All Topics


Hello, So I have 2 problems. I have an alert that fires emails whenever FILE_NAME=FILE_ERROR, and when that happens, I have to merge it with a list of users from internal with USER_TYPE=Internal. The tables are like so:
Main table:
_time   FILE_NAME
(time)  FILE_ERROR
Table that I want to merge with:
USER_TYPE  USER_EMAIL           USER_PHONE
Internal   internal1@gmail.com  1234
Internal   internal2@gmail.com  5678
I want the result to show like this:
_time   FILE_NAME   USER_TYPE  USER_EMAIL           USER_PHONE
(time)  FILE_ERROR  Internal   internal1@gmail.com  1234
(time)  FILE_ERROR  Internal   internal2@gmail.com  5678
So basically I want to fill all rows of FILE_NAME and (time) in the main table with the other table so I can use Alert for each result and send emails using $result.USER_EMAILS$. I have tried append, appendcols and join, but only 1 row had a value. Or I want the result table to look like this:
_time   FILE_NAME   USER_TYPE  USER_EMAIL                                USER_PHONE
(time)  FILE_ERROR  Internal   internal1@gmail.com, internal2@gmail.com  1234,5678
Does anyone have a solution for this?
Hello Splunk Experts, I have the following dashboard. I want to filter the dropdown "Select Operation" on the basis of the API and Method dropdown selection, but I am getting a 'duplicate values causing conflict' error. Below is my code:
<input type="dropdown" token="token_service" searchWhenChanged="true">
  <label>Select API:</label>
  <choice value="party_interaction_rest">PARTY INTERACTION</choice>
  <choice value="ticket_mgmt_rest">TICKET MANAGEMENT</choice>
  <choice value="customer_management_rest">CUSTOMER MANAGEMENT</choice>
  <choice value="agreement_management_rest">AGREEMENT MANAGEMENT</choice>
  <choice value="product_order_rest">PRODUCT ORDER</choice>
  <choice value="cust_comm_rest">CUSTOMER COMMUNICATION</choice>
  <choice value="product_inv_rest">PRODUCT INVENTORY</choice>
  <change>
    <condition label="PARTY INTERACTION">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:party_interaction_rest</set>
      <set token="uuid">"properties.o2-PartyInteraction-ReqId"</set>
    </condition>
    <condition label="TICKET MANAGEMENT">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:ticket_mgmt_rest</set>
      <set token="uuid">"properties.o2-TroubleTicket-ReqId"</set>
    </condition>
    <condition label="CUSTOMER MANAGEMENT">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:customer_management_rest</set>
      <set token="uuid">"properties.o2-CustomerManagement-ReqId"</set>
    </condition>
    <condition label="AGREEMENT MANAGEMENT">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:agreement_management_rest</set>
      <set token="uuid">"properties.o2-Agreement-ReqId"</set>
    </condition>
    <condition label="PRODUCT ORDER">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:product_order_rest</set>
      <set token="uuid">"properties.o2-ProductOrder-ReqId"</set>
    </condition>
    <condition label="CUSTOMER COMMUNICATION">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:cust_comm_rest</set>
      <set token="uuid">"properties.o2-Communications-ReqId"</set>
    </condition>
    <condition label="PRODUCT INVENTORY">
      <set token="sourcetyp">$value$</set>
      <set token="src">http:product_inv_rest</set>
      <set token="uuid">"properties.o2-Product-ReqId"</set>
    </condition>
  </change>
  <default>ticket_mgmt_rest</default>
  <initialValue>ticket_mgmt_rest</initialValue>
</input>
<input type="dropdown" token="token_method" searchWhenChanged="true">
  <label>Select Method:</label>
  <fieldForLabel>METHOD</fieldForLabel>
  <fieldForValue>METHOD</fieldForValue>
  <search>
    <query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST"
      | append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"]
      | append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"]
      | append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"]
      | append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"]
      | append [| makeresults | eval API="cust_comm_rest",METHOD="Alle,GET"]
      | append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"]
      | eval METHOD=split(METHOD,",") |mvexpand METHOD| table API METHOD | search API="$token_service$"</query>
