I followed the coding snippets at https://docs.appdynamics.com/display/PRO45/Java+Agent+API+User+Guide for marking business transactions, and they don't show up in the BT list for the application. With basic code:

public String checkout(List<ItemOrders> orders) {
    try (Transaction transaction = AppdynamicsAgent.startTransaction("Checkout", null, EntryTypes.POJO, false)) {
        /*******************
         * Method Body Here
         *******************/
    }
}

I also reviewed https://community.appdynamics.com/t5/Knowledge-Base/Why-aren-t-business-transactions-appearing-in-the-Business/ta-p/13973#SeeBusinessTransactions but that page doesn't address API-created transactions. Any pointers on how this can be debugged?
Hello Splunkers,
Problem statement: When I click on the HTML validate button in my dashboard, I can see a hidden panel getting populated as expected. But that panel does not show any values; on the contrary, it shows "Search is waiting for input...". I have also added a checkbox to hide the panel again, and when I tried to do the same and then clicked the validate button again (2nd click), strangely I can see all the values getting populated in that panel. The first time no values, and when I unhide and click my button again, then I can see all the values in my panel.
Resolution steps taken:
1) I tried to print all the tokens on that panel which I am trying to use; they can be seen getting populated, and despite that the panel is waiting for some kind of input/token.
2) Also, I tried to find out if I am using any values starting with the $ (dollar) sign, which I am not.
The highlighted ones are the tokens which I am using in my dashboard and can be seen as visible, but still the panel is waiting for some inputs. Once I click the checkbox and then click the validate button again, I can see all the values getting populated in the panel.
Also adding source code in the comments for further details. Any suggestion would be very much appreciated, and thanks a lot in advance.
I have a saved search and need to check, for each hour, whether the search was executed according to the cron configuration. Expected result:

Savedsearch Name | Cron config | Number of times executed | Search
Sav1 | */5 * * * * | 12 | Search ran all 12 times
Sav2 | */10 * * * * | 6 | Search skipped at 5 run
Hi All, @renjith_nair
I'm working on a requirement to create a Splunk alert which triggers/creates an incident in the ServiceNow portal. I want the alert to create multiple incidents, one for each result.
My findings: The alert creates a single incident with multiple events, one for each result, in ServiceNow.
Requirement: The alert should be able to create an incident for each result in ServiceNow.
How can this be achieved?
Hello Splunkees,
I am setting up a Splunk Cloud account. I started a trial account and started to add all the data ingestion accounts, and all was going well, but yesterday night I started to check how to do SSO with Azure AD. It was failing because the ACS was not connecting properly. As it was late, I checked whether I could connect with the direct link, as suggested on the SSO config page in case I was locked out. I copied the URL to a safe place and tested a couple of times to be sure it was working, and it was all OK. But this morning I have an issue where, when I enter the username and password correctly, it shows an error message that says "Server error" (see screenshot below).
As this is Splunk Cloud, I have no access to the server to diagnose further. I tried to call customer support but they had no agents available; as suggested on the phone line, I left a message, but I would appreciate any help from the community. Thank you
Morning Team,
I'm currently looking at trying to convert what I think is 10-digit Unix/epoch time into a human-readable format but struggling to find the right syntax. "timestamp" field values:
1561012289
1561012304
1561012315
1609193962
Any assistance would be appreciated; happy to provide more info if needed!
Hello Splunk community,
I need to do one prediction for two different time ranges with different spans in one report. The objective is to alert on the prediction of the rate of messages:
1- from 5 am to 10 pm (span=10 min) and
2- from 10 pm to 5 am (span=20 min).
It may be really easy, but as I'm new to Splunk, I couldn't find a proper way to do it. My base query is:

| tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"
| predict "Server msg rate" as prediction algorithm=LLP5 holdback=0 future_timespan=0 period=1008 upper75=upper75 lower75=lower75
| `forecastviz(24, 0, "Server msg rate", 75)`
| eval isOutlier = if(prediction!="" AND 'Server msg rate' != "" AND ('Server msg rate' < 'lower75(prediction)' OR 'Server msg rate' > 'upper75(prediction)'), 1, 0)
| where isOutlier=1
| table _time, isOutlier
I have a table in my dashboard which displays a large amount of data and has drilldowns which activate other table results. I want either to highlight the selected row or change its background color using only Simple XML, as I don't have access to change or add the JS file. Or, is there a way to add .js code in the Simple XML itself? Any leads would be helpful.
Hi all, I am new to Splunk and I need to create a search which will show that the end event didn't occur within 15 min of the start event. Please help me.
This is the start event:
[Information] Downtime start:16/12/2020 18:13:07.043
And this one shows the end of the above one:
[Information] Downtime start:16/12/2020 18:13:07.043, end:17/12/2020 08:09:57.505
I would like to check whether the duration from the start event exceeded 15 min before the end event occurred. Thank you very much
Good morning, I am fairly new to Splunk. I am getting data from databases and am trying to use the time range filter option to filter the timings based on the user, but it doesn't filter the data based on the time range input I give; instead it always shows the total time covered in the tables. I am running a query like this:
| dbxquery query=""
Can anyone help me? Is there any solution to filter the time which is coming from external databases through the time option using a token?
Hi Everyone, I have one requirement. We have over 100 dashboards built for our app. Our team spends a lot of time monitoring the availability and accuracy of these dashboards. I want to see the list of users who are visiting the dashboards, with the count. I am using the below query:

index=_internal sourcetype=splunkd_ui_access EPSF_Infrastructure NOT splunkd user!="-"
| rex field=uri "^/[^/]+/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"
| search NOT dashboard IN (alert alerts dashboards dataset datasets data_lab home lookup_edit reports report search splunk)
| stats count by app dashboard user

