All Posts

Summary index or any alternative

Hi, I have created a dashboard with 8 panels and the time frame is last 5 minutes. I kept that shorter time frame because for this platform we are receiving large chunks of data. The app team wants this dashboard to run for longer time frames, maybe last 7 days. If we are running for the last 7 days, the search is taking so much time and a lot of resources are getting wasted. They asked for a solution to implement a longer time frame with faster results. I explored and found a SUMMARY index as an option but have never worked on it. Can this help me? We have nearly 100+ indexes in that particular platform and the sourcetype is the same for all. We have RBAC implemented for each index (restricting app A users from viewing app B logs and vice versa). Now if I implement a summary index here, can this RBAC still take effect, because the summary index provides data for all indexes, and if it is used in the dashboard, can an app A user see app B logs by any chance, or does the set RBAC apply here over the summary index? Or else suggest other alternatives as well. At the end it should align with my RBACs created.
What would be the expected result from your sample data? 8 events and 52044 total bags or something else?

| bin span=1d TIME
| stats count latest("TOTAL DAILY BAGS") as TOTAL_DAILY_BAGS by TIME
| stats sum(count) as total_events sum(TOTAL_DAILY_BAGS) as total_daily_bags

If your TIME field is not already the date (as shown in your sample), you may need to bin it first.
Hi @Simona11

You could try:

| timechart span=1d latest("TOTAL DAILY BAGS") as daily_bags, count as total_alarms
| stats sum(total_alarms) as total_alarms, sum(daily_bags) as total_bags

| makeresults count=8
| streamstats count as row
| eval AREA=case(row=1,"1111", row=2,"1111", row=3,"1222", row=4,"1323", row=5,"1323", row=6,"1222", row=7,"1111", row=8,"1323")
| eval "ALARM DESCRIPTION"=case(row=1,"TRIGGER", row=2,"TRIGGER", row=3,"FAILURE", row=4,"FAILURE", row=5,"HAC", row=6,"FAILURE", row=7,"FAILURE", row=8,"TRIGGER")
| eval "TOTAL DAILY BAGS"=case(row<=5,18600, row>5,33444)
| eval TIME=case(row<=5,"2024-03-01", row>5,"2024-02-01")
| eval _time=strptime(TIME,"%Y-%m-%d")
| timechart span=1d latest("TOTAL DAILY BAGS") as daily_bags, count as total_alarms
| stats sum(total_alarms) as total_alarms, sum(daily_bags) as total_bags

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
I have a lookup table with daily records which includes: area, alarm description, date, number of bags per area and for that specific day (repetitive number). There is a timestamp for each alarm, and a bag column repeating the total bags for that day (same number appears multiple times because the same day has multiple alarm rows). I want to:

1) compute the total number of bags for the whole 3-month period.
2) compute the total number of alarm events (counted as total occurrences across 3 months).

What is the best approach in Splunk Enterprise to get both in the same final stats result?

Example of scenario:

AREA  ALARM DESCRIPTION  TOTAL DAILY BAGS  TIME
1111  TRIGGER            18600             01/03/2024
1111  TRIGGER            18600             01/03/2024
1222  FAILURE            18600             01/03/2024
1323  FAILURE            18600             01/03/2024
1323  HAC                18600             01/03/2024
1222  FAILURE            33444             01/02/2024
1111  FAILURE            33444             01/02/2024
1323  TRIGGER            33444             01/02/2024
It is not so much the copy paste, it is the value used for All, this needs to be "All" not "*" (similarly with the initialValue)

<form version="1.1" theme="light">
  <label>All handling</label>
  <search id="base_search">
    <query>| makeresults format=csv data="categories
A
B
C"
| table categories</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="multiselect" token="categories">
      <label>Categories</label>
      <choice value="All">All</choice>
      <default>All</default>
      <initialValue>All</initialValue>
      <fieldForLabel>categories</fieldForLabel>
      <fieldForValue>categories</fieldForValue>
      <search base="base_search">
        <query> |stats count by categories </query>
      </search>
      <valuePrefix>testCategories="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> AND </delimiter>
      <change>
        <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval>
        <eval token="categories_choice">if('form.categories'=="All","categories=\"*\"",'categories')</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html> Categories: $categories_choice$ </html>
    </panel>
  </row>
</form>
Hi Team, I am new to this community. I am working on golang integration with appdynamics. Go sdk is not available in appdynamics downloads. Can anybody help me how to get it? And, if anyone can share the documentation for integration of app dynamics with golang, that would be really helpful. Thanks in advance. #AppDynamics #AppD #Golang #integration
Hi Team,

I am currently working on monitoring a C++ application in AppDynamics. I have instrumented other applications (Java, PHP, .Net), but this looks totally different. As per the documentation, these were the 3 steps, but I am a bit confused.

1. Add the AppDynamics Header File to the Application - This is fine, I will add this line #include <path_to_SDK>/sdk_lib/appdynamics.h in the application source code. But is there any specific file name or instructions for this?

