All Posts

Hi @yuanliu, thanks for the tips. I tried running the modified query. I got the results for ORDERS which are NOT AVAILABLE (which is the result of the first search). My requirement is to match ORDERS which are NOT AVAILABLE with ORDERS in the second log, and display ORDERS and UNIQUEID. Sharing the data here:

INFO [pool-9-thread-3] CLASS_NAME=Q, METHOD=, MESSAGE=response status for TransNum: 629f2ad - 400 | Response - {"code":0001,"message":"Not available","messages":[],"additionalTxnFields":[]}
INFO [pool-9-thread-7] CLASS_NAME=Q, METHOD=, MESSAGE=Request for TransNum: 629f2ad - {"address":{"billToThis":true,"country":"","email":"******************","firstname":"FN","lastname":"LN","postcode":"0","salutation":null,"telephone":"+999999999999"},"deliveryMode":"","payments":[{"amount":10,"code":"BFD"}],"products":[{"currency":356,"price":600,"qty":2,"uniqueid":"QSTRUJIK"}],"refno":"629f2ad","syncOnly":true}
Your by clause also includes dv_priority, which is why you are getting multiple results for an incident. Try something like this:

index=snow "INC783" | search dv_state="In Progress" OR dv_state="New" OR dv_state="On Hold" | stats max(_time) as Time latest(dv_state) as State latest(dv_priority) as Priority by number | fieldformat Time=strftime(Time,"%Y-%m-%d %H:%M:%S") | table number,Time, Priority, State
Not every chart type supports zoom/selections. You may need to represent your data in a different way, e.g. column chart, which does support zoom/selections.
From looking at what you have posted, it appears that there may be a space between the "-" and the start of the number which is not present in the regex. This is why we ask for event data and SPL code to be shared in code blocks, so these things can be more easily spotted. Assuming this is the case, then use the regex as I showed (not as you have apparently used).
+1 on that - don't use join unless there is absolutely no other way (or you have a very small dataset). Not only is it relatively slow and resource-hungry, it also has pretty serious limitations, and you can get wrong or incomplete results without knowing it.
Hi Team,

I have a Splunk query that I am testing for a ServiceNow data extract.

index=snow "INC783" | search dv_state="In Progress" OR dv_state="New" OR dv_state="On Hold" | stats max(_time) as Time latest(dv_state) as State by number, dv_priority | fieldformat Time=strftime(Time,"%Y-%m-%d %H:%M:%S") | table number,Time, dv_priority, State

The challenge with the code is that the above output is listing all the states for the particular Incident, even when I tried to filter for only the latest and max time.

number  Time                 dv_priority   State
INC783  2024-11-13 16:56:14  1 - Critical  In Progress
INC783  2024-11-13 17:00:03  3 - Moderate  On Hold

The data must only show the latest one, which must be the one with "On Hold". Tried multiple methods, but failing and showing all. How can I achieve it?

Thanks
Jerin V
Hi @bowesmana & @ITWhisperer,

Thanks for your reply!

I have tried using selection but am facing some errors; even after this warning, this is not working: "Invalid child="selection" is not allowed in node="viz""

