All Posts


Hi @Daryl.Mercadel, Thanks for asking your question on the Community. Here are some APIs you can look into: https://docs.appdynamics.com/appd/onprem/24.x/latest/en/extend-appdynamics/splunk-appdynamics-apis
Try something like this:
| spath properties | spath input=properties attributes
Hi @Manel.Benabid, Thank you for asking your question on the Community. It seems after a few days the community has not jumped in.  Have you found a solution or any new information you can share here? If you are still needing help, you can contact AppDynamics Support: How do I open a case with AppDynamics Support? 
Hi, I need to ingest some logs into Splunk, so the Files & Directories data input is my choice. A new index was also created, with _json as the sourcetype. Now I'm trying to use spath in a search to parse JSON data with multiple fields, with no luck yet. I just checked my JSON file: it is valid JSON. Here we have some parsed JSON, but I want to get email, first_name, last_name from properties.attributes so I can parse or filter by any of these fields in the future. Appreciate any help. Small source file: https://paste2.org/OsEXkgbJ

Here is what I tried:
index=ep_log event=created | spath properties.attributes
index=erp_log event=created | spath properties
and so on.
@livehybrid For your information, I have found the solution in the Splunk known issues for version 9.1.1, and after applying it, it started working fine.
@kiran_panchavat Thanks for your response.  My concern is that it worked fine in Splunk Enterprise 8.1.1, but after upgrading to version 9.1.1, I am encountering fatal errors and “bad allocation” issues for the same scheduled search.
Try this:
| spath | search message="*Unit state update from cook client target*"
Hi @alucarddjin  I have the same issue as you. Did you solve this problem? If so, could you share how you fixed it? I’d really appreciate your help. Thanks! #universal configuration console (UCC) #UCC framework
No data extracted at all, and the data is JSON formatted. I normally start my rex expressions with field=message "(rex expression)"
I would like to get a count of events of all data ingested for 2024. I have hundreds of indexes and all data over 90 days goes to DDAA. I can use "eventcount" for the searchable data and just multiply by 4 for an estimate. Using:
| eventcount summarize=false index=* | stats sum(count) as total_events by index | fieldformat total_events=tostring(total_events,"commas") | addcoltotals
Is there a way to get event counts for archived data?
Hi @nkavouris, what's the behavior of this regex: does it extract too much data or nothing? It seems to be correct using the sample you shared. Anyway, this seems to be a log in JSON format; did you try to use INDEXED_EXTRACTIONS=JSON or spath? Ciao. Giuseppe
Thanks Giuseppe, but this does not work in Splunk unfortunately.
Hi @nkavouris, please try this:
| rex "hw_state:\sElements\(temp:\s(?<temp>\d+)"
You can test it at https://regex101.com/r/FhThZf/1 Ciao. Giuseppe
I need help building a proper rex expression to extract the bold text (the 500 in hw_state) from the following raw data:
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: 500°F, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: 500°F, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
I have tried:
rex field=message "(?=[^h]*(?:hw_state:|h.*hw_state:))^(?:[^\(\n]*\(){2}\w+:\s+(?P<set_temp>\d+)
rex field=message ".*hw_state: Elements\(temp:(?<set_temp>\d+),.*"
with no results yielded. What is the proper rex expression to extract 500 from the message field?
Hello, Does anyone know when this app will become cloud compliant?
Here is the raw event:
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
Hi @Raja_Selvaraj, use the delta command ( https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta ):
<your_search>
| timechart span=1d count BY column
| delta columnA AS new_columnA
| delta columnB AS new_columnB
| delta columnC AS new_columnC
| eval deltaA=new_columnA-columnA, deltaB=new_columnB-columnB, deltaC=new_columnC-columnC
Ciao. Giuseppe
Hi Wil,

For confirmation:

On UF - inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers

On Index-cluster - props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured

Input file
[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

Regards,
Harry
Hi Everyone, can someone please help me with a Splunk query to show the difference of two values in a timechart over a period of time? The sample result I get from the query has Column A with the time range and the other columns with the respective host values:

Column A     Column B   Column C   Column D
02/22/2025   10         12         14
02/23/2025   11         13         15
02/24/2025   12         15         17
02/25/2025   16         20         21

I need the difference of the values of Columns B, C and D from the previous time period, shown in one timechart. Let me know if any other details are required.
@omcollia - On Splunk Cloud, you are not allowed to update JS from some other JS file in any way (neither programmatically nor manually). So the only options you have are: if the App is built by you, you can update the JS and publish a new version of the App; if the App is built by someone else, ask the developer to make the change if they can. I hope this helps!!!