All Posts
Hi @Prasad.V, I know we are coming back from the holidays here. I wanted to see if you saw the reply from Mario and wanted to reply to keep the conversation going.
Hi @Roberto.Barnes, Thanks for sharing your question on the community. It's been a few days with no reply. Did you happen to find a solution you can share here? If you are still looking for help, you can contact AppDynamics Support. How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
@AL3Z
stats: Calculates aggregate statistics over the entire dataset or subsets of the dataset.
eventstats: Calculates summary statistics for all existing fields in the search results and adds these statistics as new fields to each event.
I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
stats is a transforming command whereas eventstats is not. IOW, the output of stats contains only the fields explicitly given in the command, but the output of eventstats contains all of the existing event fields *plus* those calculated by the command. Use eventstats when you need to do a calculation across all events while preserving the events themselves. For example, to list the events where a field value exceeds the average:

    ... | eventstats avg(x) as AvgX | where x > AvgX ...
Eventstats can add new fields to existing events (hence the name), whereas using stats replaces existing events with stats events. So, in scenarios where you want to keep the events, you might use eventstats; where you want to replace the events with the results of stats functions, you would use stats.
I misunderstood your problem - your conditions need to use the values of the labels, i.e. US and EU:

    <form version="1.1" theme="light">
      <label>Hosts</label>
      <init>
        <set token="host">eks-prod-saas-ue1-*</set>
      </init>
      <fieldset submitButton="false">
        <input type="dropdown" token="connection">
          <label>Select Region</label>
          <default>dev-platform-postgres</default>
          <choice value="dev-platform-postgres">US</choice>
          <choice value="dev-platform-postgres-eu">EU</choice>
          <change>
            <condition label="US">
              <set token="host">eks-prod-saas-ue1-*</set>
            </condition>
            <condition label="EU">
              <set token="host">prd-shared-services-eu-eks*</set>
            </condition>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <html>
            <p>$host$ $connection$</p>
          </html>
        </panel>
      </row>
    </form>
Hello all! I need to get data from Splunk Observability (list of synthetics tests) into Splunk Cloud. I have tried to use this Observability API:

    curl -X GET "https://api.{REALM}.signalfx.com/v2/synthetics/tests" \
      -H "Content-Type: application/json" \
      -H "X-SF-TOKEN: <value>"

Then, I attempted to execute a cURL query in Splunk Cloud like this:

    | curl method=get uri=https://api.xxx.signalfx.com/v2/synthetics/tests?Content-Type=application/json&X-SF-TOKEN=xxxxxxxxxxx | table curl*

but I am getting the following error: HTTP ERROR 401 Unauthorized. Thanks for any help!
Hi, could you please let me know in what scenario we would use eventstats vs stats?
The behavior is very strange. To stop getting error messages, I had to reassign savedsearches to an existing admin account. The messages disappeared. It's a workaround. But I get lots of similar messages when I navigate to the Scheduler Activity: Instance dashboard in the monitoring console:

    01-06-2025 17:07:59.749 +0100 ERROR UserManagerPro [24247 TcpChannelThread] - user=“nobody” had no roles
Given the way that hot/warm/cold buckets and bucket replication work, it is in your best interest to make the site 1 and site 2 indexing tiers identical. Someone with advanced on-prem admin experience would be able to size this, but storage becomes your biggest concern with unaligned resources. If you have some sort of business or budget constraints then I get why you would have unaligned sites - however, personally I would very strongly suggest that both sites have identical compute and storage capacity at the indexing tier. Your individual indexer CPU count will determine how many concurrent searches can be run. The compute power of your new machines appears acceptable from the minimal information available. Keep an eye on skipped searches to confirm - the internal logs will indicate a skip reason. Ideally SH and IDX should keep similar, if not the exact same, CPU cores.
We are planning to upgrade our Splunk hardware. We currently have the below (multisite indexer cluster with independent search head clusters) and we are facing problems with low CPU count and high disk latency (we currently have HDDs). We primarily index data through HEC.

