All Topics

Hello guys! I need help with some dashboards; basically I don't even know if what I have to do is possible or not... I have a choropleth map where countries are colored based on a status field using the geom command (I have attached an example). When a user clicks on one of the colored countries, a new dashboard should appear with a new map of the selected country. In this map I have to put, based on lat and lon (that I have), some icons with a specific color (icons and color are based on two fields). I'm struggling just with charting only a country map and not the entire planisphere, and I also have no idea if it's possible to put custom icons on it. Thanks in advance to anyone who can help! Below is an example of the table that I have for doing the second dashboard:

Country (selected by the user from the first dashboard) | Lat | Lon | Icon Type | Icon Color
Italy | number | number | ballon | red
Italy | number | number | umbrella | yellow

I have a time picker on my dashboard called timePicker. There are some pie charts that are populated based on the earliest and latest of the time picker. That part works great. However, I have on the same dashboard a line graph that shows counts over hour by day for the last 7 days. That earliest and latest is set static like this ...

earliest=-7D@d latest=now

Ideally I would like the line graph to not just show the previous seven days before now, but the previous seven days based on the time picker. The latest part is easy. I could do this ...

earliest=-7D@d latest=$timePicker.latest$

My trouble is with earliest. I need to subtract 604800 from it (seven days' worth of seconds). I tried this, but it doesn't seem to work.

[stats count | eval early=$$timePicker.earliest$$ | eval earliest=early-604800 | fields earliest] latest=$timePicker.latest$

I doubled $ for the earliest token to escape it out because it is used in a dashboard ... I read somewhere that $ needs to be escaped. Anyway, I get no results. I'm sure my syntax is wrong or maybe I'm going about it wrong. Anyone have any thoughts on how to do this? I guess another thought would be to create a token when the time picker is selected that calculates $timePicker.earliest$ - 604800 but I'm not sure if that is possible or how to do it. Any help would be much appreciated. Thanks.

Is there a way to upload the BOTS data set to my cloud environment so my team can practice regularly? I'm looking for a way to have this data remain persistent. 
Hi, I have a trellis which I need to enable drilldown on which should launch a custom search using a token determined by which part of the trellis is being clicked. Here is my code which is not working. I've tried $trellis.name$ and $trellis.value$ but neither works... Any help much appreciated!

<single id="singleTrellis2">
  <title>Breakdown of Packaged Win10 Applications</title>
  <search>
    <query>| inputlookup SCCM_data
| search DevicesWithApp_2012&gt;0 AND Retired!=TRUE "Organization Name"="$dept$" "Level 01 Organization Name"="$division$"
| dedup SoftwareName
| eval label="_"
| search Packaged_2016=TRUE
| fillnull value="To_Be_Reviewed" Proven
| eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven)
| eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven)
| eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven)
| rename Proven as Proven?
| stats count by Proven?
| transpose header_field=Proven? column_name=Proven?
| fields - Proven?</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <option name="drilldown">all</option>
  <option name="height">120</option>
  <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
  <option name="refresh.display">progressbar</option>
  <option name="trellis.enabled">1</option>
  <option name="trellis.size">small</option>
  <option name="trellis.splitBy">_aggregation</option>
  <option name="useColors">0</option>
  <drilldown>
    <set token="proven">$trellis.name$</set>
    <link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$proven$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link>
  </drilldown>
</single>

Hi, everyone. I am new to Splunk. I have an environment with a 3-node indexer cluster + cm + Search Head. I am wondering which instance I should send my request to when using the REST API? I have checked the API reference and the API User tutorial, trying to figure out which endpoint is for which instance, but no luck. It seems all HTTPS requests are sent to localhost:8089? Please help. Thanks.
Hi, I want to count the LOGLEVEL only for weekdays. If there are no logs then the query should return '0'. Can you please help me to correct this query?

index="XYZ" sourcetype=Logs LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO|eval Day=strftime(_time,"%w")| eval DayType=if((Day >=0) AND (Day <=6) ,"WeeekDay","WeekEnd") | If(DayType=="WeekDay", count(LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO),'0')

Regards, Syed

Hello, I use a click value token on my timechart in order to display details. It works, but now what I need is: when I click on a specific bar of my timechart (meaning a bar for a specific day), I need to display only the data for this date. How can I do this, please?

