index=error sourcetype=error_log "Retry counter reached" | makemv delim="=",values | dedup errId | table errId         | map search="search index=error sourcetype=error_log $errId$ "Caused by" | head 1 | rex field=_raw  "MessageText=(?<FailureReason>.+) Please report to system admin"        | eval FailureReason=\"$FailureReason$\"        | eval errId=\"$errId$\"" | table errId, FailureReason The above query does not show any results. If i run the searches separately, i do see the output. What is wrong with the query please?

Currently running a script on  server querying a servers availability, the result of the script is "200" or other codes if the environment is not available..  How can I create a visualization that shows that percentage of the environments availability of 30 days ?

Hi, We setup an F5 VIP to load balance syslog input to several heavy forwarders on UDP 514.  We're successfully receiving syslog events through the F5 VIP from several sources, but for some reason the syslogs from our vmware environment are not being accepted.  Network tracing on the F5 VIP shows vmware sources making connections to the front end VIP and the back-end HF's, but the syslogs are not being accepted and processed by the HF's.  We've taken one VMWare server and directed syslogs straight to one of the HF's (bypassing the F5), and this works.  Any suggestions on what might be happening when sending the vmware syslogs through the F5 that would cause them to not be accepted\received by the HF's?  The inputs.conf file has also been configured with all the VMware sources to accept syslog input from. Thank you.

I have events coming from an API that all have the same 10 fields.  Viewing the RAW event one of the fields (detail) is quote escaped JSON (\").  The contents of the field varies and I cannot get consistent parsing via configuration files.   The props.conf does already include KV_MODE = json   If I add | spath input=detail to the SPL it parses perfectly, but I need to do the parsing from the config files so I can build Datamodels.   Since KV's vary across events parsing the whole detail field verses regex's on specifc KV's seems to be more efficient.   I've had limited success using a regex in transforms.conf.  And I think trying to use the | eval details = spath(X,Y) won't work because there are multiple keys and values.  Some sample events are below. {"edgeName": "DVC_NAME", "enterpriseUsername": null, "event": "EDGE_NEW_DEVICE", "category": "EDGE", "id": 12345678, "segmentName": null, "severity": "NOTICE", "eventTime": "2021-08-03T13:21:31.000Z", "message": "New or updated client device 01:23:45:67:ab:ef, ip 192.168.0.100, segId 0, hostname NT_HOSTNAME, os", "detail": "{\"last_request_time\":0,\"client_mac\":\"01:23:45:67:ab:ef\",\"client_ipv4addr\":\"192.168.0.100\",\"hostname\":\"NT_HOSTNAME\",\"os_type\":0,\"os_class\":0,\"os_class_name\":\"UNKNOWN\",\"os_version\":\"\",\"device_type\":\"\",\"os_description\":\"\",\"dhcp_param_list\":\"1,3,6,15,31,33,43,44,46,47,119,121,249,252\",\"segment_id\":0}"} {"id": 73646231, "severity": "INFO", "eventTime": "2021-08-03T06:36:31.000Z", "segmentName": null, "message": "Edge [DVC_NAME] has re-established communication with the Orchestrator", "category": "EDGE", "event": "EDGE_UP", "enterpriseUsername": null, "detail": "{\"enterpriseAlertConfigurationId\":null,\"enterpriseId\":316,\"edgeId\":8748,\"edgeName\":\"DVC_NAME\",\"state\":\"PENDING\",\"stateSetTime\":\"2021-08-03T06:36:30.867Z\",\"triggerTime\":\"2021-08-03T06:36:30.867Z\",\"remainingNotifications\":1,\"nextNotificationTime\":\"2021-08-03T06:36:30.867Z\",\"lastContact\":\"2021-08-03T06:36:29.000Z\",\"name\":\"EDGE_UP\",\"type\":\"EDGE_UP\",\"firstNotificationSeconds\":0,\"maxNotifications\":1,\"notificationIntervalSeconds\":120,\"resetIntervalSeconds\":3600,\"timezone\":\"America/Phoenix\",\"locale\":null}", "edgeName": "DVC_NAME"} {"edgeName": "DVC_NAME", "id": 73579676, "eventTime": "2021-08-02T23:24:58.000Z", "event": "MGD_CONF_APPLIED", "severity": "INFO", "segmentName": null, "enterpriseUsername": null, "detail": "{\"heartBeatSeconds\": 30, \"managementPlaneProxy\": {\"drHeartbeatSecs\": 60, \"primary\": \"host-1.domain.net\", \"secondary\": \"host-2.domain.net\"}, \"timeSliceSeconds\": 300, \"statsUploadSeconds\": 300}", "message": "Applied new configuration for managementPlane version 1627946184323", "category": "EDGE"}

I have the following scenario where duplicate accounts has been created for a transaction id value. I would like to count how many duplicates has been created and list it as a table. I compare the message with a string, which indicates the successful creation of the account. The current query is as follows:   index=myindex sourcetype=mysourcetype | spath message | search message="Account Created Successfully" |stats count by transactionId   I have the following format for logs   { level: info message: Account Created Successfully timestamp: 2021-08-02T05:58:44-04:00 transactionId: 100200300 }     The above search query is not giving me the correct counts. I manually checked the logs for the transaction ID, but the `stats` count is wrong. How can I modify the query to get accurate counts ?

