All Posts


Hi Giuseppe, Thank you for the response. It's coming from one of our devices, and these logs have already been uploaded to Splunk and indexed. Now I want to write an SPL query to merge the line items.
Hi @ckarthikin, where do your logs come from? Which technology? Did you use a standard add-on or not? It seems to be a parsing error. You should try adding SHOULD_LINEMERGE = True to your sourcetype; in this way you configure a multiline sourcetype. Ciao. Giuseppe
failed to start kv store process. see mongod.log and splunkd.log for details.@Splunk
No, it's not a trial. But it was working correctly, so why would AppD devs ship out a breaking change without notifying us? We haven't touched the controller in months.
Hi, Some of my events don't have a timestamp and have been written as multiple line items in the log. I want to merge the multiple line items into the previous line item. Below are the examples; I want to merge the line items which don't have a timestamp and add them to the previous line.

    2024-05-24 14:11:51.7212|INFO|Services.Voice.VoiceManager|Wake word detected. hey_mentor
    2024-05-24 14:11:51.7212|INFO|Services.Sound.SoundManager|Playing Sound.VoiceStart_TEMP
    2024-05-24 14:11:53.9271|INFO|Services.Voice.VoiceManager|Received command
    Spoken text: hey mentor turn off L E D
    Intent Name: ChangeImageTransformOnOff
    Intent Value: turn { OnOff off } { ImageTransformsOnOff L E D }
    Slot 1: OnOff=off
    Slot 2: ImageTransformsOnOff=L E D
    2024-05-24 14:11:53.9271|INFO|NotificationService|Notify: [Illumination set to Off]
    2024-05-24 14:11:59.5010|INFO|Services.Voice.VoiceManager|Wake word detected. hey_mentor
    2024-05-24 14:11:59.5010|INFO|Services.Sound.SoundManager|Playing Sound.VoiceStart_TEMP
    2024-05-24 14:12:01.8935|INFO|Services.Voice.VoiceManager|Received command
    Spoken text: hey mentor turn on L E D
    Intent Name: ChangeImageTransformOnOff
    Intent Value: turn { OnOff on } { ImageTransformsOnOff L E D }
    Slot 1: OnOff=on
    Slot 2: ImageTransformsOnOff=L E D
    2024-05-24 14:12:01.8935|INFO|NotificationService|Notify: [Illumination set to On]
    2024-05-24 14:12:01.8935|INFO|Services.Sound.SoundManager|Playing Sound.VoiceStop_TEMP
    2024-05-24 14:12:06.7081|INFO|Controls.Live.LiveModel|IsReady=True, Pause <<  -------

Could anyone please help me write a query to achieve this?
Hi, is this a production instance or a trial? I just used your exact curl command, and updated with my values and it works. Don't see an issue with the Command. I believe there is a limitation on using the API if using a trial, but if it is not a trial, you need to contact AppD Support to have a look at your controller to see what the issue is.
I want to use an autoencoder model in Splunk for anomaly detection. I have already built my own model, and I did not use a scaler during the process. However, I still encountered the following error. Here is my code: I want to check the fields returned by my func in the search bar. What syntax can I use to verify this? This is my Python code:

    import numpy as np
    import pandas as pd
    # Assumption: the autoencoder is a Keras model, so Model comes from Keras.
    from tensorflow.keras.models import Model


    def apply(model, df, param):
        """Apply the model for anomaly detection (no standardization)."""
        X = df[param['feature_variables']].copy()

        # 1. Type conversion
        X = X.replace({True: 1, False: 0})

        # 2. Handle special characters / missing values
        X = X.apply(pd.to_numeric, errors='coerce')  # values that cannot be converted become NaN
        X = X.fillna(0)

        # 3. Unify types
        X = X.astype('float32').values

        # X = df[param['feature_variables']].values

        # Reconstruction prediction
        X_reconstructed = model.predict(X)

        # Compute the reconstruction error
        reconstruction_errors = np.mean(np.square(X - X_reconstructed), axis=1)

        # Anomaly threshold setting; float() accepts a value passed in as a string
        threshold_percentile = float(
            param.get('options', {}).get('params', {}).get('threshold_percentile', 95)
        )
        threshold = np.percentile(reconstruction_errors, threshold_percentile)

        # Build the results
        df_result = df.copy()
        df_result['reconstruction_error'] = reconstruction_errors

        filtered_errors_1 = df_result.loc[df_result['is_work'] == 1, 'reconstruction_error']
        filtered_errors_0 = df_result.loc[df_result['is_work'] == 0, 'reconstruction_error']

        threshold_1 = np.percentile(filtered_errors_1, threshold_percentile) if not filtered_errors_1.empty else np.nan
        threshold_0 = np.percentile(filtered_errors_0, threshold_percentile) if not filtered_errors_0.empty else np.nan

        df_result['threshold'] = np.where(df_result['is_work'] == 1, threshold_1, threshold_0)
        df_result['is_anomaly'] = (reconstruction_errors > threshold).astype(int)

