All Topics

Hi, I was able to send Oracle alert logs to Splunk and do some basic searches. However, I have one issue: what happens when we recycle the alert log? On a regular basis, we rename the alert log file and compress it. The problem is that there is a lag in transferring logs to Splunk, so when we rename the alert log file, what is going to happen to the log in Splunk? We don't want to miss any data in the log file and want everything in the alert log. How can I do that? I'm using a universal forwarder, and input.conf has filename, sourcetype... Thanks.
Hi Splunker, I would like to lowercase the string/value present inside the double quotes and then use it as it is. The values highlighted in red are strings which I would like to convert to lower case.
Actual field value: "AWSURLmonitor_" + url sourcetype + "SystemRestarted" "Batch_Comm_critical_alert"."_".to_DST_Filename."-".Time
Expected field value: "awsurlmonitor" + url sourcetype + "systemrestarted" "batch_comm_critical_alert"."_".to_DST_Filename."-".Time
As in the above example, I have multiple data in my environment; my task is to lowercase whatever value is present inside the double quotes. Any help would be really appreciated. Regards,
Hi, please help. I would like to see in a table (to extract with rex) the value of the field paid. The log is:
2020-12-23 12:14:42.744 [Error] ## Get Sap NOK --> Check:OK (type:aaaa, paid:111.00EUR, change:0.00EUR, changeDddd:0.00EUR) - fffff:OK - rrrrr:NOT_STARTED - bbbb:NOT_STARTED - bnbn: - sn: - gggg:3333 - rererere:54554545- ererr:2
Thank you very much
Iv
Hello, I've read a ton of forum posts regarding this but I still cannot get it to work, so I'm hoping someone could point out what I'm doing wrong. The scenario I have is that there are multiple hosts with the Splunk agent installed, and we're currently logging that data to our Splunk indexers + a syslog server. For a short period of time, I want to send a subset of logs only to syslog, but I can't seem to get that to work. Below is my current config on my heavy forwarders. I expect this to send all hosts with server* to Splunk and syslog but only endpoint* to syslog. Right now, no matter what I do, everything still goes to Splunk. I even fully commented out the routeSubset section and ran "splunk reload deploy-server" and I still got those logs in Splunk. Any thoughts would be greatly appreciated.
props.conf
[source::WinEventLog:Security]
TRUNCATE = 0
SEDCMD-win = s/(?mis)(Token\sElevation\sType\sindicates|This\sevent\sis\sgenerated).*$//g
TRANSFORMS-routing = routeSubset, routeSubset2
transforms.conf
[routeSubset]
SOURCE_KEY=MetaData:Host
REGEX=(?i)^server[0-9][0-9].*
DEST_KEY=_TCP_ROUTING
FORMAT=splunkssl
[routeSubset2]
SOURCE_KEY=MetaData:Host
REGEX=(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_server
Hi - I am planning an upgrade from V7+ to V8. I am running into issues with the results of the upgrade readiness app. Most are warnings, but one blocker has me concerned. The app, Splunk App for Unix (V6 - just downloaded and installed), has blockers and warnings. The blocker: Splunk Web on Enterprise 8.0 and above may not start if any app has a CherryPy endpoint/controller written in Python 2.7. I've not been able to find any path to investigate or resolve this error. Please keep in mind I am not a Python dev, nor much above a Linux sys admin1. Please keep that in mind when replying. As for the warnings: Update these Python scripts to be dual-compatible with Python 2 and 3. Several scripts cause this error. Any help is greatly appreciated. I'd rather figure this out now than have to deal with Splunk support after. Thanks Ron
Hello, I have a table with many columns. My requirement is for our users to scroll vertically to view the other columns while freezing the first 5-6 columns and headers (just as available in Excel). I read and tried this post: How to freeze first 3~4 columns in a table. I have a few questions/issues concerning that post.
1) Is the views path always the same, or does this need to be modified for my app file location?
#myTable div [data-view="views/shared/results_table/ResultsTableMaster"] td:nth-child(1) { position: fixed;
2) Only one column froze, and the headers scrolled off the dashboard when vertically scrolling.
Thanks in advance for your assistance. Teach a man to fish... God bless, Genesius
Hello, I am a novice at JavaScript and need to perform the following: apply tooltips to several fields in a dashboard table. I have seen various answers on combining the two fields into one and using a "|" to separate and hide the other field. While this does work, I have 2 issues with it.
1) As mentioned, I need to use this on more than a single cell. For example, the table will display the user's current email address. We need a tooltip that will display the original email they entered when they subscribed. The same requirement is needed for phone, address, and several other fields.
2) Because the above uses a hidden field and the "|", I need to remove those when the user downloads the table into a csv file. While I believe I could use post-processing, and tabs to control the running of searches to create the csv (still learning that one), I would like to know if there is a simpler way.
Also, as a novice JS user, what sites can you recommend so I can start writing and implementing my own JS in Splunk? Is all JS functionality available in Splunk? Is there a Splunk doc that instructs how to use JS? I'm checking out a how-to on JS and they use let and const. I see Splunk uses var amongst other syntax. Thanks in advance for any help you can provide. Teach a man to fish.... God bless, Genesius