<row>
  <panel>
    <title>status</title>
    <viz type="timeline_app.timeline">
      <search>
        <query>index=$siteid$ sourcetype=logs* CAT IN ("TAT") _raw=*** (NOT CODE=* OR CODE IN ("T11")) | head 100000 | eval Eventts_date=substr(Eventts,1,10) | eval Eventts_time=substr(Eventts,12,8) | eval Eventts_new=Eventts_date." ".Eventts_time | eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N") | fillnull value="N/A" ............................. | eval displayname="Operational".displayname | table _time displayname FIELD_01 duration | append [ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ad13")) | head 100000 | eval Eventts_date=substr(Eventts,1,10) | eval Eventts_time=substr(Eventts,12,8) | eval Eventts_new=Eventts_date." ".Eventts_time | eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N") ..............................
| table _time displayname FIELD_01 duration ]</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="drilldown">none</option>
      <option name="height">460</option>
      <option name="refresh.display">progressbar</option>
      <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
      <option name="timeline_app.timeline.colorMode">categorical</option>
      <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
      <option name="timeline_app.timeline.minColor">#FFE8E8</option>
      <option name="timeline_app.timeline.numOfBins">6</option>
      <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
      <option name="timeline_app.timeline.useColors">1</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
      <selection>
        <set token="selection.earliest">$start$</set>
        <set token="selection.latest">$end$</set>
        <set token="start.count">$start.count$</set>
        <set token="end.count">$end.count$</set>
      </selection>
      <drilldown>
        <link target="_blank">search?q=
          <query>index=$siteid$ sourcetype=FSC* CAT IN ("TAT") _raw=*** (NOT CODE=* OR MARKCODE IN ("TZ11")) | head 100000 | where _time &gt;= $selection.earliest$ AND _time &lt;= $selection.latest$ | eval Eventts_date=substr(Eventts,1,10) | eval Eventts_time=substr(Eventts,12,8) | eval Eventts_new=Eventts_date." ".Eventts_time | eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N") .................. | table _time displayname FIELD_01 duration | append [ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ak03")) | head 100000 | eval Eventts_date=substr(Eventts,1,10) | eval Eventts_time=substr(Eventts,12,8) | eval Eventts_new=Eventts_date." ".Eventts_time | eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N") ............................................
| eval displayname="Maintenance".displayname | table _time displayname FIELD_01 duration ]</query>
        </link>
      </drilldown>
    </viz>
  </panel>
</row>
Yes, same issue when I tried. Only when disabling the operator flag, the deployment goes through
First, key-value pairs (field=value) are usually auto-extracted when KV_MODE is set to auto in props.conf (see "Configure automatic key-value field extraction" in the Splunk Documentation). If it is set to none, please set your field extraction under Settings --> Fields --> Field extractions; that's the right place for it.
Sample logs look like this:

adshdsfkdlfpofgsk message hdksodb Stage=8 gjhjyeomhf hjhdgy …

I deployed the configurations in the cloud instance from the Settings > Sourcetypes option.
Please share your sql query, table structure and some sample events.
Hi @NanSplk01, why do you want to use the subsearch? If I correctly understand, you need only to truncate the Message field to the first 3 chars, is that correct?

index=replicate category=* action=* Message=* | eval Msg=substr(Message,1,30) | stats values(category) AS category values(Msg) AS Msg BY action

Ciao.
Giuseppe
Hi @bond77s, not having your search (as @isoutamo also said) it's difficult to help you; at least, please describe your requirements better. Anyway, supposing that you have a search and you want to check if the hostname from the search is listed in the lookup, that MESSAGE_TEXT is a field in your main search, and that you want only the events with this condition, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" [ | inputlookup filename | rename hostname AS host | fields host ] | ...

Then, if in your main search you also have a field called ip and you want to check both host and ip, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" ([ | inputlookup filename | rename hostname AS host | fields host ] OR [ | inputlookup filename | fields ip ])

Ciao.
Giuseppe
Please share some sample data and explain how and where you configured the props.conf.
Check out the following helpful docs and specification files:

How Splunk Enterprise handles your data - Splunk Documentation
props.conf - Splunk Documentation
transforms.conf - Splunk Documentation
Hi @super_edition, my hint is to keep trying to use stats to reach the wanted output, because join is a very slow command that requires many resources, and it's always better to avoid it.

Ciao.
Giuseppe
Hi, I have deployed AppServerAgent-1.8-24.9.0.36347 with the following steps, but the agent is showing errors and not getting uploaded.

ENV APPDYNAMICS_CONTROLLER_HOST_NAME=" abc"
ENV APPDYNAMICS_CONTROLLER_PORT="443"
ENV APPDYNAMICS_AGENT_ACCOUNT_NAME="abc"
ENV APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY="your-access-key"
ENV APPDYNAMICS_AGENT_APPLICATION_NAME=" -----------"
ENV APPDYNAMICS_AGENT_TIER_NAME=" ----------- "
ENV APPDYNAMICS_AGENT_NODE_NAME="your-node name"

The agent is not getting loaded and is giving an error. Is it because the application name is not getting resolved, or do I need to make some other configurations?

