Pretty much the title. I have created alerts using IT Essentials Learn app. The alert is running because I receive alerts to slack. However, I cannot figure out where the alert is housed so I am unable to return to the edit screen and modify the alert. I've looked through both IT apps as well as the Search and Reporting app alerts panel. I cannot find the alerts anywhere. Where are they housed?

Hi There,   I have two queries [Query 1  and Query 2].  what i am planning to achieve is that when user clicks on the server_ID for tabular output of Query 1, then it should be passed as INPUT to the WHERE clause in Query 2  . Any help would be appreciated.     Query 1: index=<<index_name>>   sourcetype=webserver | dedup server_ID | table  server_ID   Query 1 Output: server_ID 49552473-567 d5eedf55-dca 5d4bb774-74a 03f03042-1f7   Query 2:   index=<< index_name>>   "Exception" | where  server_ID= "server_ID from Query1 table"     Thank You

Our organization has been using the AppDynamics Java agent with IBM Websphere for a number of years. This is our first attempt to get the Java agent working with Tomcat. When the Tomcat application server starts up, we get Connection Refused error messages in the java agent logs. Stack Trace Error Message: org.apache.http.conn.HttpHostConnectException: Connect to server.domain.name:443 [server.domain.name/<IP Address>] failed: Connection refused (Connection refused)         at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156) ~[httpclient-4.5.13.jar:4.5.13]         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13] Configuration information:       -Dappdynamics.controller.hostName=server.domain.name \       -Dappdynamics.controller.port=443 \       -Dappdynamics.agent.applicationName=APP-NAME \       -Dappdynamics.agent.tierName=Services \       -Dappdynamics.agent.nodeName=APP1_Node1 \       -Dappdynamics.agent.accountName=customer1 \       -Dappdynamics.bciengine.should.implement.new.interfaces=false \       -Dappdynamics.agent.accountAccessKey=<account number>\ What kind of things could cause a connection refused with the Java agent running in Tomcat? What should I be looking for in the logs? Is there a known difference in connection behaviour between Websphere and Tomcat? Any help would be appreciated. Thanks! Dale Chapman

  I'm doing a query to return the text part of the log, but when using it on my dashboard it gives this error message: Value node <query> is not supposed to have children   my query: index=... user Passed-Authentication earliest=@d | rex field=_raw "mdm-tlv=ac-user-agent=(?<message>.*?)," | table message   My dashboard: <panel> <single> <title>Meu titulo</title> <search> <query>index=... user Passed-Authentication earliest=@d | rex field=_raw "mdm-tlv=ac-user-agent=(?<message/>.*?)," | table message </query> </search> <option name="height">96</option> </single> </panel>  I believe the error is due to <message>, but I'm new to splunk  

In the latest Splunk Security Essentials 3.4.0, and previous release the Data Inventory detection in CIM+Event Size Introspection starts a query that will never complete due to an unmatched paranthesis.    The query is autogenerated, so I'm not sure if this is due to a misconfiguration on my part, or perhaps just a unwanted feature.   (index=main source=WinEventLog:Security) ) OR (index=main source=WinEventLog:Security ) | head 10000 | eval SSELENGTH = len(_raw) | eventstats range(_time) as SSETIMERANGE | fields SSELENGTH SSETIMERANGE tag | fieldsummary

Please confirm something or correct me. If I understand correctly, it's the event's _time that's the basis for bucket ageing (hot->warm->cold(->frozen)), right? I understand that it's typically designed this way for collecting event which have monotonicaly "growing" time. But what would happen if my source (regardless of the reason) generated events with a "random" timestamp? One could be from an old past (several years, maybe?), another from the future and so on. Would it mean that I'd have a chance to roll the buckets after just one or two events because I'd have sufficiently old events or sufficiently  big timespan in case of hot buckets?

Hi I have two field on my logfile <servername> <CLOSESESSION> need to know when CLOSESESSION is 0 each day by servername. everyday I expect CLOSESESSION appear on my server logs, if one or more server has no CLOSESESSION it means something going wrong. here is the spl: index="my_index" | rex field=source "(?<servername>\w+)." | rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)" | table _time servername CLOSESESSION   Expected output: Servername     cause Server10           NOCLOSESESSION Server15            NOCLOSESESSION   any idea? Thanks,