I am trying to find the events that are taking place between March 1 2021 and September 1 2021. I was hoping someone could tell me where I am going wrong in my search.
| eval timestampDate=strptime(ScheduledStartDate, "%m/%d/%Y")
| eval project_start=strptime("03/01/2021", "%m/%d/%Y")
| eval project_end=strptime("09/01/2021", "%m/%d/%Y")
| eval formattedTimestamp = strftime(timestamp, "%Y-%m-%d")
| where timestampDate >= project_start AND timestampDate <= project_end
| table Country timestampDate
Hi. In Splunk I have logs that come from different sources and different events. For example, one type of event contains user information without a server name:
Logged-in user {'kind': 'user', 'name': 'XXXXXX', 'admin': False, 'groups': [], 'server': '/jhub-test/user/XXXXXX/', 'pending': None, 'created': '2020-12-27T03:29:41.850432Z', 'last_activity': '2021-01-16T05:18:16.822564Z', 'servers': None}
and others have the server IP in them.
So I need to construct a query where I can select the source based on a server IP search and then search for the specific action, for example user logon events.
So I want to write a query like this:
if source=* contain ip address when source="the actual source name which contain ip address" |search "*Logged*"
Hello community. I am not able to perform a sub-search between 2 sourcetypes. The 'drm' sourcetype has 5 million events and I need to sub-search a sourcetype with 2 million events (drm_tuser). I tried with the join and append commands followed by stats, but I am not able to accomplish this task. Here is an example; userId is a common field between the sourcetypes.
index="ott" sourcetype="drm"
| append [ search index=ott sourcetype=drm_tuser earliest=1]
| stats dc(sourcetype) as sourcetype values(retailerUserId) as retailerUserId values(bitrate) as bitrate by userId
Append uses a limit of 50k results in limits.conf, but I would not like to change limits.conf, so any other solution would be ideal. Thanks for help
Hi, I am trying to validate my app with App Inspect and I'm getting the following error. I have tried multiple solutions but couldn't get through.
Extract from App Inspect:
[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_inputs_conf_spec_stanzas_has_python_version_property
Modular input "cloudlock" is defined in README/inputs.conf.spec, python.version should be explicitly set to python3 under each stanza. File: README/inputs.conf.spec Line Number: 1
Modular input "cloudlock_health_check" is defined in README/inputs.conf.spec, python.version should be explicitly set to python3 under each stanza. File: README/inputs.conf.spec Line Number: 4
Modular input "destination_lists_health_check" is defined in README/inputs.conf.spec, python.version should be explicitly set to python3 under each stanza. File: README/inputs.conf.spec Line Number: 7
Modular input "investigate_health_check" is defined in README/inputs.conf.spec, python.version should be explicitly set to python3 under each stanza. File: README/inputs.conf.spec Line Number: 10
Following is my configuration in README/inputs.conf.spec:
[cloudlock://<name>]
Log_Level = INFO
[cloudlock_health_check://<name>]
Log_Level = INFO
[destination_lists_health_check://<name>]
Log_Level = INFO
[investigate_health_check://<name>]
Log_Level = INFO
Following is my configuration in input.conf:
[cloudlock://incidents]
disabled = 0
interval = 60
Log_Level = INFO
python.version = python3
[cloudlock_health_check://health_check_cloudlock_batch_job]
disabled = 0
interval = 600
Log_Level = INFO
python.version = python3
[destination_lists_health_check://health_check_destination_lists_batch_job]
disabled = 0
interval = 600
Log_Level = INFO
python.version = python3
[investigate_health_check://health_check_investigate_batch_job]
disabled = 0
interval = 600
Log_Level = INFO
python.version = python3
Please help me with a solution.
Note: I'm answering my own question here for posterity, as I'm sure others will want to find the answer. I haven't seen anyone provide a good solution to this question. Question: How does one calculate actual search concurrency usage and overlay it with maximum search concurrency? Answer to follow.
Hi, I am having a really hard time understanding the Splunk lookups process from your Splunk documentation. I have configured the Splunk lookups from an example csv file as per the steps given in the documentation, but I am not able to search or understand some aspects of it. I would really appreciate it if you could help me in this matter and get these doubts cleared so that I am able to search my data from the lookups I have configured. Many thanks!
I want to develop a JavaScript app on my Windows laptop that talks with the Splunk Enterprise instance on my laptop, and I am in search of help with configuring nginx for it to catch the /proxy calls.
I have a search like this:
index=my_index search=my_search | stats count as no_of_hosts by uptime
It gives me uptime of hosts present in our environment and no_of_hosts having that uptime. I would like a chart that gives me uptime in ranges of, say, 0-10 days, 11-20, 21-30 and so on (plotted on x axis) and no_of_hosts which falls within this uptime range (plotted on y axis). Something like this: How do I achieve that in Splunk?
Hi Experts, I have created a PowerShell Tool to generate Daily Performance SLA Calculation for Individual Business Transactions using AppDynamics REST API. I tried my best to add explanation of each code line. Hope it is helpful!