  </search>
  <change>
    <condition value="Alle">
      <set token="token_method">*</set>
    </condition>
  </change>
  <default>Alle</default>
  <initialValue>Alle</initialValue>
</input>
<input type="dropdown" token="tkn_ OPERATION">
  <label>Select Operation:</label>
  <fieldForLabel>OPERATION</fieldForLabel>
  <fieldForValue>OPERATION</fieldForValue>
  <search>
    <query>| makeresults | eval API="party_interaction_rest" , METHOD="GET",OPERATION="Alle,LIST_PARTY_INTERACTIONS"
      | append [| makeresults | eval API="party_interaction_rest" , METHOD="POST",OPERATION="Alle,RETRIEVE_PARTY_INTERATION,CREATE_PARTY_INTERATION"]
      | append [| makeresults | eval API="ticket_mgmt_rest" , METHOD="GET",OPERATION="Alle,LIST_TROUBLE_TICKETS"]
      | eval OPERATION=split(OPERATION,",") |mvexpand OPERATION| table API METHOD OPERATION | search API="$token_service$" METHOD=$token_method$
    </query>
  </search>
Hi team, Is it possible to create a radial gauge panel with a time-based threshold? Suppose the threshold during office hours (8am to 6PM) is 100,200,500 and out of office hours (6PM to 8AM) is like 10,20,50. Thank you
I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched: (myField=*) gives results. EXCEPT: I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and I see the contents. But when I run a search, nada.
index=disa-cbii
Search
index=disa-cbii domain="insight.adsrvr.org"
0 Results found. Same for domain=*
Now, if we throw in spath
index=disa-cbii | spath domain | search domain="insight.adsrvr.org"
we get plenty of results. What is happening? From everything I can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable.
index=disa-cbii | table domain
works fine. How can I table something that doesn't exist?
I have upgraded my Splunk Enterprise to 9.0 and we now get a warning like this: "Some visualizations have not loaded since we detected usage of risky commands in the query." This is OK, and I know why, and this dashboard is for admin use only. So I would like to deactivate the warning for this dashboard only. That way I will get a warning if there are other dashboards with dangerous commands. But if I read the documentation, it seems that I can only disable all warnings or warnings for some commands. I would like to disable the warning per dashboard. Does anyone have a workaround? https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards?ref=hk
Hi, Could you please explain to me what happens when the deployment server stops working? How does it affect data inflow from UFs? And what components can be affected if the DS goes down? Thank You
App compilation passed successfully but fires a runtime exception:
2022-06-27 13:57:02.201 5632-5632/my.package.name E/AndroidRuntime: FATAL EXCEPTION: main
Process: my.package.name, PID: 5632
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/appdynamics/eumagent/runtime/networkrequests/OkHttp3$OkHttpClient$Constructor$INIT;
    at okhttp3.OkHttpClient$Builder.build(Unknown Source:2)
    at my.package.name.dagger.ServiceFactoryModule.provideOkHttpClient(SourceFile:7)
    at my.package.name.dagger.ServiceFactoryModule_ProvideOkHttpClientFactory.provideOkHttpClient(Unknown Source:0)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get0(SourceFile:99)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:9)
    at hf.b.get(SourceFile:5)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get1(SourceFile:92)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:8)
    at hf.b.get(SourceFile:5)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication2(SourceFile:4)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication(Unknown Source:0)
    at my.package.name.application.Hilt_MyAppApplication.onCreate(SourceFile:1)
    at my.package.name.application.MyAppApplication.onCreate(SourceFile:1)
    at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1182)
    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6460)
    at android.app.ActivityThread.access$1300(ActivityThread.java:219)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1859)
    at android.os.Handler.dispatchMessage(Handler.java:107)
    at android.os.Looper.loop(Looper.java:214)
    at android.app.ActivityThread.main(ActivityThread.java:7356)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
