Hi Yash
Obs (observed value): Average of all data points seen for that interval. For a cluster or a time rollup, this represents the weighted average across nodes or over time.
Min: Minimum data point value seen for that interval.
Max: Maximum data point value seen for that interval.
Sum: Sum of all data point values seen for that interval. For the Percentile Metric for the App Agent for Java, this is the result of the percentile value multiplied by the Count.
Count: Number of data points generated for the metric in that interval. The collection interval for infrastructure metrics varies by environment.
Remember, if you wish an immediate response, it's better to file a Support ticket with the Splunk AppD Support team.
Hi Kiran, Thanks for the info. I did post my solution earlier today. And, I think it pretty much mirrors what you've got. So, at least I know I am on the right wavelength.
I have attached the raw data to the post. I am trying the following query to identify the ResourceTypes and the count, but it is not giving me any results:
index=app_shared source=aws.config | stats count by resourceType | table resourceType
I think we can also narrow it down to only "detail-type": "Config Configuration Item Change"
| stats values(type) as types values(_time) as times by displayId
Note that this will give you the times in internal format (number of seconds since the beginning of 1970). If you want the times formatted, you should create a field with the formatted version and collect those values.
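The formatted-time variant described in the reply above, written out as an added example (not part of the original post). The `time_fmt` field name, the strftime format string and the search terms `index=ABC source=XYX` are assumptions.

```spl
index=ABC source=XYX
| eval time_fmt=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats values(type) as types values(time_fmt) as times by displayId
| table displayId, types, times
```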
@danielbb Create `inputs.conf` and `outputs.conf` on the Heavy Forwarder (HF) if you want to forward data directly from the HF to the indexers. Alternatively, create `inputs.conf` and `outputs.conf` on the Universal Forwarder (UF) to send data to the HF, which will then forward it to the indexers. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply. Thanks.
@danielbb Hello Daniel, please follow the steps below.
1. Install Splunk on all the required instances.
2. Enable the receiving port `9997` on the indexer.
3. If you are forwarding data from a Universal Forwarder (UF) to a Heavy Forwarder (HF) and then to the indexer, ensure the receiving port is open on both the Heavy Forwarder and the indexer.
4. Ensure the following ports are open:
- 9997: UF to HF and HF to Indexer
- 8089: Management port between Indexers and Search Heads
- 8000: Web port for HF and Search Head (optional for indexers in production environments)
5. Add your indexer to the Search Head:
- Navigate to Settings > Distributed Search > Distributed Search Setup
- Enable distributed search, then go to Settings > Distributed Search > Search Peers
- Add the indexer details here and restart the Splunk instance.
6. If required, open port `8000` for the web interface on the Heavy Forwarder and Search Head. While optional for indexers, this port is typically not opened on production indexers.
Note: Before configuring Splunk, perform a telnet test to verify port connectivity:
- From UF to HF: `telnet <HF_IP_Address> 9997`
- From HF to Indexer: `telnet <Indexer_IP_Address> 9997`
- From Indexers to Search Heads: Ensure the management port `8089` is open.
I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply. Thanks.
I'm in the process of creating a small Splunk installation and I would like to know from where I would download the syslog-ng Linux Ubuntu installation for version 20.x.
I got the expected result using your solution; the rest I will change according to my requirement.
index=ABC source=XYX | extract | fillnull value="Sending message to Common Booked topic" type | stats values(type) as types by displayId | where mvcount(types) = 4
Just one more help I need: how to add Time also in the table. Tried adding this but time is not printing.
| table _time, displayId, types
No, it's a custom-configured syslog-ng instance that I set up. After looking at the logs arriving, I saw that the logs that previously had the metadata part included now have nothing instead, and the separators (~~~EM~~~ and ~~~SM~~~) are missing too.
If I am using the below query, I am getting all Ids in the output which have all 3 types.
index=ABC source=XYX | stats values(type) as types by displayId | where mvcount(types) = 3
displayId types
ABC0000001; Posting Transfer Message
ABC0000001; Posting Transfer Message
ABC0000003; Posting Transfer Message
But if I am adding these 2 conditions, I am not getting any result.
| fillnull value="SENDING" type
| where mvcount(types) != 4 or types != "SENDING"