<search>
  <query>index=tutu sourcetype=toto ezconf=$ezconf$ | timechart span=1d count(hang)as hang</query>
  <earliest>-7d@h</earliest>
  <latest>now</latest>
</search>
<drilldown>
  <set token="hang">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel depends="$hang$">
<title></title>
<table>
<title></title>
<search>
  <query>index=toto sourcetype=tutu ezconf=$ezconf$ | eval time = strftime(_time, "%d-%m-%y %H:%M") | sort - time | table time hang</query>
  <earliest>-7d@h</earliest>
  <latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>

Hello, I have a field that does not return results when searching for a specific string. I need to combine two searches so I will be able to return this field + other results from the search with the specific string. This is my query:

sourcetype=clientlogs OR sourcetype="client-logs-api" Categories="Login" | stats count(eval( Message="Unable to load " OR Message="Unable to load from SDK")) as Faliure, values(Message) as Message values(IPAddress) as IPAddress, values(Url) as url by Country SessionGuid | appendpipe [ stats sum(Faliure) as Faliure | fillnull value=0 Faliure | eval Country="TOTAL" ] | appendpipe [ stats count(SessionGuid) as FailedSessions | eval Country="TOTAL",Faliure="Faliure"] ] | table SessionGuid IPAddress Country Faliure Message FailedSessions url | sort - Faliure

I need to add the field CID, which returns no results when searching for the message at the beginning of the query. How can I join them together so I will also see the values of CID in the table?

Hi, I recently updated my AppDynamics package for nodejs from version 4.x.x to 20.4.0 and tested it out locally, where it works perfectly, but when I created a docker image to deploy on my server it seems to not work. The main issue I think is due to MongoDB. Can someone please take a look and tell me what the issue could be? I found a ticket "NODEJS-103" in the past resolved issues, so can anyone explain this ticket in detail? I have provided a stack trace of my nodejs API.

