All Posts

@alanzchan Were you able to find a solution to your problem?
Hi @gcusello, Unfortunately, I am not in control of the application layer. Web logs could be in any directory on any drive. With a script to check and overwrite the inputs.conf, that will only require a local Splunk restart if the location changes. That usually happens rarely, but we need to capture it.
1. Check the log location.
2. Compare it with the current setting in inputs.conf.
3. Only if different: update and restart.
Kind Regards, Andre
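The three-step check described in the post, as an added example in Python (not the poster's script, and not Splunk's own tooling). It assumes the web-log input is the one [monitor://...] stanza in the UF's inputs.conf whose sourcetype matches, that the current log directory is found by probing a list of candidate directories, and that the caller only runs `splunk restart` when reconcile() reports a change. The inputs.conf content and all paths below are constructed for the example.

```python
"""Reconcile a Universal Forwarder inputs.conf monitor stanza with the
currently discovered web-log directory, and say whether a restart is needed.

Added example, not the poster's script. Assumptions (not from the post):
- one [monitor://<path>] stanza carries the web-log input and is identified
  by its sourcetype
- the current log directory is found by checking candidate directories
  (find_web_log_dir); any other discovery method works the same way
- the caller runs `splunk restart` only when reconcile() reports a change
"""
import os
import tempfile
from typing import Optional

MONITOR_PREFIX = "monitor://"

# Constructed sample inputs.conf (Windows-style paths, since the post mentions drives).
SAMPLE_INPUTS_CONF = r"""
# constructed sample, not a real deployment
[monitor://D:\inetpub\logs\LogFiles]
sourcetype = iis
index = web
disabled = 0

[monitor://C:\Windows\System32\winevt\Logs]
sourcetype = winlog
"""


def parse_inputs_conf(text: str) -> dict:
    """Minimal .conf parser: {stanza header: {key: value}}.
    Comments and blank lines are skipped; values keep everything after the first '='."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def current_monitor_path(text: str, sourcetype: str) -> Optional[str]:
    """Path of the monitor stanza whose sourcetype matches, or None if absent."""
    for header, kv in parse_inputs_conf(text).items():
        if header.startswith(MONITOR_PREFIX) and kv.get("sourcetype") == sourcetype:
            return header[len(MONITOR_PREFIX):]
    return None


def find_web_log_dir(candidates) -> Optional[str]:
    """Step 1: return the first candidate directory that exists on this host."""
    for path in candidates:
        if os.path.isdir(path):
            return path
    return None


def _same_path(a: str, b: str) -> bool:
    return os.path.normcase(os.path.normpath(a)) == os.path.normcase(os.path.normpath(b))


def reconcile(text: str, sourcetype: str, discovered: str):
    """Steps 2 and 3: compare the stanza with the discovered path and rewrite it
    only on a difference. Returns (new_text, restart_needed); the text comes back
    untouched when nothing changed, so no needless restart is triggered."""
    old = current_monitor_path(text, sourcetype)
    if old is not None and _same_path(old, discovered):
        return text, False
    if old is None:
        # no stanza for this sourcetype yet: append one
        new_text = text.rstrip("\n") + (
            f"\n\n[{MONITOR_PREFIX}{discovered}]\nsourcetype = {sourcetype}\ndisabled = 0\n")
    else:
        new_text = text.replace(f"[{MONITOR_PREFIX}{old}]", f"[{MONITOR_PREFIX}{discovered}]", 1)
    return new_text, True


def write_atomically(path: str, text: str) -> None:
    """Write via a temp file in the same directory and rename, so splunkd never
    reads a half-written inputs.conf."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".inputs.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # hypothetical paths; point these at the real UF app directory
    conf = r"C:\Program Files\SplunkUniversalForwarder\etc\apps\web_inputs\local\inputs.conf"
    found = find_web_log_dir([r"D:\inetpub\logs\LogFiles", r"E:\weblogs"]) or "(none found)"
    new_text, restart = reconcile(SAMPLE_INPUTS_CONF, "iis", found)
    print("restart needed:", restart)
    # if restart: write_atomically(conf, new_text), then run: splunk restart
```

The atomic write matters on a scheduled job: if the scheduler fires while the file is half-written, splunkd can pick up a truncated inputs.conf. Comparing normalized paths rather than raw strings keeps a case or separator difference from causing a pointless restart.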
Yeah, for reference I've got that kind of thing; it's super simple. What I'm wondering is if there's an easy way, or even any way, to replicate the popup bubble so that it'd look like this: Because that would be a million times better. It's clear enough I could forget the 5x1m rows... and it's like being handed out for free instantly when clicking on any field in a search...
I don't know CloudWatch, but from what I'm reading it uses either its own agent or you're pushing data to its API endpoint. Splunk's UF is obviously not a CloudWatch agent and it can only send out a simple syslog (or syslog-like) output. So your best bet would probably be using two separate agents. Watching the same file should not be that much of a problem (except for rare situations when monitoring a file with just one agent would be problematic).
I'm trying to install the Qualys Technology Add-on (TA) (https://splunkbase.splunk.com/app/2964) into Splunk Cloud. I tried downloading from Splunkbase and uploading to Splunk Cloud but received an error stating "This app is available for installation directly from Splunkbase. To install this app, use the App Browser page in Splunk Web." When I try the "Browse More Apps" method, I cannot locate the Qualys TA. I DO see other Qualys apps such as Qualys FIM, Qualys VM, Qualys CSAM, etc., but I don't see the TA. What am I missing?
1. Be careful with the append command. It spawns a subsearch and is therefore limited by subsearch constraints (and can get finalized silently without producing full results). In your case you could either use multisearch, since you have only streaming commands, or a single search with conditional assignment or evaluation to get EventId properly assigned.
index=index1 OR (index=index2 sourcetype=something)
| eval EventId=coalesce(EventId,Number__c)
(That's assuming that when you have Number__c in your event, you don't have EventId; if that's not the case, you have to use if() or case() with your eval.)
2. To not only find whether there are two matching events but also which of them is missing if there is only one, you have to do it slightly differently. First, classify your events:
| eval classifier=if(index=index1,1,2)
Now you can do
| stats sum(classifier) by EventId
This way you'll get a value of 3 when there are both events, 1 if there is only an event from index1, or 2 if there is only an event from index2.
Tenable is a company. The right add-on depends on which Tenable products/services you are using.
It doesn't work like that. Parentheses group search conditions only. You can't spawn a separate post-processing command for part of your data this way. You would need to use multisearch or append. But in your case it's probably not needed. Just do your rex command after the initial search. Unrelated note: don't use wildcards at the beginning of your search term unless you really can't avoid it.
Hi, I'm trying to use an OR function in the below query, trying to combine two indexes and then use the stats function as an alternative to the join command:
(index=serverdata sourcetype="server:stats" | rex "app_code=\"(?<application_code>[|w.\"]*)" ) OR (index="hostapp" source=hostDB_Table dataasset="*host_Data*")
I have tried to use escape characters but it's still not working. Thanks
I would recommend the Tenable TA at https://splunkbase.splunk.com/app/4060 for getting the data into Splunk; it uses Splunk Modular Inputs to connect to your Tenable service and pull the data. You can also download the Tenable App (https://splunkbase.splunk.com/app/4061), which is different to the TA in that it is more focussed on visualising the Tenable data. This utilises the data in the TA and the data you have ingested. Both of these Splunk apps are built and supported by Tenable themselves but assume you're using Tenable's feature products; there are separate Splunkbase apps made by Tenable for WAS / EASM if you are using these products. Please let me know how you get on and consider upvoting/karma this answer if it has helped. Regards, Will
Hi @tkwaller1, You should be able to do your search as follows:
(index=index1) OR (index=index2 sourcetype="api")
| eval EventId=COALESCE(Number__c, EventId)
| stats dc(index) as indexCount by EventId
| where indexCount>1
Please let me know how you get on and consider upvoting/karma this answer if it has helped. Regards, Will
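The two reconciliation approaches in this thread (the classifier sum from the earlier reply and the dc(index) count from this one), as an added example in plain Python over constructed events rather than SPL. This is not the posters' code; the events, index names and IDs are invented. It also shows the edge case a practitioner should check for: when one index holds the same EventId twice, two index1 events sum to 2, which is the same value as a single index2 event, so sum(classifier) misclassifies it while dc(index) does not.

```python
"""Reconcile events from two indexes by EventId in plain Python, mirroring the
SPL in the thread (classifier sum from the earlier reply, dc(index) from this
one). Added example, not the posters' code; the events are constructed and the
IDs are invented."""
from collections import defaultdict

# Constructed sample events. E-1001/E-1002 are in both indexes; E-1003 only in
# index1; E-1004 only in index2; E-1005 is duplicated inside index1 (the edge
# case that breaks sum(classifier)); E-1006 has the wrong sourcetype.
SAMPLE_EVENTS = [
    {"index": "index1", "EventId": "E-1001"},
    {"index": "index2", "sourcetype": "api", "Number__c": "E-1001"},
    {"index": "index1", "EventId": "E-1002"},
    {"index": "index2", "sourcetype": "api", "Number__c": "E-1002"},
    {"index": "index1", "EventId": "E-1003"},
    {"index": "index2", "sourcetype": "api", "Number__c": "E-1004"},
    {"index": "index1", "EventId": "E-1005"},
    {"index": "index1", "EventId": "E-1005"},
    {"index": "index2", "sourcetype": "syslog", "Number__c": "E-1006"},
]


def base_search(events):
    """(index=index1) OR (index=index2 sourcetype="api")
    | eval EventId=coalesce(EventId, Number__c)"""
    out = []
    for ev in events:
        in_scope = ev["index"] == "index1" or (
            ev["index"] == "index2" and ev.get("sourcetype") == "api")
        if not in_scope:
            continue
        # coalesce(): the first of the two fields that is present
        eid = ev.get("EventId", ev.get("Number__c"))
        if eid is not None:
            out.append({**ev, "EventId": eid})
    return out


def classifier_sum(events):
    """| eval classifier=if(index="index1",1,2) | stats sum(classifier) by EventId
    3 = both, 1 = index1 only, 2 = index2 only ... unless an index holds the same
    EventId twice: two index1 events also sum to 2 and look like "index2 only"."""
    sums = defaultdict(int)
    for ev in base_search(events):
        sums[ev["EventId"]] += 1 if ev["index"] == "index1" else 2
    return dict(sums)


def index_count(events):
    """| stats dc(index) as indexCount by EventId (distinct count, so duplicates
    within one index cannot inflate it)"""
    seen = defaultdict(set)
    for ev in base_search(events):
        seen[ev["EventId"]].add(ev["index"])
    return {eid: len(s) for eid, s in seen.items()}


def only_in_index1(events):
    """The poster's actual question: EventIds seen in index1 with no partner in
    index2. Built on the set of indexes per EventId, so duplicates are harmless."""
    seen = defaultdict(set)
    for ev in base_search(events):
        seen[ev["EventId"]].add(ev["index"])
    return sorted(eid for eid, idx in seen.items() if idx == {"index1"})


if __name__ == "__main__":
    print("sum(classifier):", classifier_sum(SAMPLE_EVENTS))
    print("dc(index):     ", index_count(SAMPLE_EVENTS))
    print("index1 only:   ", only_in_index1(SAMPLE_EVENTS))
```

Run it and compare E-1005 across the three outputs: the classifier sum reports 2 (reads as "index2 only"), the distinct count reports 1, and the set-based check lists it correctly as index1-only. If duplicates within an index are possible in your data, prefer dc(index) or values(index) over sum(classifier).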
Hello, I have 2 questions about Splunk AI Assistant (Cloud version). If customers sign the EULA and receive notification that the app can be installed on their stack, can the app be installed on all of the customer's stacks? In case a stack has premium products like ITSI and ES, can the app be used from the premium search heads, or does it need to be installed only on the ad hoc SH and used only from there for its purposes? Thanks! Regards, Darina Stoyanova-Mateva
Hi @secure, as @gcusello stated, you can have only one base search. What would it mean to have 2 in a panel? The base search just returns the results, so how could you use 2 together? I am not sure if this helps, but you can have a base search use another base search.
Hello, I have a search like
index=index1 | rename Number__c as EventId | append [search index=index2 sourcetype="api" ] | stats count by EventId | search count < 2
What it does is search 2 indexes for IDs and count them, expecting 2 (1 from each index). What I would like to ensure is that when the count is less than the expected 2, its only source is the first search. Meaning that if there is only 1 record, it is from the first portion of the search and not found in the second. In the table, however, I only want to show the EventId. Thanks for the assistance!
@shaunm001 You can check the sourcetype along with the index you are searching; it should have MessageTrace present. I can't see much of your environment, but if you still have confusion you can open a support case to get more help.
Yes new builds old cluster. Appreciate the info that was helpful.
Hi @danielbb, I used the TA below for a long time and it worked well. https://splunkbase.splunk.com/app/4060
Splunk, is there a way to dump out all ServiceNow add-on setup for each/all alerts? Trying to grab all alerts that have this action and put them in a table with all the setup they have: state, CI, contact type, assignment group, etc.
Hello everyone! We have some exciting news: the Splunk AppDynamics Mobile Real User Monitoring (MRUM) Session Replay preview is now available (for MRUM users)! It's a feature within AppDynamics MRUM that allows you to visually replay recordings of actual user interactions within your mobile application.

Key Details:
• Requires controller version 25.1 and MRUM agent upgrade
• Free preview starts Feb 2025 (20,000 session replays/month)
• Helps teams reduce MTTR, optimize UX, and understand user behavior

Check out these FAQs for additional details:

FAQs

General Overview Questions

What is AppDynamics MRUM Session Replay?
AppDynamics MRUM Session Replay is a feature within AppDynamics Mobile Real User Monitoring that allows you to visually replay recordings of actual user interactions within your mobile application. It captures a user's journey through the app, showing their taps, swipes, and other actions, providing a video-like representation of their experience. This feature is currently in public preview, with general availability expected soon.

What problems does MRUM Session Replay solve?
AppDynamics MRUM Session Replay solves several key problems related to mobile app development, troubleshooting, and user experience optimization:
Faster Troubleshooting (Reduced MTTR): Session replay helps developers and DevOps teams quickly identify the root cause of crashes, Application Not Responding (ANR) errors, performance issues, and other errors. By visualizing the user's actions leading up to the problem, they can pinpoint the exact moment the issue occurred and understand the context, significantly reducing mean time to resolution (MTTR).
Improved User Experience (UI/UX Optimization): Product managers, developers, and designers can use session replay to understand how users actually interact with the app. By observing real user behavior, they can identify friction points, confusing navigation, or areas where the UI/UX could be improved. This data-driven approach helps optimize the user experience, leading to increased engagement and satisfaction.
Understanding User Behavior: Session replay provides valuable insights into how users navigate and use the app. This understanding can inform design decisions, feature prioritization, and overall app strategy. Seeing the app through the user's eyes helps teams understand what's working and what's not.
Reproducing Issues: Replicating user-reported bugs can be challenging. Session replay eliminates this difficulty by providing a clear, visual record of the user's actions, making it easier to reproduce and fix the issue.

What are the benefits of MRUM Session Replay, and why should you care about it?
MRUM Session Replay offers two key benefits that directly impact customer satisfaction and business outcomes:
Enable Faster Troubleshooting: Session replay drastically reduces the time it takes to diagnose and fix issues in your mobile app. By providing a visual recording of the user's actions leading up to a crash, error, or performance bottleneck, developers can quickly pinpoint the root cause. This eliminates the guesswork and back-and-forth communication often associated with traditional debugging methods. Faster troubleshooting translates to quicker resolution times for bugs and issues. This means less disruption for users, fewer negative app store reviews, and ultimately, a more stable and reliable app experience. A happy user is more likely to continue using your app and recommend it to others.
Optimize the End-User Experience on Mobile Application: Session replay offers invaluable insights into how users actually interact with your app. By watching real user sessions, you can identify friction points, confusing navigation, and areas where the UI/UX could be improved. This data-driven approach to optimization allows you to make informed decisions about design changes and feature prioritization. A seamless and intuitive user experience is crucial for app success. By optimizing the user experience, you can increase user engagement, reduce churn, and improve customer satisfaction. A positive user experience is a key differentiator in the competitive mobile app market. Ultimately, a better user experience can lead to increased app usage, higher conversion rates, and improved business outcomes.

Product Specific Questions

What controller version is required?
You need controller version 25.1 to use MRUM Session Replay.

Do mobile agents need to be upgraded to use this feature?
Yes, MRUM agents must be upgraded to 25.1 to use Session Replay.

Are admin rights needed to enable Session Replay?
Yes, users with admin permission to configure MRUM can enable Session Replay.

How is the preview enabled?
Prerequisite: Mobile Session Replay (early preview) will be available for customers with controller version 25.1 or above.
◦ Upgrade the agent SDK
◦ Provide blob service endpoint
◦ Provide session replay module dependency (only for Android)
Configuration: Enable Session Replay in Mobile App Group Configuration -> Session replay. (Needs admin permission for mobile configuration.)

How long is the preview available?
The MRUM Session Replay free preview will be available for all active MRUM customers starting in February 2025. During the free trial, each account will get 20,000 session replays per month.

What happens after the preview is over?
After the preview ends, the feature will be available only for those with a Session Replay license.

How much will the Session Replay feature cost?
Pricing is not finalized yet for this feature.

Will I lose my data after the free preview?
Yes, you may. Your Session Replay data will be available for 8 days. After 8 days, that data will be lost. When the GA version is available, you can purchase and extend storage to lengthen the duration of data availability.