What if I want to remove RAISE-ALARM from the start?
The index is appearing inside the indexer cluster dashboard on the cluster master, but when I try to search it using the Search Head I can't find any data. I looked at splunkd inside one of the indexers and it appears to be working fine. Should I do a restart or something, or do I need to change anything?
Just dedup the field you want:

<input type="dropdown" token="department" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup department | table department

<input type="dropdown" token="Location" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup Location | table Location

<input type="dropdown" token="Company" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | dedup Company | table Company

You should also add a static value of "*" with a label of "All" to each dropdown.
| eventstats values(eval(if(status="Issue","Bad",null()))) as Health | fillnull value="Ok" Health
Try something like this:

| rex "^(?<line>.*proxy)"
You can add channel to all events with the same tran_id with eventstats:

| eventstats values(channel) as channel by tran_id
I want to extract the whole line up to "proxy":

RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy;
Hi @Siddharthnegi, could you share a sample of your full message, highlighting in bold the part to extract? Ciao. Giuseppe
Hi, I want to extract this line from an event:

RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy;
Sample query for the dropdowns (other tags exist):

<input type="dropdown" token="department" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | search department="$department$" Company="$Company$" Location="$Location$" | dedup department | table department

<input type="dropdown" token="Location" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | search department="$department$" Company="$Company$" Location="$Location$" | dedup Location | table Location

<input type="dropdown" token="Company" searchWhenChanged="true">
index=abc laas_appId=xyz source="/opt/src/var/sample.csv" | search department="$department$" Company="$Company$" Location="$Location$" | dedup Company | table Company
@batabay, when I ran your firewall-cmd command, I got that the port that has syslog is not inside the allowed ports to forward.
It's missing the field's value if all are Ok. I need the Health field to be populated with Ok if all status fields have the Ok value.
Thank you so much for your answer. It's pretty clear. I'm going to change my conf now.
The dropdown is also dynamically populated from the sample.csv file. Yes, if I select multiple values from the dropdown, it should display accordingly, like DRDO, Bangalore for both conditions. I actually need to apply this across all my other search results displayed in my dashboard, like the pie chart, table format, etc. But for now I am trying to sort it out for the single value count, so I can apply the same logic to the pie chart etc.
Thanks for the reply. The issue seems to come from our AD configuration. The popup redirects to an SSO login window, and if I use the "Not you?" button to specify a local user, it ignores it and jumps to the SSO login again. I have a support case with Splunk and this is what they've observed. So we need to check out this redirection issue internally.
Hi, I am trying to configure AWS Lambda running in Node.js in AppD. I have subscribed to the Serverless APM for AWS Lambda subscription. The Node.js version is 20.x. We selected a lambda function, added a layer, then added environment variables via the console. After adding the variables the lambda is executed, but the application is not reporting in the AppDynamics controller. What could be the reason? Is there any additional instrumentation required? Also, please confirm the ARN version to be used; the function is hosted in us-east-1. Also confirm whether the runtime is compatible or not with Node.js 20.
Hi @richgalloway, you were right. The datamodel "Endpoint" was not properly configured; the whitelisted indexes were empty. I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data. Any idea of what might be happening here? Also, I created the macro "summaryonly_config" as you suggested, but new errors appeared related to the other two missing macros, "oldsummaries_config" and "fillnull_config". I also created these macros with a true value in both cases. That seems to solve the issue with the search; no more errors are shown. Thanks.
Yeah, I got events from tcpdump... no blocking from the firewall.
> Have you correctly configured your HF to just forward events to indexers instead of storing them locally?

I have configured the index from the GUI and the data inputs as well. How could I know if it's stored locally or not?

> Have you configured other indexes on the HF which are currently found in your indexer cluster, and do those events go through this HF?

Yes, there are indexer names that come from the HF and are also found in the CM indexer cluster (they are coming from the HF).

> When you are configuring indexes on the CM, that doesn't mean that those are seen locally on the CM. Those indexes are pushed only into the peers!

When I configured the index from the HF I did the same inside indexes.conf in the manager-apps directory.

> Could it be that those new indexes are e.g. under master-apps and the old ones are under manager-apps on your CM? You should use only one of those places, not both.

All the indexers in the CM are inside manager-apps. I ran splunk btool indexes list --debug <your index name> and the index shows with the same settings as inside the CM after pushing the bundle.
Hi, basically it's enough that you have created the index on the cluster master and then pushed it to the search peers. On the HF it's more of a nice-to-have. Of course, if you have some modular inputs which you are configuring with the GUI, those usually need the indexes configured on the HF too.

Have you correctly configured your HF to just forward events to indexers instead of storing them locally? Have you configured other indexes on the HF which are currently found in your indexer cluster, and do those events go through this HF?

When you are configuring indexes on the CM, that doesn't mean that those are seen locally on the CM. Those indexes are pushed only into the peers!

Could it be that those new indexes are e.g. under master-apps and the old ones are under manager-apps on your CM? You should use only one of those places, not both. If I recall right, manager-apps has higher priority over master-apps (the old place). So if you have any cluster peer configurations (also other than indexes.conf), then all configurations must move there, or otherwise they are not working.

Again, btool is your friend. You could go into any peer and try:

splunk btool indexes list --debug <your index name>

This shows whether it's deployed to the peer and, if so, where it is. If I recall right there are some options for running this also on the CM to see what it deploys to the peers, but I cannot find that option now. But anyhow, just look on your CM and ensure that you are using only master-apps or manager-apps and not both. Basically you should see this also in the _internal logs.

r. Ismo