Hello, I am trying to extract the system IDs from single event into the multiple events, I mean that each SID is in a separate line. I try to deploy a regex for this, without success. Could perhaps anyone help with the below? Kind Regards, Kamil   | makeresults | eval SID="I32 DYR DZ1 MHW DYN I58 ICZ ICN I69 I8Y IAE I6J I71 SLG I9Z I7T I7Z I5Y I5U I5T I3I I3G TCX I5O DZX DZC DYQ DYO DYM OGO OJ8 OK8 OKQ OKX DXF DYE DYF SS4 QMW I24 R9H O67 OP0 SP9 I4I I4M" | rex field=SID "^(?<SID2>[^\r\n].+)"  

Good Morning, I am using the http_poller logstash input filter to connect to the AppDynamics OAUTH API that I will then use to pass to the http filter plugin to retrieve AppDynamics REST API metric data to insert into Elasticsearch. My logstash http_poller configuration is: ``` input { http_poller { urls => { AppDynamics => { method => post url => "https://*appdynamics-test-account*/controller/api/oauth/access_token" headers => { "Accept" => "application/json" "Content-Type" => "application/vnd.appd.cntrl+protobuf;v=1" "Authorizations" => "*AppDynamics bearer token*" "grant_type" => "client_credentials" "client_id" => "Stage-CurlTest" "client_secret" => "*AppDynamics Client Secret*" } } } request_timeout => 60 schedule => { every => "1h"} codec => "json" metadata_target => "appd-token" type => "AppDynamics" } } } ``` I am getting the following error response when the poller tries to connect to AppDynamics ``` { "type": "AppDynamics", "@timestamp": "2021-10-18T14:02:11.191Z", "appd-token": { "request": { "method": "post", "url": "https://*appdynamics-test-account*/controller/api/oauth/access_token", "headers": { "Authorizations": "AppDynamics Bearer Token", "grant_type": "client_credentials", "client_secret": "`AppDynamics Client Secret`", "client_id": "Stage-CurlTest", "Content-Type": "application/vnd.appd.cntrl+protobuf;v=1", "Accept": "application/json" } }, "response_headers": { "x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN", "x-xss-protection": "1; mode=block", "connection": "keep-alive", "server": "AppDynamics", "date": "Mon, 18 Oct 2021 14:02:10 GMT" }, "runtime_seconds": 0.36, "host": "SAPPLOG03", "name": "AppDynamics", "response_message": "Not Acceptable", "code": 406, "times_retried": 0 }, "@version": "1", "tags": [ "_httprequestfailure" ] } ``` New to both the http_poller filter and the AppDynamics Metric REST API so not sure what I have configured wrong. I have also posted to the Elastic Community forum. I have removed any account-specific information for security reasons so any additional information that would be helpful let me know and I'll get it for this post. Thanks, Bill

I have a time range picker <input type="time" token="myTime"></input> in my dashboard. When I choose "Date & Time Range" -> Between 10/17/2001 14:08:46.000 (HH:MM:SS.SSS) and 10/18/2021 00:00:00:000 (HH:MM:SS.SSS), the dropdown menu "crashes" and is not visible any more. Same thing happens if I have "form.myTime.latest=1634508000" in the URL (1634508000 corresponds to 10/18/2021 00:00:00:000 (HH:MM:SS.SSS)), it hangs at "loading". This seems to happen when start/finish time is 00:00:00.000. Any help?

Hi, I would like some advice on how to best resolve my current issue with regards to the Logs being delayed that are being sent from Syslog Server via a Universal Forwarder. Situation Details: We have a central Syslog Server (Linux Based) that is handling all network devices Logs and storing them locally. The average size of daily log volume on the Syslog Server is about 800 GB to 1 TB approx. We have configured retention policies such that only 2 days of Logs are kept locally on the Syslog Server.  To onboard the logs into Splunk we have deployed a Universal Forwarder on the Syslog Server and configured the below to optimize it,  server.conf   [general] parallelIngestionPipelines = 2 [queue=parsingQueue] maxSize = 10MB   limits.conf   [thruput] maxKBps = 0    However, even now we are getting many events in splunkd.log of    WARN Tail Reader - Enqueuing a very large file=/logs/.... in the batch reader, with bytes_to_read=xxxxxxx, reading of other large files could be delayed   The effect of this is that even though Logs are being forwarded to Splunk but there is a large delay time associated with when the logs are received on Syslog Server and when they are indexed/searchable in Splunk. There are many dips in logs received in Splunk when investigating and usually these dips recover as soon as we start receiving the logs that are sent by Splunk UF. However in some cases, the logs are missed because it seems by the time the Splunk agent reaches the log file to read 2 days have passed so that the log file is no longer available as per retention policies.  Would appreciate any helpful advice on how to go about addressing this issue. Thank you. 

Hi Experts,                    As part of an new initiative looking at SLO metrics. I have created the below query which nicely counts the amount of errors per day over a 30 day window and also provides a nice average level on the same graph using an overlay for easy viewing. earliest=-30d@d index=fx ERROR sourcetype=mysourcetype source="mysource.log" | rex field=source "temp(?<instance>.*?)\/" | stats count by _time instance | timechart span=1d max(count) by instance | appendcols [search earliest=-30d@d index=fx ERROR sourcetype=mysourcetype source="mysource.log" | rex field=source "temp(?<instance>.*?)\/" | stats count by _time instance | stats avg(count) AS 30d_average]|filldown 30d_average I wanted to somehow work out the percentage of good results (anything that is lower then the average value) and the percentage of bad results (above the average) and show in a stats table for each instance. Help needed! thanks in advance Theo

Very new to splunk here. I would like to group each http request to each directory based on their directory, and produce a count for each and plot it in a pie chart. GET /vendor, GET /Services, GET /config, GET /About For example GET /vendor/vendor/auth/signin  and GET /vendor/vendor/browse should be classified under /vendor in a table. my current query is wrong and doesn't show anything, modified it based on a GIAC paper. index="apache_logs" | stats count by request | eval request=case( request="GET /config*", "/config", request="GET /vendor*", "/vendor", request="GET /Services*", "/Services", request="GET /About*", "/About") request="GET /about*", "/about") | top request limit=0 useother=f | eval request=request." (".count." events, ".round(percent,2)."%)" I would also like to differentiate requests to /about and /About   I hope this made sense.