On a Dashboard, I have a Pie Chart that Status Codes. If I scroll over each code, Splunk shows me the percentage of the total for that code, but it is not included when I export the Pie Chart to CSV (Only the codes and the count are included). Is it possible to export the percentage as well? Thanks

hi   index=toto sourcetype=tutu type=* | fields host _time runq type | join host [ search index=toto sourcetype=tutu type=* | fields host core | stats max(core) as nbcore by host ] | eval Vel = (runq / nbcore) | eval _time = strftime(_time, "%d-%m-%y %H:%M:%S") | sort - _time | rename host as Host, _time as Heure | table Heure Host Vel I use the search below For one host, an event is indexed every 40 seconds Now I need to group these events in a span of 30m So I have added a bin span like this | bin _time span=30m  So for one host there is many events with the same span value Now what I need it's just to the last event indexed for the host in the span So I need to display something like this : "host" "time span" "last event generated" I think it's not very difficult but I have a bug Could you help please?

Is it possible to put time modifiers like "earliest" into a search and essentially disregard the time range drop-down in the Splunk UI? I have data that is logged once every 24 hours, so I'd like to embed "WHERE earliest=-24h" into a rather large, complicated query so I can cut-and-paste from my notes without having to mess around with the drop-down (or more importantly, so I don't need to make additional notes to remind myself to set the drop-down). I tried something like this: index=iis sourcetype=xxxx host=xxxx | WHERE earliest=-24h | eval... | table...  But the UI shows "Error in 'where' command: the operator at 'h' is invalid.

Hello, I am wondering when my index will roll from warm to cold with the settings below, the rest of the settings is default: [XXXX] frozenTimePeriodInSecs = 46656000 maxDataSize = auto_high_volume maxTotalDataSizeMB = 4294967295 maxWarmDBCount = 4294967295 repFactor = auto Will the default setting maxHotSpanSecs = 7776000 roll the buckets from warm to cold or is it just the span within the bucket? When will the buckets roll from warm to cold in this case? Thanks in advance!

https://www.appdynamics.com/partners/technology-partners/google-cloud-platform Hi from the link above it is not clear to me if this is a general information or i can really monitor cloud native applications especially the end-user monitoring. can you please refer to how to configure this as well as the documentation in relation if any. Good day

Hi Team, In tiers and nodes of APPD I found JVM heap,MAX heap,JVM cpu burnt, GC Time spent are showing zero. when i checked App and machine agent status are showing up and running. i found below errors in app agent logs. can some one suggest me how to resolve this issue. [AD Thread-Metric Reporter1] 07 Jan 2022 03:12:27,211 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global0] 07 Jan 2022 03:12:52,221 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global1] 07 Jan 2022 03:12:52,221 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global0] 07 Jan 2022 03:13:22,227 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global0] 07 Jan 2022 03:13:22,227 ERROR AgentKernel - Error executing task - [AD Thread-Metric Reporter0] 07 Jan 2022 03:13:27,212 ERROR JVMMetricReporter - Error getting thread count [AD Thread-Metric Reporter0] 07 Jan 2022 03:13:27,212 WARN JVMMetricReporter - Error updating JVM JMX values [AD Thread-Metric Reporter0] 07 Jan 2022 03:13:27,212 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global1] 07 Jan 2022 03:13:52,223 ERROR AgentKernel - Error executing task - [AD Thread Pool-Global0] 07 Jan 2022 03:13:52,223 ERROR AgentKernel - Error executing task - Regards Charan

Dear Splunk Community, Every 5 minutes the following event is generated : 2022-01-05 21:20:33 : Running OR 2022-01-05 20:19:33 : Failed I would like to display a timeline with two (2) lines showing when the system is running and when it fails. I have come so far:   running OR failed | eval status = if(like(_raw, "%Running%"), "Running", "Not running") | table status     I am in need of some guidance in this matter. How do I change the above search so that I have a line chart visualization with the two lines in it? Thanks in advance.    

Hello all,   I am trying to extract an field from the below event and using the below add extraction, however this extraction is failing to extract the complete event and is breaking in the middle. Can you please help resolve.   212685,00004107,00000000,2404,"20220106111738","20220106111739",4,-1,-1,"SYSTEM","","psd240",327312673,"MS932","Server ジョブ(Server:/情報提供基盤/EXA-X6系/汎用集計・フロア取込系/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘﾈｯﾄ/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘ作成:@52X6013)が異常終了しました(status: a, code: 100, host: PSC642, JOBID: 281767)","Error","jp1admin","/HITACHI/JP1/AJS2","JOB","AJSROOT1:/情報提供基盤/EXA-X6系/汎用集計・フロア取込系/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘﾈｯﾄ/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘ作成","JOBNET","Server:/情報提供基盤/EXA-X6系/汎用集計・フロア取込系/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘﾈｯﾄ","Server:/情報提供基盤/EXA-X6系/汎用集計・フロア取込系/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘﾈｯﾄ/ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘ作成","END","20220106111731","20220106111738","100",25,"A0","AJSROOT1:/情報提供基盤/EXA-X6系/汎用集計・フロア取込系","A1","ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘﾈｯﾄ","A2","ユニット別ﾌﾛｱﾏｽﾀﾃﾝﾎﾟﾗﾘ作成","A3","@52X6013","ACTION_VERSION","0600","B0","n","B1","1","B2","jp1admin","B3","psd240","B4","a","C0","PSC642","C1","","C2","281767","C3","PSC642","C4","0","C5","0","C6","r","E0","1641435451","E1","1641435458","E2","0","E3","0","H2","578828","H3","pj","H4","q","PLATFORM","NT",     Extraction used: (?:[^,]+,){14}(?<alert_description>[^,]+),   Please help extract the highlighted fields.  Thank you

Hi All, I have a query to get the result of the list of filesystems and their respective disk usage details as below: File_System  Total in GB   Used in GB   Available in GB   Disk_Usage in % /var                   10                    9.2                   0.8                           92 /opt                   10                    8.1                   1.9                          81 /logs                 10                    8.7                   1.3                          87 /apps                10                    8.4                   1.6                          84 /pcvs                10                    9.4                    0.6                         94 I need to create a multiselect option with the disk usage values to get the above table for a range of values. For e.g. If I select 80 in the multiselect it will show the table with values of disk usage in the range 76-80, then if I select 80 & 90 in the multiselect it will show the table with values of disk usage in the range 76-80 & 86-90 and so on. I created the multiselect with token as "DU" and created the search query for the table as: .... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5))) | table File_System,Total,Used,Available,Disk_Usage | rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %" With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added or help create a query so that upon selecting multiple options in multiselect will give the table for a range of disk usage values.

hi i have difficulties to understandand whats exacty do the field DEST_KEY and FORMAT on my host in stanza 1 and FORMAT in stanza 2 I have read the documentation but..... Thanks in advance [rfc5424_host] DEST_KEY = MetaData:Host REGEX = <\d+>\d{1}\s{1}\S+\s{1}(\S+) FORMAT = host::$1 [host_as_src] SOURCE_KEY = host REGEX = (.+) FORMAT = src::"$1