##It is PowerShell Code, marked it as Python to keep the indent as is##
#Prerequisites:
# 0) Make sure you have basic understanding of PowerShell and AppD REST API - It is no rocket science
# 1) PowerShell, Microsoft Excel (I tested it with Excel 2013)
#Instructions:
# 0) This tool automatically takes care of EPOCH time calculations. Calculations are done in
# 1) Make sure user name is followed by '@customer1' or relevant customer ID
# 2) It uses H:\ as default drive to save output excel, you can change it if required
# 3) This report is created to support 4 Business Transactions, using same user ID for authentication
# 4) Instructions to modify users is mentioned in script
# 5) If you need to add / remove BTs, please understand this script and do it manually
# 6) This report works in UTC - Coordinated Universal Time
# 7) Formula Used: Percentage Successful transactions = ((Sum of Calls - Sum of Errors) / Sum of Calls) * 100

#Clear Variable Cache (Without popping up errors on PowerShell Screen) - Start
Remove-Variable * -ErrorAction:Ignore
#Clear Variable Cache - Completed

#Custom Message (Optional) - Start
#Load the WPF assembly that provides System.Windows.MessageBox
Add-Type -AssemblyName PresentationFramework
[System.Windows.MessageBox]::Show(' Welcome to AppDynamics Performance Reporting!!
Program: Your Program Name
#This tool was created with a pre-defined set of Business transactions. You are NOT allowed to choose Business Transactions on the go.
#It will save all results in Excel.
#This report works only in UTC - Coordinated Universal Time.
Author: Sahil Gupta - SahiljGupta@gmail.com')
#Custom Message - Completed

#Check today's date - Start
$TodayDate = $(Get-Date)
#Check today's date - Completed

#Capture Start date (SD) - Date FROM which user needs report - Start
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$form = New-Object Windows.Forms.Form -Property @{
    StartPosition = [Windows.Forms.FormStartPosition]::CenterScreen
    Size = New-Object Drawing.Size 243, 230
    Text = 'Start Date'
    Topmost = $true
}
$calendar = New-Object Windows.Forms.MonthCalendar -Property @{
    ShowTodayCircle = $false
    MaxSelectionCount = 1
    MaxDate = $TodayDate
    #Max date is Today, so user cannot select future date - Comment
}
$form.Controls.Add($calendar)
$okButton = New-Object Windows.Forms.Button -Property @{
    Location = New-Object Drawing.Point 38, 165
    Size = New-Object Drawing.Size 75, 23
    Text = 'OK'
    DialogResult = [Windows.Forms.DialogResult]::OK
}
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)
$cancelButton = New-Object Windows.Forms.Button -Property @{
    Location = New-Object Drawing.Point 113, 165
    Size = New-Object Drawing.Size 75, 23
    Text = 'Cancel'
    DialogResult = [Windows.Forms.DialogResult]::Cancel
}
$form.CancelButton = $cancelButton
$form.Controls.Add($cancelButton)
$result = $form.ShowDialog()
if ($result -eq [Windows.Forms.DialogResult]::OK) {
    $date = $calendar.SelectionStart
    Write-Host "Date selected: $($date.ToShortDateString())"
}
else {Break} #Break if user select Cancel - Comment
$sd = $date
#Capture Start date (SD) - Date FROM which user needs report - Completed

#Capture End date (ED) - Date TILL which user needs report - started
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$form = New-Object Windows.Forms.Form -Property @{
    StartPosition = [Windows.Forms.FormStartPosition]::CenterScreen
    Size = New-Object Drawing.Size 243, 230
    Text = 'End Date'
    Topmost = $true
}
$calendar = New-Object Windows.Forms.MonthCalendar -Property @{
    ShowTodayCircle = $false
    MaxSelectionCount = 1
    MinDate = $sd
    MaxDate = $TodayDate
    #Min Date is equal to start date, So user cannot select end date lesser than start date - Comment
    #Max date is Today, so user cannot select future date - Comment
}
$form.Controls.Add($calendar)
$okButton = New-Object Windows.Forms.Button -Property @{
    Location = New-Object Drawing.Point 38, 165
    Size = New-Object Drawing.Size 75, 23
    Text = 'OK'
    DialogResult = [Windows.Forms.DialogResult]::OK
}
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)
$cancelButton = New-Object Windows.Forms.Button -Property @{
    Location = New-Object Drawing.Point 113, 165
    Size = New-Object Drawing.Size 75, 23
    Text = 'Cancel'
    DialogResult = [Windows.Forms.DialogResult]::Cancel
}
$form.CancelButton = $cancelButton
$form.Controls.Add($cancelButton)
$result = $form.ShowDialog()
if ($result -eq [Windows.Forms.DialogResult]::OK) {
    $date1 = $calendar.SelectionStart
    Write-Host "Date selected: $($date1.ToShortDateString())"
}
else {Break} #Break if user select Cancel - Comment
$ed = $date1
Start-Sleep -s 0
#Capture End date (ED) - Date TILL which user needs report - Completed

#Capture Credential - Started
#Make sure user name is followed by '@customer1'
$Credentials = Get-Credential -Credential $null
$user = $Credentials.UserName
$Credentials.Password | ConvertFrom-SecureString
$password = $Credentials.GetNetworkCredential().password
#Capture Credential - Completed

