I have been tasked with implementing a system to monitor our application and alert whenever a page load takes longer than a specified threshold. I need to be able to determine what is causing the slow performance (application vs database vs infrastructure) and create a support ticket routed to the appropriate time. It looks like there are two potential options for this on the Splunk products page: Splunk Observability Cloud or Splunk APM. Is anyone able to advise me on which of these products would be a better fit for what I'm looking to do?

Hello, team! I need your help with my search.  I have a search which collects the list of ip-addresses, and next I need to check if there is event in other index with this ip-address. if there is a corresponding event, it's okay, if not - alert. How to implement it better?

Hi Team, I have created two panels My first panel details are: <query> <![CDATA[index=abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$ |rex field=_raw "operation:(?P<Operation>.*), serviceResponseStatus" |rex field=_raw "caller:(?P<Caller>.*) =" |rex field=_raw "serviceResponseTime\(ms\)=(?P<Response_Time>.*)" | eventstats count by Caller|rename Caller as "GRS Caller" |lookup ApplicationRef.csv GRSCaller as "GRS Caller" OUTPUT DisplayName |rename "GRS Caller" as "GRSCaller" |eval CallerName=If(isnull(DisplayName),GRSCaller,DisplayName) | table CallerName Operation Response_Time serviceResponseStatus date|rename CallerName as "GRS Caller" | rename date as "Date" | rename serviceResponseStatus as "Response_Status"|sort - Date]]> <drilldown> <set token="show_panel1">true</set> <set token="selected_value">$click.value$</set> </drilldown>   From this I am getting details as below: GRS Caller   Operation   ResponseTime   Status         Date OneForce     ls                       286 ms                   Success    2022-06-27 OneForce     dmrupload      381 ms                    Failure   2022-06-27   I want when I click on 1st row the detailed description of 1st row should come. Can someone guide me what query I can make for 2nd panel extraction Currently I have make this but its not working   <row> <panel depends="$show_panel1$"> <table> <title>Caller Details1</title> <search> <query>abc ns=blazegateway app_name=blazecrsgateway* "serviceResponseStatus" $Ope$ $caller$ $status$ $selected_value$ </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="count">100</option> </table> </panel> </row>  

Hi Team, While exploring Splunk documentation and few scenarios , noticed that there is Rest approach to extract  saved one.  But i would like to extract unsaved ( adhoc ) searches performed to understand patterns and load 1. Unsaved searches performed on given index or all indexes along with the query used.  I found below threads which can be used to fetch saved searches  https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-apps-using/m-p/162615  https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-without/m-p/508688 Is there any Rest based query which can be used for extracting to find adhoc searches performed on splunk to understand load patterns.      

Hi , I have  4 fields and those need to be in a tabular format .Out of which one field has the ratings which need to be converter to column to row format with count and rest 3 columns need to be same . I have tried using transpose and xyseries but not able to achieve in both . Ex : current table format Name Domain Area Rating Nsp -1 IT End user service H NSP-2 IT Mainframe M NTS-10 G&A ENT L NTL -05 EPP Distributed M WMC-04 AES corp L   How this can be changed to the below format using splunk search , Expected table format : Name Domain Area Rating(H) count Rating(M) count  Rating(L) count Nsp -1 IT End user service 1 0 0 NSP-2 IT Mainframe 0 1 0 NTS-10 G&A ENT 0 0 1 NTL -05 EPP Distributed 0 1 0 WMC-04 AES corp 0 0 0   Please let me know how to achieve this in using Splunk search.

Hi, I want to get back Token id from the Curl command below : curl -k -u UserName:Password -X POST https://0.0.0.0:8089/services/authorization/tokens But , I am  getting back : <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Unauthorized</msg> </messages> </response>   Can anyone help how to resolve this case , what is missing in Curl command or what is wrong ?  