EPSF_Infrastructure is my app name. The issue I am facing is: I am not getting all the users who are visiting the dashboards. Do I need to extract the users? Can someone guide me on this?
How to reduce the index size of the KV store and summary DB on the server?
How can I search only the matching fields after a lookup? For example:

index="idx_mem_mng" sourcetype="type:mem_mng:apptc_detect_error"
| where error_count > 2 and error_type != ""
| lookup MEMORY_MANAGEMENT_APPTC_TEST_CASE.csv id as id_test_case output testcase, process
| lookup MEMORY_MANAGEMENT_APPTC_DAILY_INFO.csv id as id_daily_info output version
| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203
| mvcombine delim="," version
| sort -version
| stats list(version) as COLUMN delim="," by testcase, process
| nomv COLUMN
| table testcase, process, COLUMN

I want to replace
| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203
by
| search version=$vers$
where $vers$ is a multiple-value input (ex. vers = 20201211 OR 20201207 OR 20201204 OR 20201203). When I replace it, it doesn't work. Any help please? Thank you for your time!
Given this search for the TcpOutputProc:

index=_internal source=*splunkd.log component=TcpOutputProc | fields _raw | head 5

What do the fields pset and reuse stand for?

12-29-2020 02:35:22.998 +0000 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997, pset=0, reuse=0. using ACK.
12-29-2020 02:35:22.989 +0000 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997, pset=0, reuse=0. using ACK.
12-29-2020 02:35:22.987 +0000 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997, pset=0, reuse=0. using ACK.
12-29-2020 02:35:22.981 +0000 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997, pset=0, reuse=0. using ACK.
12-29-2020 02:35:22.976 +0000 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997, pset=0, reuse=0. using ACK.
I was under the impression that port 8089 is used to manage the apps on your endpoints using Settings > Forwarder Management. This is what happens when I try to restart the Splunk forwarder:

./splunk restart
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable.
Pid file "/opt/splunkforwarder/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Splunk> Like an F-18, bro.
Checking prerequisites...
Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
Checking mgmt port [8089]: Cannot initialize: /opt/splunkforwarder/etc/apps/learned/metadata/local.meta: Permission denied
not available
ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]: n
Exiting....

I am currently testing with one of the Linux servers. I have my "deploymentclient.conf" file in splunkforwarder/etc/system/local/ and it is set to port 8089. My main server is a single on-prem deployment. I am not sure what I am doing wrong. I tried to mimic the setup of my Windows servers because they have a "deploymentclient.conf" file in their splunkforwarder/etc/system/local directory.
I have a vendor that will provide an API token so I can retrieve SIEM event data. There is no add-on available for this vendor that I can find. I will also want to make this data available to Splunk Enterprise Security. The data will be available from the vendor using a path like this:
https://siem.vendor.com/authapi/api/siem
The event data is intended to be used with a SIEM, so it will be in fields like this:
event_id=message source=threat ip=127.0.0.1
I'm assuming I will need to create an add-on, but I have not done this before. Or is this a use case for the HTTP Event Collector?
All, I am reviewing my data ingestion health and I see the following error:

Breaking event because limit of 256 has been exceeded
Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only.

sourcetype=package. It seems to be impacting about 20 of my hosts. My props.conf on my indexer has the following customizations for this sourcetype; otherwise it's the default Splunk_TA_nix 8.2x config that came with it.

[package]
TRUNCATE = 0
MAX_EVENTS = 512

The resulting props.conf via btool on my indexer is:

[package]
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = CURRENT
DEPTH_LIMIT = 1000
HEADER_MODE =
KV_MODE = multi
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER = ^((?!))$
LINE_BREAKER_LOOKBEHIND = 100
MATCH_LIMIT = 100000
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 512
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = false
TRANSFORMS =
TRUNCATE = 0
detect_trailing_nulls = false
maxDist = 100
priority =
sourcetype =

Any idea why I am getting errors concerning MAX_EVENTS and how I can resolve that?
Attempting to locate the free class "7.x Splunk Fundamentals" I registered for.
Hi all, I get a java.lang.VerifyError running the Java service with the AppDynamics agent.

Constructor threw exception; nested exception is java.lang.VerifyError: Expecting a stackmap frame at branch target 190
Exception Details:
  Location:
    com/.../TCPConnectImpl.<init>()V @165: ifnull
  Reason:
    Expected stackmap frame at this location.
  Bytecode:
    0x0000000: 013a 0701 3a08 013a 092a b700 1110 06bd
    0x0000010: 0085 5903 2b53 5904 1cb8 0087 5359 052d
    ...
    0x00001a0: 1304 1919 0813 041b 1304 1c19 0919 0719
    0x00001b0: 0db8 042a bf
  Exception Handler Table:
    bci [208, 216] => handler: 219
    bci [259, 264] => handler: 267
    bci [321, 410] => handler: 410
  Stackmap Table:
    full_frame(@410,{Object[#368],Object[#776],Integer,Object[#370],Integer,Object[#569],Object[#603],Object[#133],Object[#368],Object[#1068]},{Object[#428]})

The command I used looks like the following:
java -javaagent:/opt/appdyn/javaagent/current/javaagent.jar -jar app.jar
Could you please advise why AppDynamics instrumentation can cause this error? Is there any way to avoid this error (possibly excluding this particular TCPConnectImpl class from instrumentation)?