#Generate excel - file NAME - started
#You can change the name of Excel as required here
$ExcelName = ("AppDynamicsSLAreport_Created_" + $($TodayDate.ToShortDateString()) +"_" + (Get-Date -format HHmm) + "_StartDate_" + $($sd.ToShortDateString()) + "_EndDate_"+ $($ed.ToShortDateString()) + ".xlsx")
#Generate excel - file NAME - completed

#calculate no of days - no of times transaction to be run - diff between dates + 1
#Time Span - No of times this iteration will run is $ts - Start
$ts1 = New-TimeSpan -Start $sd -End $ed
$ts = 1 + $ts1.Days # Check results
#Time Span - No of times this iteration will run is $ts - Completed
Start-Sleep -s 0

#EPOCH Time Calculation - AppD REST APIs works in Epoch Time - Comment
$EpochDate = '1970-01-01' #Base Epoch Date - Comment
## Extra commands for future expansion
# $ts = New-TimeSpan -Start $EpochDate -End $sd
# $ts.TotalSeconds
#$EndDateEpoch = (New-TimeSpan -Start $EpochDate -End $sd).TotalSeconds

#Remove old TEMP Excel files - started
write-host ("Below listed files will be deleted now from H Drive")
write-host(Get-ChildItem H:\ | Where-Object Name -Like SahilTempExcelAppDReport.xlsx)
Remove-Item h:\SahilTempExcelAppDReport.xlsx -ErrorAction:Ignore
#Remove old Excel files - completed
Start-Sleep -s 0

#EXCEL Editing - Started
$excel = New-Object -ComObject excel.application
$excel.visible = $true
$workbook = $excel.Workbooks.Add()
$SGSpace= $workbook.Worksheets.Item(1)
$SGSpace.Name = "SahilAppDReport"
#Check and update the cell number FOR Application Name in excel sheet - started
$SGSpace.Cells.Item(1,1)= "AppDynamics Performance Report"
$SGSpace.Cells.Item(1,1).Interior.ColorIndex = 15
$SGSpace.Cells.Item(1,1).Font.Bold = $True
$SGSpace.Cells.Item(2,1)= "Business Transaction 1"
$SGSpace.Cells.Item(2,1).Interior.ColorIndex = 15
$SGSpace.Cells.Item(2,1).Font.Bold = $True
$SGSpace.Cells.Item(3,1)= "Business Transaction 2"
$SGSpace.Cells.Item(3,1).Interior.ColorIndex = 15
$SGSpace.Cells.Item(3,1).Font.Bold = $True
$SGSpace.Cells.Item(4,1)= "Business Transaction 3"
$SGSpace.Cells.Item(4,1).Interior.ColorIndex = 15
$SGSpace.Cells.Item(4,1).Font.Bold = $True
$SGSpace.Cells.Item(5,1)= "Business Transaction 4"
$SGSpace.Cells.Item(5,1).Interior.ColorIndex = 15
$SGSpace.Cells.Item(5,1).Font.Bold = $True
#Check and update the cell number FOR DATE in excel sheet - Completed
Start-Sleep -s 0

