All Posts

Try something like this:

index="webmethods_prd" host="USPGH-WMA2AISP*" source="/apps/WebMethods/IntegrationServer/instances/default/logs/SmartIST.log" | eval Interface=mvindex(split(SmartISTINTERFACE," "),0) | stats count by Interface
@richgalloway the problem is the cached events are delivered more recently (lower priority transmission) than the actual current state event, which is why the search uses max(triggeredEventNumber) instead of first/last or earliest/latest, since I cannot forecast how many cached events may be delivered after the current state and before the next current state event is created (as a result of a state change, typically a battery percent change).
Thank you for the reply @richgalloway. The results I want to see are the fields for that triggered event number only.
I am getting a result like this. Query:

index="webmethods_prd" host="USPGH-WMA2AISP*" source="/apps/WebMethods/IntegrationServer/instances/default/logs/SmartIST.log" | stats count by SmartISTINTERFACE

Instead of the above, I want a report like this:
Hello all, I'm trying to reset a host under the DHM tab in TrackMe so I can remove a sourcetype it's not finding that no longer exists. However, when I do this I receive the error below. I have already checked my permissions and, as an admin, have the correct role to admin the app as well.
That is the way the values() function works.  It will list, in lexicographical order, all of the unique values for the given field.  What would you rather see?
Sorry for the confusion, I can clarify. I am looking for the left column in the picture to be in the left-most area where it is typically located when using the stats/chart count by command and not in the middle of the overall table. Similar to the CPUMFR column in picture above.
Please clarify the request.  There are 10 rows displayed so there is no middle one.  Not that it matters since there is no left/right orientation for (horizontal) rows.  If you are referring to the columns, then again I ask for clarification since there is no middle column when there are only 2 of them. That said, if you want to put the "Total" value at the bottom, put the addcoltotals command after the sort.
All, in the metric browser I see a DB appear under Backends|Discovered backend call... I also see the same backend under Overall Application Performance|My Tier|External Calls|Call-JDBC to Discovered backend... The calls-per-minute graphs are approximately the same shape, but the counts are not even close. Under Backends, the counts are much higher, like 5x higher. This app only has 1 active tier. Why is there such a large difference in counts? I would like to get a breakdown of DB calls per tier, but the numbers seem low. Thanks.
The Thread Name would be useful in coordinating with logs. Without any changes to apps, most apps print out thread names in their logging pattern. RequestGUID would not show up unless we plugged in something and made a very specific call, and that would mean modifying all apps/all calls to retrieve it once per transaction. I was hoping it could be retrieved, or that there would be a trick to make one of the Data Collectors call currentThread.getName to log it with requestGUID. Thanks.
I am looking to have the middle row of this table be in the left instead. I think something in the query is off and causing it to have a weird behavior.

index=main host=* sourcetype=syslog process=elcsend "\"config" $city$ | rex "([^!]*!){16}(?P<MEMGB>[^!]*)!" | chart count by MEMGB | addcoltotals label=Total labelfield=MEMGB | sort count desc

This is the current search query. The rex provides the data in the MEMGB column.
How do I return field values from a specific max(eventnumber)? This was helpful but did not solve my issue: Solved: How to get stats max count of a field by another f... - Splunk Community

We are ingesting logs from test devices. Each log has an event number, which I can search on to find the most recent event. When the devices disconnect from our cloud instance, they cache events, which are transmitted at a lower priority (newest to oldest) than real-time events. For example: event #100 connected to cloud, events 101-103 disconnected from cloud and cached, event #104 re-connected to cloud (latest status) received, then event 103 is transmitted, then 102, so using latest/earliest or first/last does not return the most recent status.

The logs consist of an event number and boolean (true/false) fields. Searching for max(event number) and values(boolean field value) results in both true/false for any time picker period that has multiple events, for example:

| stats max(triggeredEventNumber) values(isCheckIn) values(isAntiSurveillanceViolation) BY userName

userName       max(triggeredEventNumber)   values(isCheckIn)   latest(isAntiSurveillanceViolation)
NS2_GS22_MW    92841                       false true          FALSE

In the example the actual value of isCheckIn was true.
Here is a complete example event:

{
  "version": 1,
  "logType": "deviceStateEvent",
  "deviceSerialNumber": "4234220083",
  "userName": "NS2_GS22_MW",
  "cloudTimestampUTC": "2025-01-06T18:17:00Z",
  "deviceTimestampUTC": "2025-01-06T18:16:46Z",
  "triggeredEventNumber": 92841,
  "batteryPercent": 87,
  "isCheckIn": true,
  "isAntiSurveillanceViolation": false,
  "isLowBatteryViolation": false,
  "isCellularViolation": false,
  "isDseDelayed": false,
  "isPhonePresent": true,
  "isCameraExposed": false,
  "isShutterOpen": false,
  "isMicExposed": false,
  "isCharging": false,
  "isPowerOff": false,
  "isHibernation": false,
  "isPhoneInfoStale": false,
  "bleMacAddress": "5c:2e:c6:bc:e4:cf",
  "cellIpv4Address": "0.0.0.0",
  "cellIpv6Address": "::"
}
Hi @Stephen.Knott, I know we are coming back from the holidays. I wanted to bump this conversation to see if you could check out Mario's reply. If the reply helped, please click the Accept as Solution button; if not and you need more help, reply to keep the conversation going.
Hi @Uma.Boppana, I wanted to give this thread a nudge to see if you saw Mario's reply and want to keep the conversation going or if you found a solution you could share here.
Hi @Prasad.V, I know we are coming back from the holidays here. I wanted to see if you saw the reply from Mario and wanted to reply to keep the conversation going.
Hi @Roberto.Barnes, thanks for sharing your question on the community. It's been a few days with no reply. Did you happen to find a solution you can share here? If you are still looking for help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)
@AL3Z

Stats: Calculates aggregate statistics over the entire dataset or subsets of the dataset.

Eventstats: Calculates summary statistics for all existing fields in the search results and adds these statistics as new fields to each event.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
stats is a transforming command whereas eventstats is not. IOW, the output of stats contains only the fields explicitly given in the command, but the output of eventstats contains all of the existing event fields *plus* those calculated by the command. Use eventstats when you need to do a calculation across all events while preserving the events themselves. For example, to list the events where a field value exceeds the average:

... | eventstats avg(x) as AvgX | where x > AvgX ...
Eventstats can add new fields to existing events (hence the name), whereas using stats replaces existing events with stats events. So, in scenarios where you want to keep the events, you might use eventstats; where you want to replace the events with the results of stats functions, you would use stats.
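Added example (not from any of the replies above) that ties the stats-versus-eventstats distinction to the cached-event question earlier on this page, where triggeredEventNumber must pick the row and stats collapsed isCheckIn into both values. Because eventstats keeps every event, the per-user maximum can be attached to each event and then used as a filter, so only the event that actually carries that number survives; the index, sourcetype and the logType filter are assumptions, and the second query is an equivalent sort/dedup form.

```spl
index=devicelogs sourcetype=device_state logType=deviceStateEvent
| eventstats max(triggeredEventNumber) AS maxEvt BY userName
| where triggeredEventNumber=maxEvt
| table userName triggeredEventNumber isCheckIn isAntiSurveillanceViolation batteryPercent

index=devicelogs sourcetype=device_state logType=deviceStateEvent
| sort 0 - triggeredEventNumber
| dedup userName
| table userName triggeredEventNumber isCheckIn isAntiSurveillanceViolation batteryPercent
```

Both queries ignore arrival order entirely, so late-delivered cached events (103, 102 after 104 in the question's example) never displace the true current state; the eventstats form keeps duplicate copies of the maximum event if the same number was ingested twice, while dedup returns exactly one row per userName.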
I misunderstood your problem - your conditions need to use the values of the labels, i.e. US and EU:

<form version="1.1" theme="light">
  <label>Hosts</label>
  <init>
    <set token="host">eks-prod-saas-ue1-*</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="connection">
      <label>Select Region</label>
      <default>dev-platform-postgres</default>
      <choice value="dev-platform-postgres">US</choice>
      <choice value="dev-platform-postgres-eu">EU</choice>
      <change>
        <condition label="US">
          <set token="host">eks-prod-saas-ue1-*</set>
        </condition>
        <condition label="EU">
          <set token="host">prd-shared-services-eu-eks*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>$host$ $connection$</p>
      </html>
    </panel>
  </row>
</form>