    Type                            Site  Number of nodes  CPU p/v (per node)  Memory GB (per node)
    SH cluster                      1     4                16/32               128
    Indexer cluster                 1     11               4/8                 64
    Indexer manager/License master  1     1                16/32               128
    SH cluster                      2     4                16/32               128
    Indexer cluster                 2     11               4/8                 64
    Indexer manager/License master  2     1                16/32               128

Daily indexing/license usage is 400-450GB, which may grow further in the near future.
Search concurrency example for one instance from 4 node SH cluster
We are trying to come up with the best hardware configuration that can support such load. Looking at Splunk recommended settings, we have come up with the below config. Can someone shed more light on whether this is an optimal config and also advise on the number of SH machines and indexer machines needed with such new hardware?
Site1: 3 node SH cluster, 7 node idx cluster
Site2: As we are using site2 for searching and indexing only during unavailability of site1, maybe it can be smaller?

    Role         CPU (p/v)  Memory
    Indexer      24/48      64G
    Non indexer  32/64      64G
I also tried:

    <fieldset submitButton="false">
      <input type="dropdown" token="connection">
        <label>Select Region</label>
        <default>dev-platform-postgres</default>
        <choice value="dev-platform-postgres">US</choice>
        <choice value="dev-platform-postgres-eu">EU</choice>
        <change>
          <condition match="$connection$==dev-platform-postgres">
            <set token="host">eks-prod-saas-ue1-*</set>
          </condition>
          <condition match="$connection$==dev-platform-postgres-eu">
            <set token="host">prd-shared-services-eu-eks*</set>
          </condition>
        </change>
      </input>
    </fieldset>

but again $host$ is not updated on fieldset change.
Are these values always aligned, or are the values sometimes unaligned and you still want to know if they are in both fields?
Which Windows OS?
Hi @ITWhisperer, thanks for taking the time to reply. When using init, it only initializes the first time but doesn't update accordingly when the fieldset is changed.
Use an init block:

    <form version="1.1" theme="light">
      <label>Hosts</label>
      <init>
        <set token="host">eks-prod-saas-ue1-*</set>
      </init>
      <fieldset submitButton="false">
        <input type="dropdown" token="connection">
          <label>Select Region</label>
          <default>dev-platform-postgres</default>
          <choice value="dev-platform-postgres">US</choice>
          <choice value="dev-platform-postgres-eu">EU</choice>
          <change>
            <condition label="dev-platform-postgres">
              <set token="host">eks-prod-saas-ue1-*</set>
            </condition>
            <condition label="dev-platform-postgres-eu">
              <set token="host">prd-shared-services-eu-eks*</set>
            </condition>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <html>
            <p>$host$ $connection$</p>
          </html>
        </panel>
      </row>
    </form>
I am working on creating a dashboard to display data from my app. I have a dropdown where you select which environment you want to see data for. I need to set 2 values based on this dropdown: 1. connection for db queries 2. host for logs-based queries. I searched many options but couldn't get any to work. I am trying to do:

    <fieldset submitButton="false">
      <input type="dropdown" token="connection">
        <label>Select Region</label>
        <default>dev-platform-postgres</default>
        <choice value="dev-platform-postgres">US</choice>
        <choice value="dev-platform-postgres-eu">EU</choice>
        <change>
          <condition label="dev-platform-postgres">
            <set token="host">eks-prod-saas-ue1-*</set>
          </condition>
          <condition label="dev-platform-postgres-eu">
            <set token="host">prd-shared-services-eu-eks*</set>
          </condition>
        </change>
      </input>
    </fieldset>

and then be able to use both $host$ and $connection$ tokens in the dashboard, but I can't get $host$ initialized correctly. Any help would be appreciated. Also, as a side note, I am getting a warning "Expected at most 1 children of fieldset in dashboard, instead saw 2". How am I supposed to handle a case where I want 2 selections, one of date and one of connection?
Could you please share the sample raw logs and how are those looking in Splunk once they are ingested? Issues with Line breaking, timestamp assignment, field extraction?
You can disable those integrity checks as well if your Splunk environment is working fine after the upgrade. To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file.
Let me know if the below query helps:

    | makeresults count=3
    | streamstats count as field1
    | eval field2=field1+0
    | eval field2=if(field2=3, null(), field2)
    | fields - _time
    | eval field3=if(field1==field2, null(), field1)