###################################################################
#Enough, calling REST API - FOR "Business Transaction 1" - Started
for (($i =0); $i -lt $ts; $i++)
{
    $StartDateEpoch = (New-TimeSpan -Start $EpochDate -End $sd).TotalMilliseconds + (86400000*$i) # Day wise calculation of start time - Epoch format - comment
    $EndDateEpoch = $StartDateEpoch + 86400000 # Day wise calculation of end time - Epoch format - comment
    #Call rest API for 'Sum of Calls' - started
    #Modify as per your environment - comment
    $controller = "controller.domain.com"
    $port = "443/8080"
    $protocol = "https/http"
    #In case you want to use dedicated user, please use below code - started
    #Do not forget to modify header as stated below
    #$account = "customer1"
    #$user = "AppD_username"
    #$password = "AppD123"
    #In case you want to use dedicated user, please use below code - completed
    #Modify as per your environment - comment
    $controllerEndpoint = "controller/rest/applications/ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
    $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
    $restURL
    $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
    #In case you want to use dedicated user, modify header as - started
    #$headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}@${account}:${password}"))}
    #In case you want to use dedicated user, modify header as - completed
    $response = Invoke-WebRequest -Uri $restURL -Headers $headers
    $response.content
    #Call rest API for 'Sum of Calls' - Completed
    #Capture 'Sum of Calls' from API response - started
    $response -match "<sum>(?<content>.*)</sum>"
    $SumofCalls = $matches['content']
    #Capture 'Sum of Calls' from API response - Completed
    #if 'Sum of Calls' is 0 or NonInteger, exit script. else powershell will try to divide by 0 - Start
    If ($SumofCalls -gt 0)
    {
        #Call rest API for 'Sum of Errors' - started
        $controllerEndpoint = "controller/rest/applications/SUM-Calls-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
        $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
        $restURL
        $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
        $response = Invoke-WebRequest -Uri $restURL -Headers $headers
        $response.content
        #Call rest API for 'Sum of Errors' - Completed
        #Capture 'Sum of Errors' from API response - started
        $response -match "<sum>(?<content1>.*)</sum>"
        $SumofErrors1 = $matches['content1']
        #Capture 'Sum of Errors' from API response - Completed
        #Avoid 0 or NonInteger SumofErrors - Started
        If ($SumofErrors1 -gt 0) { $SumofErrors = $SumofErrors1}
        else { $SumofErrors = 0 }
        #Avoid 0 or NonInteger SumofErrors - Completed
        #Calculate percentage successful transaction - started
        $PercentSuccessfulTransactions = [math]::Round(((($SumofCalls - $SumofErrors)*100)/$SumofCalls),2)
        #Calculate percentage successful transaction - Completed
        #Check background color of metric in excel - started
        #You can specify Accepted/agreed SLA here
        #I used 99.5 and above as Green (ColorIndex 50), anything below that will be RED (ColorIndex 3) - comment
        if ($PercentSuccessfulTransactions -lt 99.5) { $ColorIndex = 3 }
        else {$ColorIndex = 50}
        #Check background color of metric in excel - Completed
    }
    else #NonZero PercentSuccessfulTransactions, Else statement - started
    #If Sum of call returns 0, it will be marked as NA
    {
        $PercentSuccessfulTransactions = "NA"
        $ColorIndex = 16
    }
    #NonZero PercentSuccessfulTransactions, Else statement - started
    Write-Host ("Itration Number" + $i)
    Write-Host ("start date of itration $i - " + $StartDateEpoch)
    Write-Host ("End date of itration $i - " + $EndDateEpoch)
    Write-Host ("Sum of Calls of itration $i - " + $SumofCalls)
    Start-Sleep -s 0
    Write-Host ("Sum of Errors of itration of itration $i - " + $SumofErrors)
    Write-Host ("Percent Successful Transactions $i - " + $PercentSuccessfulTransactions)
    Write-Host ("Color Index of itration $i - " + $ColorIndex)
    #Check and update the cell number FOR DATE in excel sheet - started
    $CellNumberRow1 = $i +2
    $SGSpace.Cells.Item(1,$CellNumberRow1)= (($sd.AddDays(($i))).ToShortDateString())
    $SGSpace.Cells.Item(1,$CellNumberRow1).Interior.ColorIndex = 15
    $SGSpace.Cells.Item(1,$CellNumberRow1).Font.Bold = $True
    #Check and update the cell number FOR DATE in excel sheet - Completed
    #Check and update the cell number in excel sheet - started
    $CellNumber = $i +2
    $SGSpace.Cells.Item(2,$CellNumber)= $PercentSuccessfulTransactions