2. Initialize the Controller Configuration - Do the values mentioned below need to be updated in the C++ application source code to call the AppDynamics SDK? If so, do both of these code blocks need to be included, and how do I call the SDK?

const char APP_NAME[] = "SampleC";
const char TIER_NAME[] = "SampleCTier1";
const char NODE_NAME[] = "SampleCNode1";
const char CONTROLLER_HOST[] = "controller.somehost.com";
const int CONTROLLER_PORT = 8080;
const char CONTROLLER_ACCOUNT[] = "customer1";
const char CONTROLLER_ACCESS_KEY[] = "MyAccessKey";
const int CONTROLLER_USE_SSL = 0;

struct appd_config* cfg = appd_config_init(); // appd_config_init() resets the configuration object and passes back a handle/pointer
appd_config_set_app_name(cfg, APP_NAME);
appd_config_set_tier_name(cfg, TIER_NAME);
appd_config_set_node_name(cfg, NODE_NAME);
appd_config_set_controller_host(cfg, CONTROLLER_HOST);
appd_config_set_controller_port(cfg, CONTROLLER_PORT);
appd_config_set_controller_account(cfg, CONTROLLER_ACCOUNT);
appd_config_set_controller_access_key(cfg, CONTROLLER_ACCESS_KEY);
appd_config_set_controller_use_ssl(cfg, CONTROLLER_USE_SSL);

3. Initialize the SDK - This I understand is to be called from the source code to trigger the SDK; correct me if I am wrong. If my understanding is correct, are there any specific instructions to add these lines in the code?

int initRC = appd_sdk_init(cfg);
if (initRC) {
  std::cerr << "Error: sdk init: " << initRC << std::endl;
  return -1;
}
Hello everyone, I’m trying to integrate AppDynamics with a Golang application, and I came across mentions of an AppDynamics Go SDK. However, after checking the AppDynamics Downloads page, it doesn’t seem to be listed under the available Agents for the “Go SDK” category. Is the AppDynamics Go SDK still available? If so: Where can I download it? Any guidance or official confirmation would be greatly appreciated! Thanks in advance.    
Hi @SN1

Check out Splunk Alerts for Microsoft Teams - https://splunkbase.splunk.com/app/4855 This application provides alert actions for Microsoft Teams messages publication to allow formatted messages publication from Splunk. Then create alerts from the searches you have in your dashboards and use the Teams alert action from this app to send to your Microsoft Teams destination.
it works. curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config/mykvstore -d "field.my_new_column=string"   Thanks
So I have a dashboard and I want to send alerts to the Microsoft Teams channel. How can I do that?
@mwmw - Did @tej57 answer your question? If so, kindly accept the answer by clicking on "Accept as Answer".
Hey @meng, You can also check the latest status of your search head cluster using the REST endpoint as mentioned here - https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/9.4/cluster-endpoints/cluster-endpoint-descriptions#get-38 It'll always fetch the latest information for your cluster. And as for getting inaccurate information from metadata, as @gcusello mentioned, open up a support case with Splunk. Thanks, Tejas.
Well, I'm using Splunk Cloud so JS is not an option, and I've tried the second option but it's not working. Maybe something in the copy paste became wrong?

<input type="multiselect" token="categories">
  <label>Categories</label>
  <choice value="*">ALL</choice>
  <fieldForLabel>testCategories</fieldForLabel>
  <fieldForValue>testCategories</fieldForValue>
  <search>
    <query>index="stg_observability_s" sourcetype=SplunkQuality earliest=$time.earliest$ latest=$time.latest$ | search AdditionalData.domain="$domain$" AdditionalData.pipelineName="$pipelineName$" AdditionalData.buildId="$jobid$" AdditionalData.repoUrl="$repo$" | stats count by testCategories</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
  <delimiter> AND </delimiter>
  <valuePrefix>testCategories="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <change>
    <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval>
    <eval token="categories_choice">if('form.categories'=="All","categories=\"*\"",'categories')</eval>
  </change>
</input>
@sarit_s6 - That one requires Javascript to be written to remove "All" option. Reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-quot-All-quot-from-Multiselect-Input-in-Dashboard/m-p/301375   OR you can opt for complex XML editing suggested in this reference - https://community.splunk.com/t5/Dashboards-Visualizations/Remove-ALL-from-multi-select-input-once-any-value-is-selected/m-p/711199   I hope this helps!!! Kindly upvote if it does!!!
@Macedovin - Great that you joined the Splunk community here. And I'm glad that you were able to resolve the issue you had and even updated those details here.

It would be amazing if you could answer your own question here with the details that you currently have added in your question (UPDATE), so that future Splunk community users can clearly see your question and answer and can get help from it. Once you add your answer, please also mark it as "Accepted".

Community Moderator, Vatsal
Thanks, it's working. Is it also possible to set it so that when an object is selected it will remove the "ALL" automatically?
Hi @sarit_s6 , yes, you can use the IN operator and comma as separator. Ciao. Giuseppe
@Alan_Chan - Are you sure your Splunk port is 8443??  
@vader13 - You did not include the reference which mentions supported and not supported. Also, I'm not sure what you are referring to with HTTPOUT.