All Posts
I am trying to remove the year from the time labels on the area chart without it messing up the chart's format. I've tried fieldformat, but that would mess up the chart when the new year happens; any help would be great.
| eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")

You didn't nest the second IF statement:

| eval description=if('app'=="linux", host."-".alert_type, if('app'=="windows", host."-".severity, "false"))
I am trying to create a new field called "description" that contains values from two other existing fields. If field "app" is equal to linux, then I want to combine existing fields "host" and "alert_type". If field "app" is equal to windows, then I want to combine existing field values "host" and "severity". If app equals anything else, I want the value to be false. Below is the eval I have, but it's not working:

| eval description=if('app'=="linux", host. "-" .alert_type', 'app'==windows, host. "-" .severity, "false")
Hi Ryan, Unfortunately, the uninstall-smart-agent instructions did not work.  I need to remove the dead/inactive Smart Agent from the controller Agent Management--->Agents--->Smart Agents section.  Thanks!
Hi, can anybody help with this problem, please?

source1: lookup Tab (lookup.csv)

att1 att2 att3
F1 1100 12.09.2024
F2 1100 23.04.2024
F3 1100 15.06.2024
F4 1100 16.03.2024

att1 is also in index=myindex

I want to have in a table, for all att1 from lookup.csv, the count of all events from index=myindex att1=$att1$ AND earliest=strptime($att3$, "%d.%m.%Y")

output:

att1 count(from myindex) att2 att3
F1 count 1100 12.09.2024
F2 count 1100 23.04.2024
F3 count 1100 15.06.2024
F4 count 1100 16.03.2024
@shalomsuresh These solutions don't work if there are more than 3 with the same score, e.g. if "f" had a score of 73 as well.
Hello @Kathryn.Green, I was told you should be having a conversation soon with AppDynamics about your questions here, as they have reached out privately.
Is there a way to get Service Endpoint values (response time, load, errors) into Analytics so it can be queried? I have multiple custom service endpoints that are looking at the performance of api calls from a specific customer.  They are calls like createCart and placeOrder etc. Is there a way for me to get the values like load, response time, and error counts for these service endpoints, in Analytics? I know I can get those metrics for business transactions, but these service endpoints are subsets within the BTs.  I don't want to have to create a custom BT for each of these custom service endpoints if I can avoid that. Thanks, Greg
Hi @Huy.Nguyen, First off, cool profile pic! Second, I found this AppD Docs page that could be helpful on how to uninstall a Smart Agent with Command line. https://docs.appdynamics.com/appd/24.x/24.8/en/agent-management/smart-agent/uninstall-smart-agent
Hi, Is the Dnslookup available in Splunk cloud like enterprise?
If you want to avoid using 2 streamstats you shall try this way,

| streamstats count as Rank
| delta Score as Diff
| eval Rank=if(Diff=0,Rank-1,Rank)
| fields - Diff

And with 2 streamstats you shall try this so as to avoid 1 extra filldown command,

| streamstats count as Rank
| streamstats window=2 range(Score) as range
| eval Rank=if(Rank=1 OR range != 0, Rank, Rank-1)
Hi, What if we are unable to upgrade the controller (v24.4.1) to version 24.6 or higher at this time, is there a way to remove the inactive Smart Agent from the controller via the command line or from the database?  Thanks!
Have you tried the lookup command https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup  
I lessened the amount of fields in the csv and that solved the issue. 
Hi Team, can you please help me to provide a solution to use a csv file with the external vs internal user id data in Splunk. Below is the current query and output that extracts the internal userid, and I need another column to add the corresponding external user id.

Csv file : ABC.csv

usr_id,eml_add_ds
internal user id 1 , external user id 1
internal user id 2 , external user id 2
internal user id 3 , external user id 3
internal user id 4 , external user id 4

Query :

(index=ABC) ("Start" OR "Finish") Properties.AspNetCoreEnvironment="*"
| rex field=Message "Start:\s*(?<start_info>[^\s]+)"
| rex field=Message "user\s(?<Userid>[^\took|.]+)"
| search start_info=*
| table Userid
| sort time

Output :
It is difficult to tell without seeing your events and lookup file values but taking a clue from the field name "cidr", does your lookup file contain CIDR-style values, and if so, have you created a lookup definition with advanced setting for match type CIDR(cidr)?
@richgalloway @jawahir007 Thank you both for the nice explanation. As part of my migration activity, I want to clean up or remove all the unnecessary sourcetypes from Splunk so that we may use less disk space and move data more quickly from the old server to the new one. But as per your suggestion, the delete command will never reduce disk space, and in migration the entire data will have to be copied. Am I understanding it correctly?

Some more additions to my first ask:

1. All the sourcetypes come from one source.
2. All the sourcetypes belong to only one index.
3. We are using transforms and props to build the sourcetypes. When a particular type of pattern of events comes, then transforms create the sourcetype (as per the regex mentioned inside).
4. All the parsing and filtering will be taken care of by a python script.
5. Both unnecessary and necessary sourcetypes are included in that one index.

Thanks
Finally got what I wanted.

| inputlookup servers
| dedup host
| sort host
| table host host

...this gives me the delineated list of servers that are individually selectable. Now I need to add my parameter tokens to trim the list down based on the first 3 LOVs. Thanks all!
1. Using Delete Command

In Splunk, the delete command is used to mark events as deleted from search results. However, it does not physically remove the events from disk or from the index. Instead, it hides the marked events so they are not returned in future search results. The events are still present in the index but flagged as deleted.

2. Permanently Delete Data via Index Cleanup (Retention Policies)

To physically delete data from Splunk's indexes, you typically rely on index retention policies. Splunk automatically deletes older data based on index size or time-based retention policies.

Set Index Retention Policies:

Maximum Size (based on disk usage): Once the index exceeds a defined size, Splunk will delete the oldest data.
Time-based Retention: Splunk can automatically remove data that is older than a specific period (e.g., data older than 30 days).

Steps: Modify the indexes.conf file, located in $SPLUNK_HOME/etc/system/local/indexes.conf or within an app-specific folder. Example configuration for size- or time-based retention (comments are placed on their own lines, since Splunk .conf files do not support trailing comments after a value):

[your_index]
# Set the maximum size of the index in MB
maxTotalDataSizeMB = 5000
# 30 days in seconds (30 * 24 * 60 * 60)
frozenTimePeriodInSecs = 2592000

maxTotalDataSizeMB: Sets the maximum disk space the index can use. When this limit is reached, older data is deleted.
frozenTimePeriodInSecs: Specifies the number of seconds to retain the data. Once the data is older than this, it will be deleted.

After the index reaches the size or time threshold, old data is deleted automatically by Splunk.