Hi Splunk community, I am having trouble creating an embed from a saved report.  The website is throwing a 404 error when I click “Enable Embeding”. Its throwing this error inside the 404:   {"messages":[{"type":"ERROR","text":"Cannot find saved search with name 'NameRedacted'."}]}   I have also attached a gif to show exactly where this error is happening

Hi, How would I write Time_FORMAT and TIME_PREFIX for my Props Conf file for the following sample events. Any help will be highly appreciated. Thank you so much. RTJCB|DEMOEE|AFFR|ANALYST   |VIEWSUMMARY    |XYA565656873                ||12.214.61.90|00|                                                            |20210730 13:00:26:907|   |000000|030|ACMF|0|  STJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |YNA565656873                ||12.214.61.90|00|                                                            |20210730 13:00:29:045|      |000000|030|ACMF|0|      TRJCB|DEMO|AFFR|ANALYST   |VIEWSUMMARY    |XBC565656873                ||12.214.61.90|00|                                                            |20210730 13:00:30:421|       |000000|030|ACMF|0|  RXJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |DCN132748456                ||12.214.61.90|00|                                                            |20210730 13:00:40:273|     |201512|030|ACMF|0|     DSJCB|DEMOEE|AFFR|ANALYST   |UPDATECASE     |CBB132748456                ||12.214.61.90|01|Attempt to update to an code                 |20210730 13:00:47:347|        |201512|030|ACMF|0|              RXJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |ABB132748456                ||12.214.61.90|00|                                                            |20210730 13:00:48:519|          |201512|030|ACMF|0|           

Hello All,   We have an index cluster which utilizes SmartStore in AWS S3.  Things appear to be working but we have observed the following in our logs on the index peers. 08-02-2021 12:34:53.725 -0400 ERROR IndexerIf [22952 FilesystemOpExecutorWorker-0] - failed to update bucket bid=sysandy_test2~2~32FED627-479E-41CF-A401-2F061C2EF7E5 with remote metadata due to err= 08-02-2021 12:45:04.668 -0400 ERROR IndexerIf [24603 FilesystemOpExecutorWorker-0] - failed to update bucket bid=sysandy_test2~3~32FED627-479E-41CF-A401-2F061C2EF7E5 with remote metadata due to err= 08-02-2021 12:55:21.684 -0400 ERROR IndexerIf [25930 FilesystemOpExecutorWorker-0] - failed to update bucket bid=sysandy_test2~1~80593238-39FB-443D-8E13-8FC3E521B22C with remote metadata due to err= It appears that these errors sometimes occur only on one or two of the three index peers but result in a tsidx file that that is different locally then the S3 copy.   It is unclear as to why this is happening and the err= appears to be blank. Has anyone ever seen this behavior and any suggestions for resolving this ? Thanks.    

We are having an issue with the "Splunk_TA_nix/bin/ps.sh" script and the way it's reporting cpu usage for servers with multiple cpu's. It caps the cpu at 100, but that value can actually go up to the number of cpu's * 100. So a server with 32 CPU's can reach 3200. Limiting that value to 100 seems to gives incorrect information. Can anyone give some insight into what's going on here? We are on Enterprise 7.3 if that makes a difference. Thanks

i have noticed that there is a notable events when we tried to open the correlation search related to that notable event it said " search doesn`t exist "  , also i can`t find it in content management , after searching i found the saved search under search app in local/savedsearch.cong , why it don`t show up in the content management and how to solve that issue? Thanks.

After windows UF upgrade from 7.1.10 to 8.2.0, we are getting the spunk perfmon.exe counters not found error in splunk internal index. However windows perfmon data is coming in Splunk. Before upgrade I couldn't see any this type of error. Please help me on this. 08-03-2021 07:55:02.999 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"" splunk-perfmon - OutputHandler::composeOutput: Counters not found: % Processor Time   08-03-2021 07:35:02.734 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"" splunk-perfmon - OutputHandler::composeOutput: Counters not found: IO Read Operations/sec