Caused by: java.lang.ClassNotFoundException: com.appdynamics.eumagent.runtime.networkrequests.OkHttp3$OkHttpClient$Constructor$INIT
    at okhttp3.OkHttpClient$Builder.build(Unknown Source:2)
    at my.package.name.dagger.ServiceFactoryModule.provideOkHttpClient(SourceFile:7)
    at my.package.name.dagger.ServiceFactoryModule_ProvideOkHttpClientFactory.provideOkHttpClient(Unknown Source:0)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get0(SourceFile:99)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:9)
    at hf.b.get(SourceFile:5)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get1(SourceFile:92)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:8)
    at hf.b.get(SourceFile:5)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication2(SourceFile:4)
    at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication(Unknown Source:0)
    at my.package.name.application.Hilt_MyAppApplication.onCreate(SourceFile:1)
    at my.package.name.application.MyAppApplication.onCreate(SourceFile:1)
    at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1182)
    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6460)
    at android.app.ActivityThread.access$1300(ActivityThread.java:219)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1859)
    at android.os.Handler.dispatchMessage(Handler.java:107)
    at android.os.Looper.loop(Looper.java:214)
    at android.app.ActivityThread.main(ActivityThread.java:7356)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
2022-06-27 13:57:04.477 1840-5714/? E/ResolverController: No valid NAT64 prefix (101, <unspecified>/0)
2022-06-27 13:57:04.822 1840-5715/? E/ResolverController: No valid NAT64 prefix (101, <unspecified>/0)
2022-06-27 13:57:06.371 5632-5677/my.package.name E/FirebaseInstanceId: Failed to get FIS auth token
Before the AGP version update, the :myapp:transformClassesWithAppDynamicsForRelease task was successful without any warning. After the AGP plugin update it is giving a warning from R8 >
WARNING:R8: Missing class com.appdynamics.eumagent.runtime.networkrequests.OkHttp3$Request$Builder$build (referenced from: okhttp3.Request 
Hi,  After upgrading Splunk Enterprise, I am no longer able to see events coming in for a certain dashboard. How am I able to check if the forwarder that was previously sending the data is still working?
Our monitoring console is also acting as a deployment server. As per the SVD-2022-0608 vulnerability, we need to upgrade our deployment server to v9.x. However, considering it's sharing the role of monitoring console as well, I was wondering whether MC supports compatibility with peers on v8.1.5? From the docs, it states "The search head must be at the same or a higher level than the search peers." So it looks like it may be possible. Can someone please advise if there would be any issues with this?
Hello, I extracted a number of fields through the SPLUNK web interface (see below) using REGEX/REX (see below). All fields are extracted as expected and show no errors in preview, but none of the extracted fields are showing up from the search head (or in my search). Any thoughts? Your recommendation will be highly appreciated. Thank you so much.
Extracted through this SPLUNK Web Interface:
Sample Data
TESTUser|TESTSYSTEM|DNSTEST|USERTEST|CREATE_SUPER_USER_GROUP|TEST_ELEMENT<GROUP_NAME_group3>|19e4e88e-7fb1-4309-b8a3-93180e41ef86|76.253.69.172|00||2022-04-14T23:59:33.059-0400|{dsUrn: testgroup:'da04c367-b41c-421a-85e1-d5ab759c0c82'}|NA|||||10.207.92.23|23|
TESTUser|TESTSYSTEM|DNSTEST|USER|VIS_EXPORT_EXCEL|TEST_ELEMENT<DNSTES_801482320>|ce01fdc2-2bbe-45ef-845b-f79576e215bf|65.144.148.136|00||2022-05-09T10:21:44.021-0400|{dsUrn: testgroup:'6f10e8f8-100b-4482-9b09-10e18504924c'}|NA|||||10.207.92.23|23|23as
REGEX/REX
^(?P<UserID>\w*)\|(?P<UserType>\w*)\|(?P<System>\w*)\|(?P<EventType>\w*)\|(?P<EventId>[^\|]*)\|(?P<Subject>[^\|]*)\|(?P<SID>[^\|]*)\|(?P<IPAddr>[^\|]*)\|(?P<EventStatus>[^\|]*)\|(?P<Msg>[^\|]*)\|(?P<TimeStamp>[^\|]*)\|(?P<DATA>[^\|]*)\|(?P<Period>[^\|]*)\|(?P<MCode>[^\|]*)\|(?P<Type>[^\|]*)\|(?P<Type2>[^\|]*)\|(?P<DeviceId>[^\|]*)\|(?P<DesIP>[^\|]*)\|(?P<Code>[^\|]*)\|(?P<Headers>.*)
I have two types of events which start with the two formats below:
2022-01-18 15:20:42,727, xyz........................