    $SGSpace.Cells.Item(2,$CellNumber).Interior.ColorIndex = $ColorIndex
    $SGSpace.Cells.Item(2,$CellNumber).Font.Color = 16777215
    #Check and update the cell number in excel sheet - Completed
    Start-Sleep -s 0
}
#Enough, calling REST API - FOR "Business Transaction 1" - Completed
###################################################################

###################################################################
#Enough, calling REST API - FOR "Business Transaction 2" - Started
for (($i =0); $i -lt $ts; $i++)
{
    $StartDateEpoch = (New-TimeSpan -Start $EpochDate -End $sd).TotalMilliseconds + (86400000*$i) # Day wise calculation of start time - Epoch format - comment
    $EndDateEpoch = $StartDateEpoch + 86400000 # Day wise calculation of end time - Epoch format - comment
    #Call rest API for 'Sum of Calls' - started
    $controller = "controller.domain.com"
    $port = "443/8080"
    $protocol = "https/http"
    $controllerEndpoint = "controller/rest/applications/SUM-Calls-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
    $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
    $restURL
    $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
    $response = Invoke-WebRequest -Uri $restURL -Headers $headers
    $response.content
    #Call rest API for 'Sum of Calls' - Completed
    #Capture 'Sum of Calls' from API response - started
    $response -match "<sum>(?<content>.*)</sum>"
    $SumofCalls = $matches['content']
    #Capture 'Sum of Calls' from API response - Completed
    #if 'Sum of Calls' is 0 or NonInteger, exit script. else powershell will try to divide by 0 - Start
    If ($SumofCalls -gt 0)
    {
        #Call rest API for 'Sum of Errors' - started
        $controllerEndpoint = "controller/rest/applications/SUM-ERROR-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
        $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
        $restURL
        $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
        $response = Invoke-WebRequest -Uri $restURL -Headers $headers
        $response.content
        #Call rest API for 'Sum of Errors' - Completed
        #Capture 'Sum of Errors' from API response - started
        $response -match "<sum>(?<content1>.*)</sum>"
        $SumofErrors1 = $matches['content1']
        #Capture 'Sum of Errors' from API response - Completed
        #Avoid 0 or NonInteger SumofErrors - Started
        If ($SumofErrors1 -gt 0) { $SumofErrors = $SumofErrors1}
        else { $SumofErrors = 0 }
        #Avoid 0 or NonInteger SumofErrors - Completed
        #Calculate percentage successful transaction - started
        $PercentSuccessfulTransactions = [math]::Round(((($SumofCalls - $SumofErrors)*100)/$SumofCalls),2)
        #Calculate percentage successful transaction - Completed
        #Check background color of metric in excel - started
        if ($PercentSuccessfulTransactions -lt 99.5) { $ColorIndex = 3 }
        else {$ColorIndex = 50}
        #Check background color of metric in excel - Completed
    }
    else #NonZero PercentSuccessfulTransactions, Else statement - started
    {
        $PercentSuccessfulTransactions = "NA"
        $ColorIndex = 16
    }
    #NonZero PercentSuccessfulTransactions, Else statement - started
    Write-Host ("Itration Number" + $i)
    Write-Host ("start date of itration $i - " + $StartDateEpoch)
    Write-Host ("End date of itration $i - " + $EndDateEpoch)
    Write-Host ("Sum of Calls of itration $i - " + $SumofCalls)
    Start-Sleep -s 0
    Write-Host ("Sum of Errors of itration $i - " + $SumofErrors)
    Write-Host ("Percent Successful Transactions $i - " + $PercentSuccessfulTransactions)
    Write-Host ("Color Index of itration $i - " + $ColorIndex)
    #Check and update the cell number FOR DATE in excel sheet - started (One Time activity - Already done for 1st BT)
    ##$CellNumberRow1 = $i +2
    ##$SGSpace.Cells.Item(1,$CellNumberRow1)= (($sd.AddDays(($i))).ToShortDateString())
    ##$SGSpace.Cells.Item(1,$CellNumberRow1).Interior.ColorIndex = 24
    ##$SGSpace.Cells.Item(1,$CellNumberRow1).Font.Bold = $True
    #Check and update the cell number FOR DATE in excel sheet - Completed (One Time activity - Already done for 1st BT)
    #Check and update the cell number in excel sheet - started
    $CellNumber = $i +2
    $SGSpace.Cells.Item(3,$CellNumber)= $PercentSuccessfulTransactions
    $SGSpace.Cells.Item(3,$CellNumber).Interior.ColorIndex = $ColorIndex
    $SGSpace.Cells.Item(3,$CellNumber).Font.Color = 16777215
    #Check and update the cell number in excel sheet - Completed
    Start-Sleep -s 0
}
#Enough, calling REST API - FOR "Business Transaction 2" - Completed
###############################################################################

