All Posts


Hi @Yash .Gore, Thanks for asking your question on the community. Were you able to find any more information on your problem, or even a solution you can share here? If you're still looking for help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)
Hi @Pondani.Chisi, I asked around and this is what I was told. There is not a way to do this. It's possible that the actual deletion takes place later and is somewhere in the DB, but then we are talking about involving ops, engineering, etc. to fetch it.
Please share your anonymised raw event in a code block (using the </> button)
The cluster/manager/info endpoint should have what you want.  See https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo
Is this an XML or Studio dashboard example?  What viz are you using? custom vs OOTB?
https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo  
If this is a report then put both inside the same timechart and trellis the results to get your 2 graphics. If this is a dashboard then create a base search and then 2 viz that pull from the same base search but augment each with a unique timechart command.
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for modifications before closing a file after reaching an End-of-File (EOF) marker.
* Tells the input not to close files that have been updated in the past 'time_before_close' seconds.
* Default: 3

Is it possible that the file is not producing an EOF marker? Or that something keeps chatting to the file?
Thank you for your reply and sorry for the confusing description. I have a basic search and want to output two graphics by timechart:
- the first contains a timechart of my search
- the second contains the same timechart of the same search, but with a dedup of one specific field in the search.
Hope it clarifies my request a bit. Thanks
| timechart count(field) as TotalVolume, dc(field) as UniqueFieldValues

Depending on what you need, the above might not be it; it was a little confusing, so the other option, from what I speculate you need, is: do the timechart to 'count by field' and then eventstats to calculate the total.
I hope I can find this trick in the future if I ever need this.
Morning everyone, I want to display for my search two timecharts, one with and one without dedup of a certain field. Thanks!
How long has it been?  Sometimes it takes a day or two.
Can you help with spath?
This looks like JSON - you might be better off using spath to parse the event.
I have a log which contains multiple countries in the same format, so it is grabbing all the other countries from the same individual log. For example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}
teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if I use

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

it shows me IND and USA, but I only want the country related to student. Also, as I stated earlier, the position of "country":"*" is not the same for all logs; it can come anywhere between Student:{*}
Hello to everyone! I planned to ingest *.csv files using Universal Forwarder from Windows Server 2019 in batch mode. It sounds pretty trivial, but I ran into a problem. After the appearance of a new file, I observe new events through a search head, and in the end I expect that the file will be deleted by Splunk UF, but the file still remains. It seemed that the problem was related to file access, but I can't find any related errors in the logs of this UF instance. So, what could be the root cause of this behavior?

inputs.conf

[batch://C:\ProgramData\ScriptLog\spl_export_vmtools_status\vmtools_stats_*.csv]
disabled = false
index = vsi
crcSalt = <SOURCE>
move_policy = sinkhole
sourcetype = vsi_file_vmtools-stats

props.conf

[vsi_file_vmtools-stats]
ANNOTATE_PUNCT = false
BREAK_ONLY_BEFORE_DATE = true
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = Time
Hi,

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.

Regex:
- \"country\":\": This part looks for "country":".
- (?<country>[^\"]+): (?<country>...) creates a group named country; [^\"]+ matches any character other than ". This part extracts the country value.

Finally, the country value (for example, IND) is stored in a new field named country. This structure helps extract the word country wherever it appears.

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101: (country":"([^"]+))
Hi Rick, thanks for the reply. Many customers are using this app as a final product from Splunk. We would like to enable injections as easily as possible and not break connections between Splunk_TA_nix and our custom app. You can see my example in the article. The only thing needed for this to work is a small change in the scripts. Here is a very easy and dirty example of how the script could be improved:

diff cpu_metric.sh cpu_metric_new.sh
4a5,11
> # OPTIONS
> if [ "$#" -eq 1 ]; then
> OPTIONS="$1"
> else
> OPTIONS="-P ALL 1 1"
> fi
>
24c31,32
< CMD='sar -P ALL 1 1'
---
> #CMD='sar -P ALL 1 1'
> CMD="sar $OPTIONS"

I hope I am not the only one who will appreciate this.
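Review bot: In the `4a5,11` and `24c31,32` hunks, `OPTIONS="$1"` is taken from the script's first argument without any validation and is then spliced unquoted into `CMD="sar $OPTIONS"`, so whatever invokes the script decides what ends up on the sar command line (and, depending on how CMD is executed later in the script, shell metacharacters in that argument would be interpreted as well). Suggest checking the argument against an allow-list of accepted sar option sets before assigning it, or holding the options in a bash array instead of a string, so that the default `-P ALL 1 1` behaviour cannot be replaced by an arbitrary command string. Also, `[ "$#" -eq 1 ]` silently falls back to the default when two or more arguments are supplied, which hides a misconfigured input; writing a message to stderr in that branch would make that visible in the forwarder logs.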
Hi all, Is it possible to get information on the cluster manager config bundle through the REST API? I am specifically looking for the active bundle hash/Active Bundle ID.