It still fails in that it appears that the if(payload.status==...) always evaluates to false, despite there being both "ok" and "degraded" events, so the sum is equal to the count of all events.
@splunklearner The Config Explorer app itself does not directly support running CLI commands, as it is primarily designed for managing configurations and validating them within Splunk’s web UI. This is an older link, and there isn’t any official Splunk documentation available for this specific topic. However, you can give it a try: https://community.splunk.com/t5/Deployment-Architecture/What-is-the-curl-command-used-on-the-deployer-to-apply-shcluster/td-p/202735?_gl=1zi5ycp_gcl_auMTQ4OTY1OTQ1MC4xNzM2MTkyNzY0FPAUMTQ4OTY1OTQ1MC4xNzM2MTkyNzY0_gaMTg5NTQwNDUzLjE3MzYxOTI3NjQ._ga_5EPM2P39FVMTczNjcwODUyNC4yLjEuMTczNjcwODY0Mi4wLjAuMTM1MTg2ODI4MA.._fplc*JTJCNEZ3U3B6Q0EycCUyQnd0dlR4ZVI0ekJXZlI3Y0kzQ3dEdDl1b3QyNGFRQ01pUCUyQlhXTmFRO If this reply helps you, Karma would be appreciated.
Hello everyone, I am in the process of installing a Java agent on Linux (RHEL8) for WebMethods. It's pretty straightforward in the documentation. However, there is a difference between the AppDynamics documentation and the WebMethods one.
In AppD, it says (and I am quoting here from webMethods Startup Settings):
For webMethods servers that use the Tanuki Java service wrapper for start-up, you need to configure the agent in the wrapper.conf file. See Tanuki Service Wrapper Settings.
Yet in WebMethods documentation (My webMethods Server Webhelp):
There are some parameters that do not relate to My webMethods Server but to the JVM itself. You set custom JVM parameters in the custom_wrapper.conf file for My webMethods Server, using the following syntax: wrapper.java.additional.n=parameter
Which configuration method is correct, and if both are correct, which one is recommended? Can the AppD documentation also be updated to include the default paths/locations of the .conf files in WebMethods?
We are currently using the Config Explorer app to update configurations across our deployments. My doubt here is how can I run a CLI command in Config Explorer? I need to give a CLI command on the Deployer to deploy apps across SH cluster members. We don't have backend server access as of now. Is it possible to run CLI commands through Config Explorer, or do we definitely need backend server access for that?
@AFKunc Kindly verify if the JSON data has been onboarded correctly. I tested it using the same data you provided. Could you confirm if this is the data you were expecting? I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
Hi bud, Have you tried creating a <p> on the dashboard and telling the script to display it?
<dashboard version="1.1" script="my_js.js">
  <label>My JS Output</label>
  <row>
    <panel>
      <html>
        <input type="button" value="Submit" id="submitButton" />
        <h1>This is my output</h1>
        <p id="my_script_output"></p>
      </html>
    </panel>
  </row>
</dashboard>
Then your js:
// Run output() when the Submit button is clicked
document.getElementById("submitButton").addEventListener("click", output);
function output() {
  let script_output = "This is my Output.";
  // Write the result into the <p id="my_script_output"> placeholder
  // (use textContent instead of innerHTML if the output is not trusted HTML)
  document.getElementById("my_script_output").innerHTML = script_output;
}
Does depend on how complex you want it to be... Let me know how you get on with this. Regards
@rohithvr19 Please check my answer below. https://community.splunk.com/t5/Dashboards-Visualizations/Can-I-call-a-Python-script-from-a-dashboard-and-output-its/m-p/398088 Thanks KV An upvote would be appreciated if any of my replies help you solve the problem or gain knowledge.
Currently there seem to be too many open questions about how your environment and its deployments are done. For that reason you should sit down with someone who has managed this environment and go through and document the correct way to deploy changes to the different servers. I suppose that they already have some automation or some defined processes for how this is done. Of course we could tell you some technical tips and tricks for making an individual change etc., but I’m quite sure that this is not the correct and long-lived solution for your problem!
Hello @isoutamo , We are trying to create a role (by using authorise.conf) in a DS app under etc/deployment-apps and it will be pushed to the deployer under shcluster/apps. From there, how do I push it to the search head cluster members? There are 3 SHs. We don't have access to the backend. I need to achieve this from Splunk Web. When I check the roles section on the SH, the created role is not showing, but on the Deployer authorise.conf under shcluster/apps is updated when I push it from the DS. Please help me with this.
Hi, I have json data structured as follows:
{
  "payload": {
    "status": "ok", # or "degraded"
  }
}
I'm trying to use the stats command to count the "ok" and "degraded" events separately. I am using the following query:
index=whatever | eval is_ok=if(payload.status=="ok", 1, 0) | stats count as total, count(is_ok) as ok_count
I have tried passing it through spath, , with "=" in the if condition, and several other approaches changes. What always happens is that both counts contain all elements, despite there being different numbers of them. Please help!
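A run-anywhere search for the behaviour described in the question above, added here as an example and not part of the original post. It builds five constructed events (three "ok", two "degraded") with makeresults and compares the unquoted field reference and count() on a 0/1 flag against the single-quoted field name with sum(); the field names unquoted_is_ok, count_of_flag and sum_unquoted are made up for the comparison.

```spl
| makeresults count=5
| streamstats count as n
| eval _raw=if(n<=3, "{\"payload\": {\"status\": \"ok\"}}", "{\"payload\": {\"status\": \"degraded\"}}")
| spath
| eval unquoted_is_ok=if(payload.status=="ok", 1, 0)
| eval is_ok=if('payload.status'=="ok", 1, 0)
| stats count as total,
        count(is_ok) as count_of_flag,
        sum(unquoted_is_ok) as sum_unquoted,
        sum(is_ok) as ok_count,
        count(eval('payload.status'=="degraded")) as degraded_count
```

In eval, an unquoted payload.status is parsed as the fields payload and status joined by the "." concatenation operator, so the comparison never matches, and count() counts every non-null value, including the 0 flags. Only the single-quoted name combined with sum() or count(eval(...)) separates the two statuses.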
Is it possible to execute a script through a button click and display the script's output on a Splunk dashboard? Has anyone implemented something similar before? Any guidance would be greatly appreciated, as I am currently stuck on this. Thank you!
Hello everyone! I would like to ask about the Splunk Heavy Forwarder Splunk-side config: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Splunk/heavyforwarder/ With those settings it will send the metadata in the format of key::value. Is it possible to reconfigure it to send metadata key-value pairs with some other key-value separator instead of "::"? If yes, how exactly?
Actually, I think transaction should work in this case. @bowesmana is correct that your command is missing host as parameter. But more than that, it is also missing option keeporphans. Also the determinant is not eventcount but closed_txn.
| transaction host maxspan=5m keeporphans=true startswith="%ROUTING-LDP-5-NSR_SYNC_START" endswith="%ROUTING-LDP-5-NBR_CHANGE"
| where closed_txn != 1
| stats count by host
Apply the above to this mock dataset:
_raw                              _time                host
1 %ROUTING-LDP-5-NBR_CHANGE       2025-01-11 19:02:45  host1
2 %ROUTING-LDP-5-NBR_CHANGE       2025-01-11 19:02:39  host2
3 %ROUTING-LDP-5-NBR_CHANGE       2025-01-11 19:02:33  host3
5 %ROUTING-LDP-5-NBR_CHANGE       2025-01-11 19:02:21  host0
6 %ROUTING-LDP-5-NSR_SYNC_START   2025-01-11 19:02:15  host1
7 %ROUTING-LDP-5-NSR_SYNC_START   2025-01-11 19:02:09  host2
8 %ROUTING-LDP-5-NSR_SYNC_START   2025-01-11 19:02:03  host3
9 %ROUTING-LDP-5-NSR_SYNC_START   2025-01-11 19:01:57  host4
10 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:01:51  host0
11 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:01:45  host1
13 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:01:33  host3
14 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:01:27  host4
15 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:01:21  host0
16 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:01:15  host1
17 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:01:09  host2
18 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:01:03  host3
19 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:00:57  host4
20 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:00:51  host0
21 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:00:45  host1
22 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:00:39  host2
23 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:00:33  host3
25 %ROUTING-LDP-5-NBR_CHANGE      2025-01-11 19:00:21  host0
26 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:00:15  host1
27 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:00:09  host2
28 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 19:00:03  host3
29 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 18:59:57  host4
30 %ROUTING-LDP-5-NSR_SYNC_START  2025-01-11 18:59:51  host0
You get
host   count
host2  1
host4  2
Here is an emulation that produces the above mock data
| makeresults count=30
| streamstats count as _count
| eval _time = _time - _count * 6
| eval host = "host" . _count % 5
| eval _raw = _count . " " . mvindex(mvappend("%ROUTING-LDP-5-NSR_SYNC_START", "%ROUTING-LDP-5-NBR_CHANGE"), -ceil(_count / 5) %2)
| search NOT (_count IN (4, 12, 24) %ROUTING-LDP-5-NBR_CHANGE)
``` the above emulates
index = test ("%ROUTING-LDP-5-NSR_SYNC_START" OR "%ROUTING-LDP-5-NBR_CHANGE")
```
Play with it and compare with real data.
I'm trying to create a simple status page visualization that mimics the style I've seen by Atlassian Statuspage. You can see it on the status page for Discord and Wiz. Currently, I have a timechart and if status=1 then it's up, but if status=0 then it's down. When the app is down, there is simply no bar on the graph. How do I "force" a value for the bar to appear but then color each bar based on the status value? I think I'm missing something really simple and hoping someone can point me in the right direction.
Current SPL
index=main app="myApp"
| eval status=if(isnull(status), "0", status)
| timechart span=1m max(status) by app
Current XML
<dashboard version="1.1" theme="light">
<label>Application Status</label>
<row>
<panel>
<chart>
<search>
<query>index=main app="myApp"
| eval status=if(isnull(status), "0", status)
| timechart span=1m max(status) by app</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.maximumNumber">1</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.columnSpacing">0</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.seriesColors">[0x459240]</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
Sorry I missed that part. I found this old post https://community.splunk.com/t5/Deployment-Architecture/What-is-the-curl-command-used-on-the-deployer-to-apply-shcluster/td-p/202735?_gl=1*row333*_gcl_au*MTI1NzYwOTM2Ni4xNzM2NjM1OTU2*FPAU*MTI1NzYwOTM2Ni4xNzM2NjM1OTU2*_ga*Mjc0NTEwOTk4LjE3MzY2MzU5NTY.*_ga_5EPM2P39FV*MTczNjYzNTk1Ni4xLjEuMTczNjYzNjM4Mi4wLjAuMTQ1OTAyMDQ4*_fplc*UXpNN09jNUpTRlNJbCUyQno4bmxjdVFQSjBNYTQ1bXdDVGxKcVc2TGJNWGpBNjF0RzV0ZldvMXElMkI3NjBtYWhRZ2kzT00ydjFmejlVUHVCbkh2UHhnTU5SJTJGTE1hbWFVNkNjeDNTYndDRndXdGV5eURwdUFmVFNwYjJHeFduT0x3JTNEJTNE#answer-321559 I haven’t suitable test environment on my hand now, but maybe this is still valid?
index IN (cart purchased) cart_id=* OR pur_id=*
| eval common_id=coalesce(cart_id, pur_id)
| eventstats dc(index) as common_count by common_id
| where index="cart"
| stats count as carts count(eval(common_count > 1)) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct
@isoutamo Look at the opening post, they have no CLI access on the servers. I assume it's either an infrastructure managed by a third party or they have very strict duty separation policies in place.