stack trace
-----------------------------------------------
qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | 17.01.2022 10:18:15.99 | error | RestInterface | app.js | uncaughtException | uncaught exception
qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | {"name":"RestInterface","hostname":"15e77919f4f4","pid":1,"level":50,"fs":"app.js","func":"uncaughtException","error":{},"stack":"TypeError: Cannot read property 'api' of undefined\n at Profiler.agent.profiler.addExitCall (/opt/app-root/node_modules/appdynamics/lib/libagent/libagent-connector.js:562:21)\n at MongodbProbe.addExitCall (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:364:14)\n at Instrumentation.<anonymous> (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:120:14)\n at Instrumentation.emit (events.js:182:13)\n at MongoClient.on.event (/opt/app-root/node_modules/mongodb/lib/apm.js:18:60)\n at MongoClient.emit (events.js:182:13)\n at ReplSet.topology.on (/opt/app-root/node_modules/mongodb/lib/operations/connect.js:661:19)\n at ReplSet.emit (events.js:182:13)\n at ReplSet.<anonymous> (/opt/app-root/node_modules/mongodb/lib/topologies/replset.js:281:14)\n at ReplSet.emit (events.js:182:13)\n at Server.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Server.emit (events.js:182:13)\n at Pool.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Pool.emit (events.js:182:13)\n at operation.cb (/opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:928:16)\n at /opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:420:18\n at appd_proxy (/opt/app-root/node_modules/appdynamics/lib/core/appDProxy.js:431:22)\n at process._tickCallback (internal/process/next_tick.js:61:11)","msg":"uncaught exception","time":"2022-01-17T10:18:15.992Z","v":0}
(/opt/app-root/node_modules/appdynamics/lib/core/appDProxy.js:431:22)\n at process._tickCallback (internal/process/next_tick.js:61:11)","msg":"uncaught exception","time":"2022-01-17T10:19:00.332Z","v":0} qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | 17.01.2022 10:19:1.62 | error | RestInterface | app.js | uncaughtException | uncaught exception qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | {"name":"RestInterface","hostname":"15e77919f4f4","pid":1,"level":50,"fs":"app.js","func":"uncaughtException","error":{},"stack":"TypeError: Cannot read property 'api' of undefined\n at Profiler.agent.profiler.addExitCall (/opt/app-root/node_modules/appdynamics/lib/libagent/libagent-connector.js:562:21)\n at MongodbProbe.addExitCall (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:364:14)\n at Instrumentation.<anonymous> (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:120:14)\n at Instrumentation.emit (events.js:182:13)\n at MongoClient.on.event (/opt/app-root/node_modules/mongodb/lib/apm.js:18:60)\n at MongoClient.emit (events.js:182:13)\n at ReplSet.topology.on (/opt/app-root/node_modules/mongodb/lib/operations/connect.js:661:19)\n at ReplSet.emit (events.js:182:13)\n at ReplSet.<anonymous> (/opt/app-root/node_modules/mongodb/lib/topologies/replset.js:281:14)\n at ReplSet.emit (events.js:182:13)\n at Server.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Server.emit (events.js:182:13)\n at Pool.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Pool.emit (events.js:182:13)\n at operation.cb (/opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:928:16)\n at /opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:420:18\n at appd_proxy (/opt/app-root/node_modules/appdynamics/lib/core/appDProxy.js:431:22)\n at process._tickCallback (internal/process/next_tick.js:61:11)","msg":"uncaught 
exception","time":"2022-01-17T10:19:01.626Z","v":0} qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | 17.01.2022 10:19:1.62 | error | RestInterface | app.js | uncaughtException | uncaught exception qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | {"name":"RestInterface","hostname":"15e77919f4f4","pid":1,"level":50,"fs":"app.js","func":"uncaughtException","error":{},"stack":"TypeError: Cannot read property 'api' of undefined\n at Profiler.agent.profiler.addExitCall (/opt/app-root/node_modules/appdynamics/lib/libagent/libagent-connector.js:562:21)\n at MongodbProbe.addExitCall (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:364:14)\n at Instrumentation.<anonymous> (/opt/app-root/node_modules/appdynamics/lib/probes/mongodb-probe.js:120:14)\n at Instrumentation.emit (events.js:182:13)\n at MongoClient.on.event (/opt/app-root/node_modules/mongodb/lib/apm.js:18:60)\n at MongoClient.emit (events.js:182:13)\n at ReplSet.topology.on (/opt/app-root/node_modules/mongodb/lib/operations/connect.js:661:19)\n at ReplSet.emit (events.js:182:13)\n at ReplSet.<anonymous> (/opt/app-root/node_modules/mongodb/lib/topologies/replset.js:281:14)\n at ReplSet.emit (events.js:182:13)\n at Server.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Server.emit (events.js:182:13)\n at Pool.listener.on.event (/opt/app-root/node_modules/mongodb/lib/core/utils.js:34:71)\n at Pool.emit (events.js:182:13)\n at operation.cb (/opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:928:16)\n at /opt/app-root/node_modules/mongodb/lib/core/connection/pool.js:420:18\n at appd_proxy (/opt/app-root/node_modules/appdynamics/lib/core/appDProxy.js:431:22)\n at process._tickCallback (internal/process/next_tick.js:61:11)","msg":"uncaught exception","time":"2022-01-17T10:19:01.628Z","v":0} qa_recon_api_internal_api-internal.1.mspid2qxv9kz@adkqwk04 | Returning an existing Mongo instance ^ Edited by @Ryan.Paredez for formatting 
Hi, what is the minimum requirement for a Splunk clustered environment? How many search heads/indexers should be in place? What is the CPU value?
Dear Splunk Community, I'm trying to extract a list of changed fields, but they should only be listed if they have a value.
<mysearch> | eval _raw="DeviceName:" . host ." " . if(len(srcaddr)>0,"PolicySrc:" . srcaddr,"") ." " . if(len(dstaddr)>0,"PolicyDst:" . dstaddr,"") ." " . if(len(service)>0,"PolicySvc:" . service,"") ."
With len>0 I managed to hide the fields that have not changed, but in the results they are still there as a line break, e.g.
DeviceName: test PolicyDst: dest1 PolicySvc svc1
How can I get rid of these line break(s)?
I need help in getting the step by step process in upgrading Splunk on-prem HF
Hi, I have CLIENT_CONNECT_AUTH_FAIL log entries in Splunk for different usernames. I would like to send an alert when the count of CLIENT_CONNECT_AUTH_FAIL entries for a specific username exceeds a threshold (say 10 within the last 5 min); an alert should be generated for every user that exceeded the threshold (1 alert per corresponding username). Trying to achieve that, I've used `| stats count by username` and then put the trigger `search count > 10`, but the results are not as expected. Consider an example. The stats query produces the following results:
username  count
user1     20
user2     15
user3     5
If I set `Trigger` = `Once`, then I get an alert for only user1, despite the count of CLIENT_CONNECT_AUTH_FAIL for `user2` also exceeding the threshold. If I set `Trigger` = `For each result`, then I get an alert for every username, despite the threshold not being exceeded for `user3`. What is the right way to do this in Splunk?
<panel depends="show_panel">
  <title>xyz</title>
  <search base="main_base">
    <progress>
      <condition>
        <set token="show_panel">true</set>
      </condition>
      <condition>
        <unset token="show_panel"></unset>
      </condition>
    </progress>
    <query> | search months="$tok_mon$" </query>
  </search>
</panel>
Can anyone explain what the above XML code is doing with the token show_panel, and what the progress tag is doing or does? This is drilldown XML code.
Hi, I want to create the following Excel table using Splunk. The first 3 columns are based on the output of a query, something like this:
<query>index=mfpublic sourcetype=SMF100 IFCID=1 DB2_SHARING_GROUP_NAME=$ssid_tok$ DB2_SUBSYSTEM="DBXH" | table _time DB2_SSID CPU_accumulated </query>
The last column is the result of a math operation between the first row and the second row. Using Excel, column D has the formula C2-C3 in the first row, then C3-C4 in the second, then C4-C5, and so on.
(A) Time         (B) DB2_SSID  (C) CPU_accumulated  (D) Difference
17-1-2022 11:20  DBXH          355363188            19569
17-1-2022 11:19  DBXH          355343619            19437
17-1-2022 11:18  DBXH          355324182            21579
17-1-2022 11:17  DBXH          355302603            22657
17-1-2022 11:16  DBXH          355279946            19793
17-1-2022 11:15  DBXH          355260153            -
Is it possible to do this math operation between columns from different rows to create another column? After having this "column D" I want to create a line chart based on this information. Thanks a lot for your help!!
Hi All, Currently one of our Windows users contacted us and informed us that he noticed that the Splunk UF agent is failing frequently on his machine. When we investigated the issue, we could see the following error details in the Splunk _internal logs.
Component=ExecProcessor
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Windows PowerShell'
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='Windows PowerShell
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Security'
component=AuthenticationManagerSplunk
01-17-2022 09:22:19.839 +0000 ERROR AuthenticationManagerSplunk - Either password or seed file not found! No users configured!
component=Metrics
01-17-2022 09:22:20.245 +0000 ERROR Metrics - Metric with name thruput:idxSummary already registered
component=TcpOutputFd
01-17-2022 04:45:00.175 +0000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
component=PipelineComponent
01-17-2022 05:21:48.213 +0000 ERROR PipelineComponent - Monotonic time source didn't increase; is it stuck?
component=FileClassifierManager
01-17-2022 09:22:23.780 +0000 WARN FileClassifierManager - The file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' is invalid. Reason: binary
component=TailReader
01-17-2022 09:22:23.780 +0000 INFO TailReader - Ignoring file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' due to: binary
component=WatchedFile
01-17-2022 09:22:23.498 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-10-01-08-22-12.log'.
I have checked the truncate value and found all are within the control limit except the below sourcetype. Default value is set to 10000.
WinEventLog:Microsoft-Windows-PowerShell/Operational 21132
Splunk Agent version is 7.0. Splunk Enterprise indexer version is 8.2.2. Please guide me on what kind of troubleshooting steps need to be taken in order to resolve this issue.
Hello, I have a question regarding the usage of the results of a join within an eval if. I have a couple of responses, to which I am joining their preceding requests (written in another source):
index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command |join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]
The issue is that sometimes I get a wrong match, hence a request that is not connected to the response and was a few days ago. The reason why they are matched is that it is the same device ID. That's why I am trying to have an eval for the timediff. If I am using the variable request.command within the if, I will receive empty results:
index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command |join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-] |....(commands calculating timediff) | request.command=if(timediff<300,request.command,"")
If I am saving the value within a field that contains no point in the name, it works properly:
index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command |join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-] |....(commands calculating timediff) |rename requestCommand as request.command | requestCommand=if(timediff<300,requestCommand,"")
Does someone have an idea why I cannot use request.command within the eval (but on other commands I can use it)? Thanks and best regards
We got a request to attach 2 CSV files to 1 report. What is the best way to do it?
Hi Expert, can Microsoft Dynamics 365 data be ingested to the Microsoft Security and Compliance portal, and from there be fed and extracted to Splunk? I'm looking to implement this and wonder if it could be a potential solution. Unlike Splunk has an add-on for Microsoft Office 365, where we can use the Office 365 management activity API to retrieve information (https://docs.splunk.com/Documentation/AddOns/released/MSO365/About). Also, looking at this link (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32), PowerApps/D365 data can be ingested to the Microsoft Security and Compliance Centre portal, and from here the data can be extracted using APIs linked to the SIEM (Splunk) via AuditRecordType = e.g. 45 for PowerApps portal events or 21 for Dynamics 365 events. Is my understanding correct? Appreciate your response. Regards/Somnath
Hi folks Does Splunk offer a command-line interface? Using Splunk through the browser might be OK when working with one alert, but is a little cumbersome when managing lots of alerts. If there is indeed a command-line interface, what is required to use it? Is there documentation for it? Thanks Steve