I have setup local splunk instance(8.2) and have installed add-on ' splunk add-on for microsoft cloud services'(4.1.3). I have already created eventhub and have added Azure Event Hubs Data Owner permission to my app in order to be able to access eventhub in azure. I am able to add azure app account in the configuration tab but while trying to add input, the splunk gui keeps on loading and am not able to add any inputs. When I checked the logs I found 404 errors. Below is a stack trace of the error. 06-28-2021 14:58:08.717 -0400 ERROR AdminManagerExternal [67673713 TcpChannelThread] - Stack trace from python handler:\nTraceback (most recent call last):\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunktaucclib/rest_handler/handler.py", line 117, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunktaucclib/rest_handler/handler.py", line 172, in all\n **query\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunklib/binding.py", line 290, in wrapper\n return request_fun(self, *args, **kwargs)\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunklib/binding.py", line 71, in new_f\n val = f(*args, **kwargs)\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunklib/binding.py", line 686, in get\n response = self.http.get(path, all_headers, **query)\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunklib/binding.py", line 1194, in get\n return self.request(url, { 'method': "GET", 'headers': headers })\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunklib/binding.py", line 1255, in request\n raise HTTPError(response)\nsplunklib.binding.HTTPError: HTTP 404 Not Found -- b'{"messages":[{"type":"ERROR","text":"Not Found"}]}'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/Applications/Splunk/lib/python3.7/site-packages/splunk/admin.py", line 114, in init_persistent\n hand.execute(info)\n File "/Applications/Splunk/lib/python3.7/site-packages/splunk/admin.py", line 637, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs_rh_mscs_storage_table.py", line 111, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunktaucclib/rest_handler/admin_external.py", line 51, in wrapper\n for entity in result:\n File "/Applications/Splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunktaucclib/rest_handler/handler.py", line 122, in wrapper\n raise RestError(exc.status, str(exc))\nsplunktaucclib.rest_handler.error.RestError: REST Error [404]: Not Found -- HTTP 404 Not Found -- b'{"messages":[{"type":"ERROR","text":"Not Found"}]}'\n     Can someone please provide any suggestions on this ? @jkat54 , @chli_splunk  , @bradp1234 , @tmontney 

Hi All, Currently, I try to implement cluster-operator and cluster-agent on K8s. the cluster metric shows under the "Server/Cluster" menu correctly. However, I would like to config auto-instrument for Java application but no hope follow the validate guide here is still not much helpful... https://docs.appdynamics.com/21.5/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent/auto-instrument-applications-with-the-cluster-agent/validate-auto-instrumentation#ValidateAuto-Instrumentation-TroubleshootAuto-InstrumentationWhenNotApplied apiVersion: appdynamics.com/v1alpha1 kind: Clusteragent metadata: name: k8s-cluster-agent namespace: appdynamics spec: appName: "TEST-CLUSTER" controllerUrl: "https://xxx.appdynamics.com" account: "xxxdev" logLevel: DEBUG logFileSizeMb: 7 logFileBackups: 6 # docker image info image: "my.own.repository.org:5000/appdynamics/cluster-agent:latest" serviceAccountName: appdynamics-cluster-agent nsToMonitor: - "appdynamics" - "cma-dev" - "cma-qa" # # auto-instrumentation config # instrumentationMethod: Env nsToInstrumentRegex: "xxx-dev|xxx-qa" appNameStrategy: label defaultAppName: not-specific defaultCustomConfig: "-Dappdynamics.agent.maxMetrics=15000" defaultEnv: JAVA_TOOL_OPTIONS resourcesToInstrument: - Deployment imageInfo: java: image: "my.own.repository.org:5000/appdynamics/java-agent:latest" agentMountPath: /opt/appdynamics instrumentationRules: - namespaceRegex: "xxx-dev" language: java env: JAVA_TOOL_OPTIONS appNameLabel: app instrumentContainer: first imageInfo: image: "my.own.repository.org:5000/appdynamics/java-agent:latest" agentMountPath: /opt/appdynamics - namespaceRegex: "xxx-qa" language: java env: JAVA_TOOL_OPTIONS appNameLabel: app instrumentContainer: first imageInfo: image: "my.own.repository.org:5000/appdynamics/java-agent:latest" agentMountPath: /opt/appdynamics But I got this.... [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:628 - rule xxx-qa matches Deployment spring-api-productprofile in namespace xxx-qa with labels map[app:spring-api-productprofile] [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:639 - Found a matching rule {xxx-qa map[] java first -Dappdynamics.agent.maxMetrics=15000 JAVA_TOOL_OPTIONS map[agent-mount-path:/opt/appdynamics image:my-own-repository.org:5000/appdynamics/java-agent:latest] map[bci-enabled:true port:3892] 0 0 app 0 false []} for Deployment spring-api-productprofile in namespace xxx-qa with labels map[app:spring-api-productprofile] [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:249 - Instrumentation state for Deployment spring-api-productprofile in namespace xxx-qa with labels map[app:spring-api-productprofile] is false [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:628 - rule xxx-dev matches Deployment spring-api-deliveries in namespace xxx-dev with labels map[app:spring-api-deliveries] [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:639 - Found a matching rule {xxx-dev map[] java first -Dappdynamics.agent.maxMetrics=15000 JAVA_TOOL_OPTIONS map[agent-mount-path:/opt/appdynamics image:my-own-repository.org:5000/appdynamics/java-agent:latest] map[bci-enabled:true port:3892] 0 0 app 0 false []} for Deployment spring-api-deliveries in namespace xxx-dev with labels map[app:spring-api-deliveries] [DEBUG]: 2021-06-28 16:12:36 - instrumentationconfig.go:249 - Instrumentation state for Deployment spring-api-deliveries in namespace xxx-dev with labels map[app:spring-api-deliveries] is false Please advice