        # Optional hidden-layer features
        if param.get('options', {}).get('params', {}).get('return_hidden', False):
            intermediate_model = Model(inputs=model.inputs, outputs=model.layers[1].output)
            hidden = intermediate_model.predict(X)
            # Reuse df_result's index so concat aligns rows even when the index is not 0..n-1
            hidden_df = pd.DataFrame(
                hidden,
                columns=[f"hidden_{i}" for i in range(hidden.shape[1])],
                index=df_result.index,
            )
            df_result = pd.concat([df_result, hidden_df], axis=1)

        return df_result

I used apply to call this model, but I want to see the threshold field returned in df_result.
As I said, the CURL command from the docs doesn't work. It already has a content-type header: https://docs.appdynamics.com/appd/24.x/24.12/en/extend-cisco-appdynamics/cisco-appdynamics-apis/api-clients#id-.APIClientsv24.10-GeneratetheTokenThroughtheOAuthAPIaccess-token-oauth-api
Not even mentioning there's two different commands in the example, one with basic auth added. I've tried all combinations of my username, domain, API client and still getting 401.

    $ curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://mothership2019052316285110.saas.appdynamics.com/controller/api/oauth/access_token" \
      -d 'grant_type=client_credentials&client_id=EnterpriseTest@mothership2019052316285110&client_secret=<secret>'
    HTTP/1.1 401 Unauthorized
    Content-Type: text/html; charset=UTF-8
    Content-Length: 204
    Connection: keep-alive
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    cache-control: must-revalidate,no-cache,no-store
    last-modified: Tue, 28 Jan 2025 08:17:18 GMT
    accept-ranges: bytes
    x-envoy-upstream-service-time: 13
    date: Mon, 03 Feb 2025 22:38:47 GMT
    server: istio-envoy
    x-envoy-decorator-operation: pdx-p-con-437-svc.pdx-p-con-437.svc.cluster.local:8079/*

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8">
    <title>Unauthorized</title>
    </head>
    <body>
    HTTP Error 401 Unauthorized
    <p/>
    This request requires HTTP authentication
    </body>
    </html>%
I restarted the Universal Forwarder (UF) and will now post the current log.

UF

    02-04-2025 09:39:14.415 +0000 WARN SSLOptions [0 MainThread] - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
    02-04-2025 09:39:14.419 +0000 INFO ServerConfig [0 MainThread] - SSL session cache path enabled 0 session timeout on SSL server 300.000
    02-04-2025 09:39:14.419 +0000 INFO ServerConfig [0 MainThread] - disableSSLShutdown=0
    02-04-2025 09:39:14.803 +0000 INFO ProxyConfig [16169 MainThread] - Successfully initialized enable_tls_proxy=0 from server.conf for splunkd.
    02-04-2025 09:39:14.803 +0000 INFO loader [16169 MainThread] - TLS proxy is not enabled. Will not start the TLS proxy server.
    02-04-2025 09:39:14.943 +0000 INFO TcpOutputProc [16248 parsing] - Initializing connection for non-ssl forwarding to 176.32.83.56:9997
    02-04-2025 09:39:15.035 +0000 INFO loader [16205 HTTPDispatch] - Setting SSL configuration.
    02-04-2025 09:39:15.035 +0000 INFO loader [16205 HTTPDispatch] - Server supporting SSL versions=TLS1.2

Indexer

    02-04-2025 09:39:15.098 +0000 ERROR TcpInputProc [9178 FwdDataReceiverThread-0] - Error encountered for connection from src=57.180.248.191:34536. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
I executed the following command on the Indexer:

    [root@f54fbdb70e7d mycerts]# $SPLUNK_HOME/bin/splunk cmd openssl verify -CAfile /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem /opt/splunk/etc/auth/mycerts/myCombinedServerCertificate.pem
    /opt/splunk/etc/auth/mycerts/myCombinedServerCertificate.pem: OK

Then, I copied the contents of /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem to /opt/splunkforwarder/etc/auth/mycerts/myCertAuthCertificate.pem on the Universal Forwarder (UF). Why am I still getting the error "Verify return code: 19 (self signed certificate in certificate chain)"?
Hi @dmoberg, to my knowledge, this is the only solution; there is nothing automatic. Ciao. Giuseppe
Update your Content-Type to this and it will work again, it is mentioned in the release notes of the last Controller Update -  {"Content-Type": "application/x-www-form-urlencoded"}
Hello, Splunkers! A couple of days ago I was trying to test the Splunk UI Toolkit, but I couldn't connect to Splunk Cloud. I also couldn't find any documentation related to Cloud, so do you know how to make it work? I'd really appreciate your help and reply. Maximiliano Lopes
I'm having the same issue and it started happening a few days ago. The CURL command from the docs still throws 401.
Yeah, it works. Sorry, I need to activate showDataLabels in the charting options. Thanks a lot.
Errors from indexer.

    02-04-2025 08:56:10.854 +0000 ERROR TcpInputProc [9178 FwdDataReceiverThread-0] - Error encountered for connection from src=57.180.248.191:52696. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
@gcusello, thanks, but we need this to happen automatically. There has to be some way to fix this?
And here it is working. Please share your search and dashboard source (preferably in a code block </>) to see if there is something else going on.
Hi @dmoberg, see if this old answer of mine solves your requirement: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-clear-reset-the-value-of-a-token/td-p/601208 Ciao. Giuseppe