2024-11-14 13:02:18 OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
2024-11-14 13:02:18 Java 9+ detected, booting with Java9Util enabled.
2024-11-14 13:02:18 Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_APPLICATION_NAME] for application name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:18 Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_TIER_NAME] for tier name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:18 Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_NODE_NAME] for node name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using selfService [false]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using selfService [false]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using ephemeral node setting [false]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using application name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using tier name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:19 Full Agent Registration Info Resolver using node name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:19 Install Directory resolved to[/opt/appdynamics]
2024-11-14 13:02:19 getBootstrapResource not available on ClassLoader
2024-11-14 13:02:20 Class with name [com.ibm.lang.management.internal.ExtendedOperatingSystemMXBeanImpl] is not available in classpath, so will ignore export access.
2024-11-14 13:02:20 Class with name [jdk.internal.util.ReferencedKeySet] is not available in classpath, so will ignore export access.
2024-11-14 13:02:20 Failed to locate module [jdk.jcmd]
2024-11-14 13:02:20 Failed to locate module [jdk.attach]
2024-11-14 13:02:23 [AD Agent init] Thu Nov 14 07:32:23 GMT 2024[DEBUG]: JavaAgent - Setting AgentClassLoader as Context ClassLoader
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: JavaAgent - Low Entropy Mode: Attempting to swap to non-blocking PRNG algorithm
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: JavaAgent - UUIDPool size is 10
2024-11-14 13:02:25 Agent conf directory set to [/opt/appdynamics/ver24.9.0.36347/conf]
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: JavaAgent - Agent conf directory set to [/opt/appdynamics/ver24.9.0.36347/conf]
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[DEBUG]: AgentInstallManager - Full Agent Registration Info Resolver is running
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_APPLICATION_NAME] for application name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_TIER_NAME] for tier name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:25 [AD Agent init] Thu Nov 14 07:32:25 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver found env variable [APPDYNAMICS_AGENT_NODE_NAME] for node name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using selfService [false]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using selfService [false]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using ephemeral node setting [false]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using application name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using tier name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Full Agent Registration Info Resolver using node name [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[DEBUG]: AgentInstallManager - Full Agent Registration Info Resolver finished running
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Agent runtime directory set to [/opt/appdynamics/ver24.9.0.36347]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Agent node directory set to [measurement-api-service-637966829491.us-east1.run.app]
2024-11-14 13:02:26 Agent runtime conf directory set to /opt/appdynamics/ver24.9.0.36347/conf
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: AgentInstallManager - Agent runtime conf directory set to /opt/appdynamics/ver24.9.0.36347/conf
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: JavaAgent - JDK Compatibility: 1.8+
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: JavaAgent - Using Java Agent Version [Server Agent #24.9.0.36347 v24.9.0 GA compatible with 4.4.1.0 r8d55fc625d557c4c19f7cf97088ecde0a2e43e82 release/24.9.0]
2024-11-14 13:02:26 [AD Agent init] Thu Nov 14 07:32:26 GMT 2024[INFO]: JavaAgent - Running IBM Java Agent [No]

Thanks & Regards
Rupinder Kaur
@gcusello  I was able to get the desired output with inner join
I'm creating it from scratch; 8080 and 9887 are not in listen state. I'm unable to connect to the master from the peer.

ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
INFO ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=http://host:port in case HTTP proxying needs to be enabled.
INFO ProxyConfig - Failed to initialize the proxy_rules setting from server.conf for splunkd. Please provide a valid set of proxy_rules in case HTTP proxying needs to be enabled.
INFO ProxyConfig - Failed to initialize the no_proxy setting from server.conf for splunkd. Please provide a valid set of no_proxy rules in case HTTP proxying needs to be enabled.
INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunk/var/log/introspection/http_event_collector_metrics.log'.
WARN SSLOptions - server.conf/[search_state]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
WARN SSLOptions - <internal>.conf/[<internal>]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s
Can you add your whole SPL query here? As @ITWhisperer said, your example doesn't contain any fields which have the value Radius.