Hello Members, I have a requirement, in which i have 5 servers, in which i want to send and alert.  In which five server are : a, b,c,d,e,f I want to set an alert in which when the CPU utilization is high on server a --- then alert send to one specific email id @@abc.splunk.com  and for the other 4 servers i want to send an alert on email group---xyz@splunk.com. In splunk alert setting there is no option, we need to put through SPL by using the eval, but it is not working for me. I have tried as below : | eval condition_alert=if(server == "a", "abc.splunk.com", "xyz@splunk.com") --- it is not working | eval condition_alert=if(LIKE(server,"%a%"),"abc.splunk.com", "xyz@splunk.com") --- it is also not working.   Please suggest me the solution.    

Please confirm/deny something for me because it's not clear from the docs. Let's assume I have events containing both "unstructured" data and json. Something similar to the ones from https://community.splunk.com/t5/Getting-Data-In/JSON-transformations/m-p/370127#M67168 Dec 1 22:29:42 127.0.0.1 1 2017-12-01 LOGSERVER 1292 - - {"event_type":"type_here","ipv4":"127.0.0.1","hostname":"pc_name.local","occured":"01-Dec-2017 22:24:34"} If I set KV_MODE=json, I assume the fields from the json part should get parsed automaticaly. But what about the rest of the message? Can I still apply transforms to get additional fields parsed from the event?

I have an index where one of the relevant fields is a domain. This index is used in a search in a dashboard, where I have a table showing relevant fields. Let's consider this:   index=foo contains 5 logs: domain=community.example.com serial=123 desc=whatever1 domain=dev.example.com serial=456 desc=whatever2 domain=abc.dev.example.com serial=789 desc=whatever3 domain=def.dev.com serial=098 desc=whatever4 domain=blog.example.com serial=765 desc=whatever5   I have a whitelist csv inputlookup with the following: *.dev.example.com blog.example.com   I want the table to show a column "whitelist" with YES if the domain is in the whitelist. I'm using the query below to do that, but it does not work for wildcard domains. For example, all domains *.dev.example.com (in my example, abc.dev.example.com and def.dev.example.com) should have the column whitelist as YES, but they appear blank. On the other hand, blog.example.com appear with YES in the whitelist column, because it does not have any wildcard in the whitelist.     index=foo | join type=left domain [| inputlookup whitelist_foo.csv | eval whitelist="YES" | fields domain, serial, desc, whitelist] | table domain, serial, desc, whitelist     From what I understood, the join left interprets the asterisk as a string, not as a wildcard. How can I overcome that?

Hello Splunkers, I'm collecting Aruba AP (Aruba Access Point) logs from my rsyslog inputs. I use the Aruba_Networks add-on available on splunk.com to parse the logs. Actually the Splunk collect the "host" field as the IP address of the AP (host = ip). I created a lookup associating a hostname to the ip of the AP :   hostname,host hostname1,ip1 hostname2,ip2 hostname3,ip3 ...,... hostnameN,ipN   The issue I get is I want a "hostname" field and an "ip" field but I have neither of these. I tried to change my props.conf file :   [(?::){0}aruba*] LOOKUP-aruba_ap_list=aruba_ap_list host OUTPUTNEW hostname host AS ip   and in my transforms.conf (file exist in the lookup folder) :   [aruba_ap_list] filename=aruba_ap_list.csv    But the field "hostname" isn't created and the "host" field alias named "ip" isn't created neither. I don't know what I'm doing wrong. Can you help me please ?

I am running following search query to obtain history of triggered alerts (time, name, severity), manually:   index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | table trigger_time ss_name severity | rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity"   I am observing following strange behavior: I am running this for "all time", yet I can never match timestamps for two searches. What I mean by this is that if I search for value of `trigger_time` for alert that triggered in May, and search for that very same value in all time export generated in June, I will not find it. It is not a single occurrence. Whichever record I randomly select, I am unable to find in other files exporting seemingly the same data. In case it is important: I have 3 SeachHeads in a cluster. Is this a bug? (v8.0.2.1) If this is not a bug, how do I make Splunk to provide precise time of when alerts were triggered?

Hola, he conseguido enlazar Splunk con LDAP, el problema es que cuando salgo de Splunk he intentado acceder de nuevo pero con algunos de los nuevos usuarios introducidos por LDAP. Además, cuando conseguí la configuración en la sección Asignación de grupos, los usuarios aparecen como si fueran grupos, ¿es así?

Hi there, I want to append a null frame char (x00) to my raw logs intercepted by props stanza. How can I solve this? I tried to insert strings like: SEDCMD REGEX = (.*)  followed by FORMAT Any hints?