###################################################################
#Enough, calling REST API - FOR "Business Transaction 3" - Started
for (($i =0); $i -lt $ts; $i++)
{
    $StartDateEpoch = (New-TimeSpan -Start $EpochDate -End $sd).TotalMilliseconds + (86400000*$i) # Day wise calculation of start time - Epoch format - comment
    $EndDateEpoch = $StartDateEpoch + 86400000 # Day wise calculation of end time - Epoch format - comment
    #Call rest API for 'Sum of Calls' - started
    $controller = "controller.domain.com"
    $port = "443/8080"
    $protocol = "https/http"
    $controllerEndpoint = "controller/rest/applications/SUM-Calls-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
    $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
    $restURL
    $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
    $response = Invoke-WebRequest -Uri $restURL -Headers $headers
    $response.content
    #Call rest API for 'Sum of Calls' - Completed
    #Capture 'Sum of Calls' from API response - started
    $response -match "<sum>(?<content>.*)</sum>"
    $SumofCalls = $matches['content']
    #Capture 'Sum of Calls' from API response - Completed
    #if 'Sum of Calls' is 0 or NonInteger, exit script. else powershell will try to divide by 0 - Start
    If ($SumofCalls -gt 0)
    {
        #Call rest API for 'Sum of Errors' - started
        $controllerEndpoint = "controller/rest/applications/SUM-ERROR-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
        $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
        $restURL
        $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
        $response = Invoke-WebRequest -Uri $restURL -Headers $headers
        $response.content
        #Call rest API for 'Sum of Errors' - Completed
        #Capture 'Sum of Errors' from API response - started
        $response -match "<sum>(?<content1>.*)</sum>"
        $SumofErrors1 = $matches['content1']
        #Capture 'Sum of Errors' from API response - Completed
        #Avoid 0 or NonInteger SumofErrors - Started
        If ($SumofErrors1 -gt 0) { $SumofErrors = $SumofErrors1}
        else { $SumofErrors = 0 }
        #Avoid 0 or NonInteger SumofErrors - Completed
        #Calculate percentage successful transaction - started
        $PercentSuccessfulTransactions = [math]::Round(((($SumofCalls - $SumofErrors)*100)/$SumofCalls),2)
        #Calculate percentage successful transaction - Completed
        #Check background color of metric in excel - started
        if ($PercentSuccessfulTransactions -lt 99.5) { $ColorIndex = 3 }
        else {$ColorIndex = 50}
        #Check background color of metric in excel - Completed
    }
    else #NonZero PercentSuccessfulTransactions, Else statement - started
    {
        $PercentSuccessfulTransactions = "NA"
        $ColorIndex = 16
    }
    #NonZero PercentSuccessfulTransactions, Else statement - started
    Write-Host ("Itration Number" + $i)
    Write-Host ("start date of itration $i - " + $StartDateEpoch)
    Write-Host ("End date of itration $i - " + $EndDateEpoch)
    Write-Host ("Sum of Calls of itration $i - " + $SumofCalls)
    Start-Sleep -s 0
    Write-Host ("Sum of Errors of itration $i - " + $SumofErrors)
    Write-Host ("Percent Successful Transactions $i - " + $PercentSuccessfulTransactions)
    Write-Host ("Color Index of itration $i - " + $ColorIndex)
    #Check and update the cell number FOR DATE in excel sheet - started (One Time activity - Already done for 1st BT)
    ##$CellNumberRow1 = $i +2
    ##$SGSpace.Cells.Item(1,$CellNumberRow1)= (($sd.AddDays(($i))).ToShortDateString())
    ##$SGSpace.Cells.Item(1,$CellNumberRow1).Interior.ColorIndex = 24
    ##$SGSpace.Cells.Item(1,$CellNumberRow1).Font.Bold = $True
    #Check and update the cell number FOR DATE in excel sheet - Completed (One Time activity - Already done for 1st BT)
    #Check and update the cell number in excel sheet - started
    $CellNumber = $i +2
    $SGSpace.Cells.Item(4,$CellNumber)= $PercentSuccessfulTransactions
    $SGSpace.Cells.Item(4,$CellNumber).Interior.ColorIndex = $ColorIndex
    $SGSpace.Cells.Item(4,$CellNumber).Font.Color = 16777215
    #Check and update the cell number in excel sheet - Completed
    Start-Sleep -s 0
}
#Enough, calling REST API - FOR "Business Transaction 3" - Completed
###############################################################################