Hello Splunk Experts ,   I have following dashboard    I want to filter dropdown "Select Operation" on basis of API and Method dropdown selection ,but I am getting 'duplicate values causing conflict' error. Below is my code :   <input type="dropdown" token="token_service" searchWhenChanged="true"> <label>Select API:</label> <choice value="party_interaction_rest">PARTY INTERACTION</choice> <choice value="ticket_mgmt_rest">TICKET MANAGEMENT</choice> <choice value="customer_management_rest">CUSTOMER MANAGEMENT</choice> <choice value="agreement_management_rest">AGREEMENT MANAGEMENT</choice> <choice value="product_order_rest">PRODUCT ORDER</choice> <choice value="cust_comm_rest">CUSTOMER COMMUNICATION</choice> <choice value="product_inv_rest">PRODUCT INVENTORY</choice> <change> <condition label="PARTY INTERACTION"> <set token="sourcetyp">$value$</set> <set token="src">http:party_interaction_rest</set> <set token="uuid">"properties.o2-PartyInteraction-ReqId"</set> </condition> <condition label="TICKET MANAGEMENT"> <set token="sourcetyp">$value$</set> <set token="src">http:ticket_mgmt_rest</set> <set token="uuid">"properties.o2-TroubleTicket-ReqId"</set> </condition> <condition label="CUSTOMER MANAGEMENT"> <set token="sourcetyp">$value$</set> <set token="src">http:customer_management_rest</set> <set token="uuid">"properties.o2-CustomerManagement-ReqId"</set> </condition> <condition label="AGREEMENT MANAGEMENT"> <set token="sourcetyp">$value$</set> <set token="src">http:agreement_management_rest</set> <set token="uuid">"properties.o2-Agreement-ReqId"</set> </condition> <condition label="PRODUCT ORDER"> <set token="sourcetyp">$value$</set> <set token="src">http:product_order_rest</set> <set token="uuid">"properties.o2-ProductOrder-ReqId"</set> </condition> <condition label="CUSTOMER COMMUNICATION"> <set token="sourcetyp">$value$</set> <set token="src">http:cust_comm_rest</set> <set token="uuid">"properties.o2-Communications-ReqId"</set> </condition> <condition label="PRODUCT INVENTORY"> <set token="sourcetyp">$value$</set> <set token="src">http:product_inv_rest</set> <set token="uuid">"properties.o2-Product-ReqId"</set> </condition> </change> <default>ticket_mgmt_rest</default> <initialValue>ticket_mgmt_rest</initialValue> </input> <input type="dropdown" token="token_method" searchWhenChanged="true"> <label>Select Method:</label> <fieldForLabel>METHOD</fieldForLabel> <fieldForValue>METHOD</fieldForValue> <search> <query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST" | append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"] | append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"] | append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"] | append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"] | append [| makeresults | eval API="cust_comm_rest",METHOD="Alle,GET"] | append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"] | eval METHOD=split(METHOD,",") |mvexpand METHOD| table API METHOD | search API="$token_service$"</query> </search> <change> <condition value="Alle"> <set token="token_method">*</set> </condition> </change> <default>Alle</default> <initialValue>Alle</initialValue> </input> <input type="dropdown" token="tkn_ OPERATION"> <label>Select Operation:</label> <fieldForLabel>OPERATION</fieldForLabel> <fieldForValue>OPERATION</fieldForValue> <search> <query>| makeresults | eval API="party_interaction_rest" , METHOD="GET",OPERATION="Alle,LIST_PARTY_INTERACTIONS" | append [| makeresults | eval API="party_interaction_rest" , METHOD="POST",OPERATION="Alle,RETRIEVE_PARTY_INTERATION,CREATE_PARTY_INTERATION"] | append [| makeresults | eval API="ticket_mgmt_rest" , METHOD="GET",OPERATION="Alle,LIST_TROUBLE_TICKETS"] | eval OPERATION=split(OPERATION,",") |mvexpand OPERATION| table API METHOD OPERATION | search API="$token_service$" METHOD=$token_method$ </query> </search>      

Hi team, Is it possible to created radial guage panel with time based threshold. suppose the threshold between office hours(8am to 6PM) is 100,200,500 and out of office hours(6PM to 8M) be like 10,20,50 Thank you

I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched (myField=*) gives results. EXCEPT: I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and i see the contents. But when I run a search, nada.   index=disa-cbii   Search    index=disa-cbii domain="insight.adsrvr.org"   0 Results found. Same for domain=* Now, if we throw in spath   index=disa-cbii | spath domain | search domain="insight.adsrvr.org"   we get plenty of results. What is happening? From everything i can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable.    index=disa-cbii | table domain    works fine. How can I table something that doesn't exist?

