Hello, The reason for my question is that I have installed the database agent, but on the Controller, I can't see queries and activities. When I take a look at the logs, I have the following: and on controller UI I get this message: Thanks for your Help!

Hi all, new to splunk, we are regularly burning down our heavy forwarders and as such the IPs change regularly. I need a way to keep the UFs pointed at the HFs but ive read that using an AWS ELB isnt recommended. To add to the challenge we have to keep everything encrypted over TLS. what is the recommended way to handle ips changing all the time when managing hundreds of UFs? how do people ensure that the UFs are always talking to the geographically nearest HFs? many thanks Oz

Hello,  I'm dealing with an issue for one of my forwarders. I have13 forwarders that are all showing in my search app in the proper format. For some reason, the forwarder that also happens to be our primary domain controller is only using a source and sourcetype of xml files. Is there a way to troubleshoot this?

I want to get an API usage report per user and I am struggling with the Splunk Query for this, can someone please help with the query, I tried using rex but didn't get through.   In my app logs, I have a text like - U87XXXX:ddddffggggggsss.REG.Currency [RestInterceptor]: RestRequest: URI : https://abc.net/api/curr ........  RequestBody: {"loginId": "U87XXXX"}   I want the output as UserID                     URL                                                 COUNT  U87XXXX        https://abc.net/api/curr                    5 U78XXXX       https://abc.net/api/xyz                     11    Thanks in advance.

Hi. I have log with different messages. I want to understand which line appears the most times in the log. Please help me   Here you can see example to 4 lines from the log: '2022-04-14 05:11:53,833',SmartX.ControlUp.Client.CacheActivityListener,'[Connections#12]','DEBUG','[OnDBTransaction] IsEntityInBlackList: Entity= Processes blackList is empty.' '2022-04-14 05:11:53,833',SmartX.ControlUp.Client.AlertsFactory,'[Observables#18]','INFO','GetInvokedTrigger ShouldBeInvoked ==> Session, for trigger id = 3cb3a80e-0d64-4585-a255-9c554d534deb, trigger name = AAS_Session State - Active to Idle - BLK' '2022-04-14 05:11:53,848',SmartX.ControlUp.Client.AlertsFactory,'[Observables#18]','DEBUG','ExamineAdvancedTriggersInternal - ret is true, trigger was added, trigger id = 3cb3a80e-0d64-4585-a255-9c554d534deb, trigger name = AAS_Session State - Active to Idle - BLK' '2022-04-14 05:11:53,833',SmartX.ControlUp.Client.CacheActivityListener,'[Connections#12]','DEBUG','[OnDBTransaction] IsEntityInBlackList: Entity= Processes blackList is empty.' I want receive statistic data about each raw how many times it appears in the log. Of course in my log are much more than 4 different lines

Hello, How to integrate Appdynamics with Jaspersoft to create formatted reports (Dashboards and tables)? I used the following article as guideline https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-retrieve-metrics-and-so-I-can-display-them-with/ta-p/39478 But it worked when I created a "Data Adapter" as "JSON URL/File" It worked in some table cases, but not all dashboards of Jaspersoft community edition. Also, It did not work on "Web Data Source" via Jaspersoft Pro Edition!

Hi, I need some help. We have been using Splunk for MongoDB alert for a while, now the new MongoDB version we are upgrading to is changing the log format from text to JSON. I need to alter the alert in Splunk so that it will continue to work with the new JSON log format. Here is an example of a search query in one of the alert we have now: index=googlecloud* source="projects/dir1/dir2/mongodblogs" data.logName="projects/dir3/logs/mongodb" data.textPayload="* REPL *" NOT "catchup takeover" | rex field=data.textPayload "(?<sourceTimestamp>\d{4}-\d*-\d*T\d*:\d*:\d*.\d*)-\d*\s*(?<severity>\w*)\s*(?<component>\w*)\s*(?<context>\S*)\s*(?<message>.*)" | search component="REPL" message!="*took *ms" message!="warning: log line attempted * over max size*" NOT (severity="I" AND message="applied op: CRUD*" AND message!="*took *ms") | rename data.labels.compute.googleapis.com/resource_name as server | regex server="^preprod0[12]-.+-mongodb-server8*\d$" | sort sourceTimestamp data.insertId | table sourceTimestamp server severity component context message   The content of the MongoDB log is under data.TextPayload, currently is being formatted using regex and split into 5 groups with labels and then we search from each group for the string or message that we want to be alerted on. The new JSON format log looks like this: {"t":{"$date":"2022-04-19T07:50:31.005-04:00"},"s":"I", "c":"REPL", "id":21340, "ctx":"RstlKillOpThread","msg":"State transition ops metrics","attr":{"metrics":{"lastStateTransition":"stepDown","userOpsKilled":0,"userOpsRunning":4}}} I need to split them into 7 groups, using comma as delimiter and then search from each group using the same search criteria. I have been trying and testing for 2 days, I'm new to Splunk and not very good in regex. Any help would be appreciated. Thanks ! Sally

Hi Team,    We have splunk dashboard created by using dashboard beta app. just would like to know is that possible to increase the size of the page. As we have customized more than 10 panels after we save the dashboard and try to download couldn't see the last few panels. will that be possible to increase the size.?

Hi, I have a requirement where I want to create an alert on some of my APIs which are being monitored in Splunk. I've created a search which checks the success/failures of each API and then calculates the failure rate and if that is more than 10% then it triggers the alert. Now what is happening is the alerts gets triggered even for bigger blips when they are only for short duration. Like there is a high increase in error rate for 5 mins and then it gets recovered itself. I don't want to trigger the alert in that situation because it will make unnecessary callouts to people for investigation which is not required. How can i create alert which runs every 30 mins and looks into the failure rate consistently for each 5 mins in the last 30 minutes period. So if the failure rate is consistent for more than 15/20 mins then only trigger the alert. This is my base search     index=api_prod (message.httpResponseCode=50* OR message.httpResponseCode=20*) | rename message.serviceName as serviceName message.httpResponseCode as httpResponseCode | stats count as totalrequests count(eval(like(httpResponseCode, "20%"))) as successrequest count(eval(like(httpResponseCode, "50%"))) as failedrequest by serviceName | eval Total = successrequest + failedrequest | eval failureRatePercentage = round(((failedrequest/totalrequests) * 100),2) | where failureRatePercentage > 10 | fields - Total |table serviceName,totalrequests,successrequest,failedrequest,failureRatePercentage     Any guidance is really appreciated. Best Regards, Shashank

Any ideas how to resolve this one guys ? I'm getting 1 error every min ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventMon::enumEvtLogChannels: Failed to enumerate event log channels: '(1717)'.

I found many errors from _internal log ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-regmon.exe" splunk-regmon - WinRegistryMonitor::configure: Failed to get configuration settings: 'Regex: number too big in {} quantifier' Any ideas how to resolve this error?

Hello All,   I having issue with data due to DST timezone update since 29 March as data is coming one hour late in splunk and due to that we are getting false alert. Can someone guide me how can we update the timezone in DB connect app? also again do we need to make it to default after DST end? Appreciating your help.