###################################################################
#Enough, calling REST API - FOR "Business Transaction 4" - Started
for (($i =0); $i -lt $ts; $i++)
{
    $StartDateEpoch = (New-TimeSpan -Start $EpochDate -End $sd).TotalMilliseconds + (86400000*$i) # Day wise calculation of start time - Epoch format - comment
    $EndDateEpoch = $StartDateEpoch + 86400000 # Day wise calculation of end time - Epoch format - comment
    #Call rest API for 'Sum of Calls' - started
    $controller = "controller.domain.com"
    $port = "443/8080"
    $protocol = "https/http"
    $controllerEndpoint = "controller/rest/applications/SUM-Calls-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch"
    $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}"
    $restURL
    $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))}
    $response = Invoke-WebRequest -Uri $restURL -Headers $headers
    $response.content
    #Call rest API for 'Sum of Calls' - Completed
    #Capture 'Sum of Calls' from API response - started
    $response -match "<sum>(?<content>.*)</sum>"
    $SumofCalls = $matches['content']
    #Capture 'Sum of Calls' from API response - Completed
    #if 'Sum of Calls' is 0 or NonInteger, exit script.
else powershell will try to divde by 0 - Start If ($SumofCalls -gt 0) { #Call rest API for 'Sum of Errors' - started $controllerEndpoint = "controller/rest/applications/SUM-ERROR-PER-MIN-ENDPOINT/&time-range-type=BETWEEN_TIMES&start-time=$StartDateEpoch&end-time=$EndDateEpoch" $restURL = "${protocol}://${controller}:${port}/${controllerEndpoint}" $restURL $headers = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${password}"))} $response = Invoke-WebRequest -Uri $restURL -Headers $headers $response.content #Call rest API for 'Sum of Errors' - Completed #Capture 'Sum of Errors' from API response - started $response -match "<sum>(?<content1>.*)</sum>" $SumofErrors1 = $matches['content1'] #Capture 'Sum of Errors' from API response - Completed #Avoid 0 or NonInteger SumofErrors - Started If ($SumofErrors1 -gt 0) { $SumofErrors = $SumofErrors1} else { $SumofErrors = 0 } #Avoid 0 or NonInteger SumofErrors - Completed #Calculate percentage successfull transaction - started $PercentSuccessfulTransactions = [math]::Round(((($SumofCalls - $SumofErrors)*100)/$SumofCalls),2) #Calculate percentage successfull transaction - Completed #Check background color of metric in excel - started if ($PercentSuccessfulTransactions -lt 99.5) { $ColorIndex = 3 } else {$ColorIndex = 50} #Check background color of metric in excel - Completed } else #NonZero PercentSuccessfulTransactions, Else statement - started { $PercentSuccessfulTransactions = "NA" $ColorIndex = 16 } #NonZero PercentSuccessfulTransactions, Else statement - started Write-Host ("Itration Number" + $i) Write-Host ("start date of itration $i - " + $StartDateEpoch) Write-Host ("End date of itration $i - " + $EndDateEpoch) Write-Host ("Sum of Calls of itration $i - " + $SumofCalls) Start-Sleep -s 0 Write-Host ("Sum of Errors of itration $i - " + $SumofErrors) Write-Host ("Percent Successful Transactions $i - " + $PercentSuccessfulTransactions) Write-Host ("Color Index of itration 
$i - " + $ColorIndex) #Check and update the cell number FOR DATE in excel sheet - started (One Time activity - Already done for 1st BT) ##$CellNumberRow1 = $i +2 ##$SGSpace.Cells.Item(1,$CellNumberRow1)= (($sd.AddDays(($i))).ToShortDateString()) ##$SGSpace.Cells.Item(1,$CellNumberRow1).Interior.ColorIndex = 24 ##$SGSpace.Cells.Item(1,$CellNumberRow1).Font.Bold = $True #Check and update the cell number FOR DATE in excel sheet - Completed (One Time activity - Already done for 1st BT) #Check and update the cell number in excel sheet - started $CellNumber = $i +2 $SGSpace.Cells.Item(5,$CellNumber)= $PercentSuccessfulTransactions $SGSpace.Cells.Item(5,$CellNumber).Interior.ColorIndex = $ColorIndex $SGSpace.Cells.Item(5,$CellNumber).Font.Color = 16777215 $selection = $SGSpace.usedRange #Check and update the cell number in excel sheet - Completed Start-Sleep -s 0 } #Enough, calling REST API - FOR "Business Transaction 4" - Completed ############################################################################### #Allignment and border - started $selection = $SGSpace.usedRange $selection.select() $selection.HorizontalAlignment = -4108 #center $selection.Borders.LineStyle = 1 $selection = $SGSpace.range("A2:A5") $selection.select() $selection.HorizontalAlignment = -4131 #Left $SGSpace.application.activewindow.splitcolumn = 1 $SGSpace.application.activewindow.freezepanes = $true #Allignment and border - completed # Save updated Excel Sheet - comment $workbook.SaveAs('h:\SahilTempExcelAppDReport.xlsx') $excel.Quit() Start-Sleep -s 1 Rename-Item -path "h:\SahilTempExcelAppDReport.xlsx" -NewName ($ExcelName) -Force #EXCEL Editing - completed Start-Sleep -s 1 [System.Windows.MessageBox]::Show(" Your Report is ready!! File Location: H:\'$ExcelName' Sahil Gupta - SahiljGupta@gmail.com")
Hi, sometimes my server takes time to load the dashboard, although I checked the Splunk query search duration, which was normal. So I am assuming that it might be due to a network issue, but I want to confirm it by checking the response time of the SPL query. So how can I get the response time? Is it present in any internal logs? Thanks,
Hello, my question is how to combine the same values into one when they are getting differentiated by another field.
Example: if I do stats by ReqId, it gives me 1 as the count:
stats count(Result=Pass) as Pass by ReqId, Feature set ,domain, test type, asil
It gives this output:
ReqID Feature set Domain test type asil verdict Date Total Pass conducted Passed Fail
5.7.1.2.2.8   SW V&V System Test SW Module/Unit Test B PARTIAL PASS Tue 10 Nov 2020 10:30:00 5 3 3 0
If I add the verified column to the same search:
stats count(Result=Pass) as Pass by ReqId, Feature set, domain, test type, asil ,verified
the output is:
ReqId Feature set Domain Test type Asil Verified verdict date Total Conducted Passed
5.7.1.2.2.8   SW V&V System Test SW Module/Unit Test B   PARTIAL PASS   2 0 0
R: 5.7.1.2.2.8   SW V&V System Test SW Module/Unit Test B RC01 PASS Tue 10 Nov 2020 10:30:00 3 3 3
Now, even when I add verified, it should be displayed with a single ReqId. Please help me out with this issue. Thank you in advance, Renuka
Hi, I create a dashboard which contains splunk 2 inputs and 2 html inputs :
1- the two html calendar inputs are not aligned to the splunk inputs : how can I do that ?
2- how to clean the two html calendar after selected values ?
Here is the code :
<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="application_tok" searchWhenChanged="true">
    <label>Application</label>
    <fieldForLabel>app</fieldForLabel>
    <fieldForValue>app</fieldForValue>
    <search>
      <query>index=A sourcetype="B" | fields app | dedup app | sort app</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <change>
      <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
        <set token="tokTextFilter">$value$</set>
      </condition>
    </change>
  </input>
  <input type="dropdown" token="environment_tok" searchWhenChanged="true">
    <label>Environment</label>
    <fieldForLabel>env</fieldForLabel>
    <fieldForValue>env</fieldForValue>
    <search>
      <query>index=A sourcetype="B" | search app=$application_tok$ | fields env | dedup env | sort env</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <change>
      <condition match="isnotnull($value$) AND $value$!=&quot;&quot;">
        <set token="tokTextFilter">$value$</set>
      </condition>
    </change>
  </input>
  <html>
    <div class="dateContainer">
      <div class="dateInput">
        <label>From :</label>
        <input id="start" type="datetime-local"/>
        <label>To :</label>
        <input id="end" type="datetime-local"/>
      </div>
    </div>
  </html>
</fieldset>
here is my xml search code :
<row>
  <panel>
    <title>All token</title>
    <table>
      <search>
        <done>
          <unset token="form.start"></unset>
          <unset token="form.end"></unset>
          <unset token="form.application_tok"></unset>
          <unset token="form.environment_tok"></unset>
        </done>
        <query>| makeresults | eval Application="$application_tok$", Environment="$environment_tok$", Start="$start$", End="$end$" | fields - _time | table Application Environment Start End</query>
        <earliest>-10m</earliest>
        <latest></latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">100</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.auto.interval">60</option>
      <option name="refresh.display">preview</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
Thanks for your help !
Hi, I have a batch index with the following configuration:
[batch://path/to/files]
move_policy = sinkhole
index = maindata
If there are .csv files in the folder "files", they are indexed within seconds. But if the folder contains a .tar.gz archive with a CSV file inside, it is indexed only after restarting Splunk. How can I index the archive as quickly as the .csv files? Thanks.