As i mentioned below prod column has multiple values and i want to split it based on \n next line command and get the output as mentioned in output image. Current data: Expected output: Thanks in advance ..

Is it possible to configure a 6.5.2 universal forwarder to send events to an http event collector (on 7.2)? I have a series of universal forwarders that had been sending logs to an old indexer on port 9997 -- both the forwarders and the indexer are slated for retirement "soon", part of an app that's been mostly retired already, but I need to keep them going a few more months.   The indexer hardware died badly, and I thought I'd easily be able to switch these UFs over to our current indexer, which runs 7.2 (upgrading soon to 8.x), but that indexer only listens using the HEC on port 8088.  It's behind an AWS ALB, so opening up port 9997 would be problematic. Is this even *supposed* to be possible (sending events from 6.5.2 UF to 7.2 HEC)? I've tried putting the following into local/outputs.conf, but it seems to have no impact.  Splunk isn't complaining about the statements when it starts up, and it also isn't sending any network traffic on port 8088.     [httpout] httpEventCollectorToken = [642bc63f-8e62-4b3e-9579-f146345eeaa2] uri = http://splunk.domain-name.com:8088 batchSize = 65536 batchTimeout = 5    

Hi, In my query: index="my_local" | sort -Date I get a list of items, and if I look at one item (and lick "show as raw text") it looks like this: {"Level":"Info","MessageTemplate":"ApiRequest","RenderedMessage":"ApiRequest","Properties":{"httpMethod":"GET","statusCode":200}, ...} Since a lot of the properties are wrapped inside "Properties", I always have to expand it manually by clicking the expand icon (with plus sign). Is there any way to get the search results already expanded (so I don't always have to click "Properties" to manually expand it)? Many thanks!

Hi, I have below data in lookup,i need to add up the row data example: For first row i need to add total offw,total 'B',total 'V' and show the count in 3 different column for OFF,B and V. Similary for each row i need add the same data value and show in a column   any query or commands ?

Hi All,   I have an JSON file that is ingested into Splunk, I need to create a dashboard with the different API's and their traffic fields extracted are having the the timestamp as well and it makes it difficult to be used directly for the dashboard queries data{}.fca-accounts-metrics-api-v1.08/23/2021.Number of Failure Traffic Below is the extract of the JSON content { "org": "xxx", "env": "prod", "from_date": "08/23/2021 00:00:00", "curr_date": "08/23/2021 23:59:59", "data": [ { "management-api-v1": { "08/23/2021": { "Total Number of Traffic": "0.0", "Average Request Turnaround(ms)": "0.0", "Number of Failure Traffic": "0.0", "Number of Success Traffic": "0.0" } } }, { "sXXXX-api-v1": { "08/23/2021": { "Total Number of Traffic": "2113.0", "Average Request Turnaround(ms)": "57.68", "Number of Failure Traffic": "0.0", "Number of Success Traffic": "2108.0" } } }, { "sXX-api-v1": { "08/23/2021": { "Total Number of Traffic": "0.0", "Average Request Turnaround(ms)": "0.0", "Number of Failure Traffic": "0.0", "Number of Success Traffic": "0.0" } } }, { "open-banking-v31": { "08/23/2021": { "Total Number of Traffic": "0.0", "Average Request Turnaround(ms)": "0.0", "Number of Failure Traffic": "0.0", "Number of Success Traffic": "0.0" } } }, { "fca-accounting-metrics-api-v1": { "08/23/2021": { "Total Number of Traffic": "135.0", "Average Request Turnaround(ms)": "57.66", "Number of Failure Traffic": "0.0", "Number of Success Traffic": "136.0" } } } ] }   Is there a way to extract the API names and the traffic details. if this could be made to a tabular form with the date and api names and its traffic details it would be great to create a dashboard or chart. 