I have upgraded my Splunk Enterprise to 9.0 and we now get warning like this: Some visualizations have not loaded since we detected usage of risky commands in the query. This is OK,  and I now why and this dashboard is for admin use only.   So I like to Deactivate the warning for this dashboard only.  That way I will get warning if there are other dashboard with dangerous commands.  But if I read the documentation, it seems that I can only disable all warning or warning for some commands.  I would like to disable warning pr dashboard.  Anyone has a workaround? https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards?ref=hk

App compilation passed successfully but fire a runtime exception 2022-06-27 13:57:02.201 5632-5632/my.package.name E/AndroidRuntime: FATAL EXCEPTION: main Process: my.package.name, PID: 5632 java.lang.NoClassDefFoundError: Failed resolution of: Lcom/appdynamics/eumagent/runtime/networkrequests/OkHttp3$OkHttpClient$Constructor$INIT; at okhttp3.OkHttpClient$Builder.build(Unknown Source:2) at my.package.name.dagger.ServiceFactoryModule.provideOkHttpClient(SourceFile:7) at my.package.name.dagger.ServiceFactoryModule_ProvideOkHttpClientFactory.provideOkHttpClient(Unknown Source:0) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get0(SourceFile:99) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:9) at hf.b.get(SourceFile:5) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get1(SourceFile:92) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:8) at hf.b.get(SourceFile:5) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication2(SourceFile:4) at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication(Unknown Source:0) at my.package.name.application.Hilt_MyAppApplication.onCreate(SourceFile:1) at my.package.name.application.MyAppApplication.onCreate(SourceFile:1) at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1182) at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6460) at android.app.ActivityThread.access$1300(ActivityThread.java:219) at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1859) at android.os.Handler.dispatchMessage(Handler.java:107) at android.os.Looper.loop(Looper.java:214) at android.app.ActivityThread.main(ActivityThread.java:7356) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930) Caused by: java.lang.ClassNotFoundException: com.appdynamics.eumagent.runtime.networkrequests.OkHttp3$OkHttpClient$Constructor$INIT at okhttp3.OkHttpClient$Builder.build(Unknown Source:2)  at my.package.name.dagger.ServiceFactoryModule.provideOkHttpClient(SourceFile:7)  at my.package.name.dagger.ServiceFactoryModule_ProvideOkHttpClientFactory.provideOkHttpClient(Unknown Source:0)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get0(SourceFile:99)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:9)  at hf.b.get(SourceFile:5)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get1(SourceFile:92)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC$SwitchingProvider.get(SourceFile:8)  at hf.b.get(SourceFile:5)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication2(SourceFile:4)  at my.package.name.application.DaggerMyAppApplication_HiltComponents_SingletonC.injectMyAppApplication(Unknown Source:0)  at my.package.name.application.Hilt_MyAppApplication.onCreate(SourceFile:1)  at my.package.name.application.MyAppApplication.onCreate(SourceFile:1)  at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1182)  at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6460)  at android.app.ActivityThread.access$1300(ActivityThread.java:219)  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1859)  at android.os.Handler.dispatchMessage(Handler.java:107)  at android.os.Looper.loop(Looper.java:214)  at android.app.ActivityThread.main(ActivityThread.java:7356)  at java.lang.reflect.Method.invoke(Native Method)  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)  2022-06-27 13:57:04.477 1840-5714/? E/ResolverController: No valid NAT64 prefix (101, <unspecified>/0) 2022-06-27 13:57:04.822 1840-5715/? E/ResolverController: No valid NAT64 prefix (101, <unspecified>/0) 2022-06-27 13:57:06.371 5632-5677/my.package.name E/FirebaseInstanceId: Failed to get FIS auth token Before AGP version update :myapp:transformClassesWithAppDynamicsForRelease task was successful without any warning. After the AGP plugin update it is giving a warning from R8 >  WARNING:R8: Missing class com.appdynamics.eumagent.runtime.networkrequests.OkHttp3$Request$Builder$build (referenced from: okhttp3.Request 

Hi,  After upgrading Splunk Enterprise, I am no longer able to see events coming in for a certain dashboard. How am I able to check if the forwarder that was previously sending the data is still working?