[Sun Mar 16 15:21:18.350517 2022], xyz.................
What do I need to write in props.conf to see both types of events?
We have multiple search heads, all identical, on the Windows platform, and one of them frequently, but not always, just keeps saying "Splunkbase login timed out" when I try to use the web console to upgrade the add-on apps to the recommended latest versions. What gives?
We upgraded our Splunk search heads from 8.x to 9.x and our customers report a discrepancy in their IPGeo location searches, where version 8.x.x was reporting a different city for the same IP address than 9.x.x is reporting. I thought, OK, let me go upgrade whatever IPGeo add-on app to the latest version (or to the same version on both Splunk servers), but I don't know what app I am looking for, or even if that is a separate app or somehow part of the general Splunk code. Your feedback is greatly appreciated.
All our search heads have dual processors in them, but Splunk seems to only recognize one in each of the three servers, based on the number of CPU cores it reports in the Monitoring Console web GUI. Can Splunk use more than one processor?
Hello, as you can see, I use a token in order to drilldown from a table panel to another table panel
<drilldown>
  <set token="host">$click.value$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>% de paquets VMware perdus</title>
<search>
<query>`index`(sourcetype=netproc_tcp" host=$host$
but when I refresh the dashboard my second panel says "waiting for input". Is there a solution to always display the events in the second panel and to drilldown when I click on the token field? Thanks
Hello, I am trying to get a list of values using max_match=5. However I need the results to only return unique values and not just list 5 values regardless of them being duplicates.
| rex max_match=5 (?P<BrandID>(202\d.+?))\" |table BrandID
Your help and energy is greatly appreciated. Thank you, Spencer Neal
I need to combine the country count on a daily basis. If I am using count: If I am using time series: In time series the results are not proper. Can I change the x and y axis in time series?
Hello, I have some issues with field extractions and getting error messages. Sample data, extraction codes (REGEX), and error messages provided below. Any recommendation would be highly appreciated. Thank you so much, appreciate your support in these efforts.
Sample Data:
TESTUser|TESTSYSTEM|DNSTEST|USERTEST|CREATE_SUPER_USER_GROUP|TEST_ELEMENT<GROUP_NAME_group3>|19e4e88e-7fb1-4309-b8a3-93180e41ef86|76.253.69.172|00||2022-04-14T23:59:33.059-0400|{dsUrn: testgroup:'da04c367-b41c-421a-85e1-d5ab759c0c82'}|NA|||||10.207.92.23|23|
TESTUser|TESTSYSTEM|DNSTEST|USER|VIS_EXPORT_EXCEL|TEST_ELEMENT<DNSTES_801482320>|ce01fdc2-2bbe-45ef-845b-f79576e215bf|65.144.148.136|00||2022-05-09T10:21:44.021-0400|{dsUrn: testgroup:'6f10e8f8-100b-4482-9b09-10e18504924c'}|NA|||||10.207.92.23|23|23as
TESTUser|TESTSYSTEM|DNSTEST|USERTEST|IMPERSONATE_USER|TEST_ELEMENT<USERNAME_TESTUser4>|c594626f-e6e9-4abd-9e0b-fa9861c47285|236.214.26.15|00||2022-05-10T07:52:48.052-0400|{dsUrn: testgroup:'DNS -3ac6-4e92-b50b-e903961f5894'}|NA|||||10.207.92.23|23|
