hardware Resources|CPU|%Busy</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_Errors_x_tier_name</name>
    <type>NODE_HEALTH_TRANSACTION_PERFORMANCE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Errors per minute</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>5.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Errors per Minute</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Errors per minute</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>3.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Errors per Minute</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_Memory_x_tier_name</name>
    <type>INFRASTRUCTURE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Memory | Used (%)</display-name>
        <short-name>A</short-name>
        <condition-value-type>ABSOLUTE</condition-value-type>
        <condition-value>90.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>false</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Hardware Resources|Memory|Used %</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Memory | Used (%)</display-name>
        <short-name>A</short-name>
        <condition-value-type>ABSOLUTE</condition-value-type>
        <condition-value>75.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>false</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>Hardware Resources|Memory|Used %</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_Heap_JVM_x_tier_name</name>
    <type>INFRASTRUCTURE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Memory:Heap|Used %</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>5.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>JVM|Memory:Heap|Used %</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>Memory:Heap|Used %</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>3.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>JVM|Memory:Heap|Used %</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
  <health-rule>
    <name>APM_Garbage_Collection_JVM_x_tier_name</name>
    <type>INFRASTRUCTURE</type>
    <description/>
    <enabled>true</enabled>
    <is-default>false</is-default>
    <always-enabled>true</always-enabled>
    <duration-min>30</duration-min>
    <wait-time-min>30</wait-time-min>
    <affected-entities-match-criteria>
      <affected-infra-match-criteria>
        <type>SPECIFIC_TIERS</type>
        <application-components>
          <application-component>x_tier_name</application-component>
        </application-components>
      </affected-infra-match-criteria>
    </affected-entities-match-criteria>
    <critical-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>GC Time spent per min (ms)</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>5.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>JVM|Garbage Collection|GC Time Spent Per Min (ms)</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </critical-execution-criteria>
    <warning-execution-criteria>
      <condition-aggregation-type>ALL</condition-aggregation-type>
      <entity-aggregation-scope>
        <type>ANY</type>
        <value>0</value>
      </entity-aggregation-scope>
      <policy-condition>
        <type>leaf</type>
        <display-name>GC Time spent per min (ms)</display-name>
        <short-name>A</short-name>
        <condition-value-type>BASELINE_STANDARD_DEVIATION</condition-value-type>
        <condition-value>3.0</condition-value>
        <operator>GREATER_THAN</operator>
        <condition-expression/>
        <use-active-baseline>true</use-active-baseline>
        <trigger-on-no-data>false</trigger-on-no-data>
        <enable-triggers>false</enable-triggers>
        <min-triggers>15</min-triggers>
        <metric-expression>
          <type>leaf</type>
          <function-type>VALUE</function-type>
          <value>0</value>
          <is-literal-expression>false</is-literal-expression>
          <display-name>null</display-name>
          <metric-definition>
            <type>LOGICAL_METRIC</type>
            <logical-metric-name>JVM|Garbage Collection|GC Time Spent Per Min (ms)</logical-metric-name>
          </metric-definition>
        </metric-expression>
      </policy-condition>
    </warning-execution-criteria>
  </health-rule>
</health-rules>

Thank you
Regards, Mohammed Saad
I set "action_result.data" in the app's json file (short one like below), but it didn't help and was gone when I tried to edit it again.

{
  "data_path": "action_result.data",
  "data_type": "string"
},

Is it something I have to update manually all the time after making any changes?
Hi there! I am attempting to set up the Microsoft Security Add-On on our Splunk Cloud (Victoria Experience). I was able to install the app on the Splunk Cloud Platform, and understand my next step is to configure the app to connect to Azure AD. I receive the following errors on the Configuration and Inputs tabs:

I confirmed that the sc_admin role has all the needed permissions, and that my account has the role sc_admin. I also confirmed that the list_inputs permission is assigned (the closest post I could find on Splunk Answers said to check this). Any ideas what I should check next? Thank you!
Hi @ChaoticMike, if you can, please vote for this idea at https://ideas.splunk.com/ideas/EID-I-1731 Ciao. Giuseppe
Booo! But thank you for the answer, it will save me looking for a thing that doesn't exist!