All Posts

Hi @arunsoni , You can try below props;
[your_sourcetype]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{
TRUNCATE=20000
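
How Splunk applies a LINE_BREAKER such as the one in the reply above, as an added Python emulation that is not part of the original post and is not Splunk code: text before the first capturing group ends the previous event, text after it starts the next, and the group itself is discarded. The sample lines are constructed, `ALT_BREAKER` is a hypothetical alternative included only for comparison, and TRUNCATE is applied per character here (Splunk counts bytes).

```python
import json
import re

# LINE_BREAKER and TRUNCATE values copied from the reply above.
LINE_BREAKER = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{"
)
TRUNCATE = 20000

# Hypothetical alternative (an assumption, not from the thread): only the
# newline run sits in the capturing group, so only the newline is discarded
# and the timestamp header stays at the start of each event.
ALT_BREAKER = re.compile(
    r"([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]"
)

# Constructed sample in the shape of the log in the question (shortened JSON).
SAMPLE = (
    '2024-07-31T01:38:09.930Z [INFO] ContentGenerator '
    '{"recordType":"CGStats","front":{"requests":10}}\n'
    '2024-07-31T01:38:09.931Z [INFO] ContentGenerator '
    '{"recordType":"CGHealth","Status":200}\n'
)


def break_events(stream, breaker=LINE_BREAKER, truncate=TRUNCATE):
    """Emulate LINE_BREAKER event breaking on a text stream.

    For every match, the previous event ends where capturing group 1 starts
    and the next event begins where group 1 ends. Whatever group 1 matched
    is dropped. Empty events are skipped, and each event is cut to
    `truncate` characters (0 disables truncation, as in props.conf).
    """
    pieces = []
    start = 0
    for match in breaker.finditer(stream):
        pieces.append(stream[start:match.start(1)])
        start = match.end(1)
    pieces.append(stream[start:])

    events = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        events.append(piece[:truncate] if truncate else piece)
    return events


def record_types(events):
    """Parse each event as JSON and return its recordType (None if not JSON)."""
    types = []
    for event in events:
        try:
            types.append(json.loads(event).get("recordType"))
        except ValueError:
            types.append(None)
    return types


if __name__ == "__main__":
    for name, breaker in (("reply", LINE_BREAKER), ("alternative", ALT_BREAKER)):
        events = break_events(SAMPLE, breaker)
        print(name, len(events), "events")
        for event in events:
            print("   ", event[:60])
```

With the breaker from the reply, each indexed event is the bare JSON body, which is also why `DATETIME_CONFIG=CURRENT` is paired with it: the timestamp text sits inside the discarded group.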
Hello dear, I installed AppDynamics platform recently and I want to instrument a dotnet core application in Docker. In all the other agents, such as machine-agent, I used secure credentials, but for dotnet core in containers I couldn't find any reference for an environment which I can set in the Docker image. Is there any way I can use secure credentials like the Java agent?
Hi @gcusello What stanza should I insert in inputs.conf to monitor all the client accesses to the DC? And what do you mean by local events?
Hi @hazem , having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients but not the local events from each server. To have local events, you have to install UF on each client. Ciao. Giuseppe
Hi @Nawab , it's normal: alert runs are distributed between the three Search Heads. Ciao. Giuseppe
Hi @hazem , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I want my customer to be able to set the "interval" and control how frequent the module runs. I started with this:
default/inputs.conf
[app_name]
interval = 43200
and it worked as a default fallback, but once I added it to inputs.conf.spec, things started to break
[app_name://<name>]
interval = <integer>
The value was ignored. I tried 30 for every 30 seconds and tracked logs. Furthermore, I had this log message in my server:
Ignoring parameter "interval" for modular input "app_name" when scheduling the runtime for script="/opt/splunk/etc/apps/app_name/bin/script_name.py". This means potentially Splunk won't be restarting it in case it gets terminated.
What is the way to expose "interval" to end user? (Ideally in "more options" at the Add Input UI.)
Hello, Below is my log file and I want to break as two log events in splunk using props.conf(regex)   Expectation: Event1 : 2024-07-31T01:38:09.930Z [INFO] ContentGenerator Event 2 : complete json
We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?
| eval request_time=if(isnotnull(transactionID) AND isnotnull(customerID), time, null())
| eval response_time=if(isnotnull(transactionID) AND isnull(customerID), time, null())
| eventstats values(request_time) as request_time values(response_time) as response_time values(customerID) as customerID by transactionID
| eventstats values(type) as type by customerID
| stats values(request_time) as request_time values(response_time) as response_time values(status) as status values(type) as type by customerID transactionID
You could try something like this
| eval _raw=body
| multikv forceheader=1
Although you may need to rename the fields afterwards
index="index0" ``` Assuming you are actually searching _raw and that date has already been extracted ```
| rex "(?<vmbus>vmbus)"
| eventstats values(vmbus) as vmbus by date
| where vmbus="vmbus"
| search "dot"
| rex field=msg "VF\s+dot\s+(?<dot_number>\d+)"
| dedup msg
| sort _time,host
| stats range(_time) as n1 by host,dot_number
If this doesn't work for you, please share some actual (anonymised) events so we can see what you are actually dealing with rather than a confusing set of pseudo events.
So now the issue is, Some alarms triggered in 1 sh and others trigger in 2nd sh
@PickleRick , @jawahir007  Thank you for your responses; my issue has been resolved.  
I managed to solve this by commenting in web.conf following parameter: mgmtHostPort = xxx.xxx.xxx.xxx:8089
Hi All, I have a requirement where I need to filter the virtual machine outage occurrence from the kernel logs. I have sent kernel logs to splunk based on some pattern. Now I have an issue for filtering those values in splunk. Here the requirement is, I need to filter the data only if one "string" has appeared in logs on same day.
example: I have following logs in splunk
date1: hv_vmbus: registering driver hv_netvsc
date1:hv_netvsc 000d3 eth0: VF dot 1 added
date1:hv_netvsc 000d3 eth0: VF dot 2 added
date1:hv_netvsc 000d3 eth0: VF dot 2 removed
date1:hv_netvsc 000d3 eth0: VF dot 1 removed
date2:hv_netvsc 000d3 eth0: VF dot 1 added
date2:hv_netvsc 000d3 eth0: VF dot 2 added
date2:hv_netvsc 000d3 eth0: VF dot 2 removed
date2:hv_netvsc 000d3 eth0: VF dot 1 removed
I need to fetch the data for "dot" only if "hv_vmbus" pattern occurred on same date. Here I need only data in date1.
I tried following query but it isn't working for me.
"index="index0" | search "dot" | rex field=msg "VF\s+dot\s+(?<dot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as n1 by host,dum_number"
Requesting help for achieving this requirement. Thanks, Veeresh Shenoy
Ok. You are doing some strange things here. You're going several times over the same data extracting the same fields. You are doing negative matches. You're posting some partial search in pseudo-SPL. Just show us the source events (anonymized if need be) and describe the desired output and relation between events and output without using SPL.
In shcluster the scheduler distributes scheduled searches among shcluster members so that if you have 3 SHs 32 CPUs each, you have effectively 96 CPUs to distribute searches among. But a single search is run on a single SH and its results are replicated to other members. Also show shcluster-status shows way more information than just "up".
shcluster status is up. If notable should trigger on only on and correlation searches only run on 1 search head, what is the point of having a shcluster. Also what will happen of reports that use notable data. How will I control searches to be run on only 1 sh.
You didn't illustrate what the expected results look like. Based on the last stats in your OP, you only want to filter for first, last of people with a leave ticket, not to add any information about the ticket. Is this correct? In that case, just extract first and last in the second search and use it as subsearch, like this.
index=collect_identities sourcetype=ldap:query
    [ search index=db_mimecast splunkAccountCode=* mcType=auditLog
    | fields user
    | dedup user
    | eval email=user, extensionAttribute10=user, extensionAttribute11=user
    | fields email extensionAttribute10 extensionAttribute11
    | format "(" "(" "OR" ")" "OR" ")" ]
    [ search index=db_service_now sourcetype="snow:incident" affect_dest="STL Leaver"
    | dedup description
    | rex field=description "Leaver Request for (?<first>\S+) (?<last>\S+) -"
    | fields first last ]
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| stats values(email) AS email values(extensionAttribute10) AS extensionAttribute10 values(extensionAttribute11) AS extensionAttribute11 values(first) AS first values(last) AS last BY identity
Note the extraction of first and last depends on the precise format in description; additionally, it assumes that first and last contain no white space.