TESTUser1TESTUser|TESTSYSTEM|DNSTEST|USER|VIS_SAVE|TEST_ELEMENT<UNVERIFIED_648656466>|5143518f-dc60-433b-a0cc-2fa024b25360|241.254.244.33|00||2022-05-02T05:01:58.001-0400|{dsUrn: testgroup:'157c4534-d970-4b7b-9181-1bddb8f7a670'}|NA|||||10.207.92.23|23|
|TESTSYSTEM|DNSTEST|USERTEST|ENABLE_USER|TEST_ELEMENT<USERNAME_TESTUser1>|2923b00c-0a95-465d-85aa-3af5387e992c|19.173.21.53|00||2022-05-29T12:13:26.013-0400|{dsUrn: 'DNS', groupId:'49de37d5-ea28-45ba-be52-84d933425636'}|NA|||||10.207.92.23|23|
TESTUser6|TESTSYSTEM|DNSTEST|USERTEST|ENABLE_USER|TEST_ELEMENT<USERNAME_TESTUser5>|0f1ba654-03bf-DNS-ac8f-8f5185232d42|245.236.181.176|00||2022-04-09T02:14:23.014-0400|{dsUrn: testgroup:'b6a89e91-ac03-4641-a3bc-166d013df252'}|NA|||||10.207.92.23|23|
TESTUser2|TESTSYSTEM|DNSTEST|USERTEST|UPDATE_TESTDATA|TEST_ELEMENT<USERNAME_TESTUser>|0acf2593-d7ee-4ba8-bf4e-29a4d4adcdaf|213.184.95.84|01|Failed to update TESTDATA. TESTDATA.|2022-03-12T08:03:19.003-0500|{dsUrn: 'gp', groupId:'9850940e-ff7b-4b77-820b-8d0472933c4a'}|NA|||||10.207.92.23|500|2w1
TESTUser|TESTSYSTEM|DNSTEST|USERTEST|CREATE_SUPER_USER_GROUP|TEST_ELEMENT<GROUP_NAME_group3>|9717a152-3809-416a-87a3-e9a4bc9b01a9|14.22.163.187|00||2022-03-19T10:34:35.034-0400|{dsUrn: 'DNSTEST', groupId:'cf9263ba-aff7-4e34-98c1-a09d17aaf8d6'}|NA|||||10.207.92.23|23|header12
REGEX
(?P<UserID>.*?)\|(?P<UserType>.*?)\|(?P<System>.*?)\|(?P<EventType>.*?)\|(?P<EventId>.*?)\|(?P<Subject>.*?)\|(?P<SID>.*?)\|(?P<IPAddr>.*?)\|(?P<EventStatus>.*?)\|(?P<Msg>\w*?)\|(?P<TimeStamp>.*?)\|(?P<DATA>.*?)\|(?P<Period>.*?)\|(?P<MCode>.*?)\|(?P<Type>.*?)\|(?P<Type>.*?)\|(?P<DeviceId>.*?)\|(?P<DesIP>.*?)\|(?P<Code>.*?)\|(?P<Headers>.*?)
Error Messages:
Hi Users, I have to create a gauge component to show the available memory in the system. As we know, the gauge component takes only a single numeric value. So I need to extract the single numeric value from the latest event. My real time search event format is as follows:
INFO c.h.i.d.HealthMonitor - [100.64.29.192]:5701 [gfms] [3.12.9] processors=1, physical.memory.total=4.0G, physical.memory.free=3.4M, swap.space.total=0, swap.space.free=0, heap.memory.used=1.8G, heap.memory.free=1.3G, heap.memory.total=3.1G, heap.memory.max=4.0G, heap.memory.used/total=58.78%, heap.memory.used/max=45.22%, minor.gc.count=0, minor.gc.time=0ms, major.gc.count=0, major.gc.time=0ms, load.process=0.00%, load.system=72.25%, load.systemAverage=6.00,
In order to update the Gauge component, I need to extract the value field of the "physical.memory.free" property from the recent search event. Could you guys please let me know the Splunk query for it?
Does anybody know why, while I am able to get results when running a query with any field in Splunk, I am getting an empty result when trying to run the same query for particular fields with the Java SDK? Does that mean some fields are special somehow?
Sample query:
search field1=value1
Java code:
JobArgs jobArgs = new JobArgs();
jobArgs.setEarliestTime("-1m@m");
String query = "search field1=value1";
Job job = splunkService.getJobs().create(query, jobArgs);
// Poll until the search job has finished
while (!job.isDone()) {
    Thread.sleep(500);
}
JobResultsArgs resultsArgs = new JobResultsArgs();
resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
job.getResults(resultsArgs);