[Updated] HI All, @ITWhisperer  Please help me on this I have data like below -  HostName LastConnected ABC 23/08/2021 10:04 ABC 23/08/2021 10:34 AAA 23/08/2021 12:01 AAA 23/08/2021 12:32 AAA 23/08/2021 13:03 AAA 23/08/2021 13:34 ABC 23/08/2021 17:03 AAA 23/08/2021 15:01 AAA 23/08/2021 15:35 ABC 23/08/2021 14:00 AAA 23/08/2021 21:02 AAA 23/08/2021 22:03 AAA 23/08/2021 20:02 ABC 23/08/2021 11:02 ABC 23/08/2021 11:34 ABC 23/08/2021 12:02 ABC 23/08/2021 13:34 AAA 23/08/2021 14:02 AAA 23/08/2021 14:34 ABC 23/08/2021 15:04 ABC 23/08/2021 16:34 ABC 23/08/2021 16:05 ABC 23/08/2021 22:02 ABC 23/08/2021 23:36 AAA 23/08/2021 11:03 ABC 24/08/2021 11:36 AAA 24/08/2021 12:03 ABC 24/08/2021 11:00 AAA 24/08/2021 12:36 ABC 23/08/2021 17:36 AAA 23/08/2021 20:32 AAA 23/08/2021 21:32   Now, i want output like this    HostName TotalHours Max_Consecutive  23/08/2021 10 23/08/2021 11 23/08/2021 12 23/08/2021 13 23/08/2021 14 23/08/2021 15 23/08/2021 16 23/08/2021 17 23/08/2021 18 23/08/2021 19 23/08/2021 20 23/08/2021 21 23/08/2021 22 23/08/2021 23 24/08/2021 11 24/08/2021 12 24/08/2021 13 24/08/2021 14 24/08/2021 15 ABC 4 2 23/08/2021 10:04 23/08/2021 10:34 offline 23/08/2021 12:02 23/08/2021 13:34 23/08/2021 14:00 23/08/2021 15:04 23/08/2021 16:34 23/08/2021 16:05 23/08/2021 17:03 23/08/2021 17:34 offline offline offline offline 23/08/2021 22:02 23/08/2021 23:36 24/08/2021 11:36 24/08/2021 11:00 offline offline offline offline AAA 8 5 offline 23/08/2021 11:02 23/08/2021 11:34 23/08/2021 12:01 23/08/2021 12:32 23/08/2021 13:03 23/08/2021 13:34 23/08/2021 14:02 23/08/2021 14:34 23/08/2021 15:01 23/08/2021 15:35 offline offline offline offline 23/08/2021 20:02 23/08/2021 20:32 23/08/2021 21:02 23/08/2021 21:32 23/08/2021 22:03 offline offline 24/08/2021 12:03 24/08/2021 12:36 offline offline offline   Note:- I have more than 2 lakhs records, and if user select one week data it should be work for a week If it is connected complete hour ,then it is online - means two times in hour We if mvcount >=2 then it is online , we need to count If it is 1 - no need count keep as it is  0 - offlilne   Thank you in advance 

I am trying to export and import a dashboard using the Controller API, and using the Postman tool. Ref export, I have this working OK: I created an API Client with the administrator role I used the Controller API with the API Client credentials to generate a Bearer Token, https://{{controller_uri}}//controller/api/oauth/access_token I successfully exported a dashboard https://{{controller_uri}}/controller/CustomDashboardImportExportServlet?dashboardId=12355 Headers: Authorization:Bearer {{bearer_token}} Now when I try to import a dashboard using the API, with: A new dashboard name that currently doesn’t exist, Using basic authentication (my user account which also has admin access) because the import API does not support the use of the Bearer Token (open enhancement exists: Internal story ID https://jira.corp.appdynamics.com/browse/METADATA-9305). .. I simply get a 500 response. What I tried is: Method: POST URI: https://{{controller_uri}}/controller/CustomDashboardImportExportServlet BODY: The json of the previously exported dashboard Content-Type: application/json As per the documentation, I also tried using CURL and it worked: https://docs.appdynamics.com/4.5.x/en/extend-appdynamics/appdynamics-apis/configuration-import-and-export-api curl -X POST --user Allister.Green@RSAGroup:<pw> https://<domain uri>/controller/CustomDashboardImportExportServlet -F file=@dashboard.json Because the curl example uses a file, I also tried using a file with Postman instead of using the dashboard json as the message body, but this also generated a 500 response. To use a file: Body: form-data KEY: file, VALUE: <filename>, CONTENT TYPE application/json Has anyone got dashboard imports working using Postman, and if so, please can you share how. Thanks, Allister.

Hello In my base search I'm looking for stores with the minimum count of 1 for 4 differend kind of errors. I count the errors, put them in a xyseries table and filter them out - which works great. Now i would like to know which stores on which day hit all the criterias. -----------------------------------                 Code ----------------------------------- index=main host=* (thrown NotFoundException:Not found) OR (X-30056) OR (Interceptor for tx_pool ITransactionPool has thrown exception, unwinding now) OR (SocketTimeoutException Read Timeout) | rex field=_raw "An accepted error occurred:.(?<exception>\w+-\d+):." | rex field=_raw "SocketTimeoutException: R(?<exception>\w+.\w+)" | rex field=_raw "serverDataState:.(?<exception>\w+.\w+)" | rex field=_raw "Caused by: java.io.InterruptedIOException:.(?<exception>.*)" | rex field=_raw "thrown NotFoundException:(?<exception>\w+.\w+)" | eval ccc = cooperative+cost_center | stats count by ccc exception | xyseries ccc exception count | search X-30056 > 0 AND "Read Timeout" > 0 AND "Not found" > 0 AND "Output operation aborted" > 0 -----------------------------------                Result ----------------------------------- ccc X-30056 Not found Output operation aborted Read Timeout Read Timeout Read timed 0011111 339 6 12 193 364 0022222 620 4 1 640 992 1 0033333 588 4 7 2549 4956 1 What I would like to achieve is the following: Date                 ccc 08/17/2021 0011111 08/18/2021 0022222 08/20/2021 0033333 I'm thankful for any help!