All Topics


Other than poor speed and performance, is there a reason why the map command is considered dangerous? The official documentation says that the map command can result in data loss or potential security risks. But I don't see any details. Why? https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map
Hi All, I am able to see only 4 statuses. Why am I not able to see status=skipped and status=continued?
The index is appearing in the indexer cluster dashboard on the cluster master, but when I try to search it using the Search Head I can't find any data. I looked at splunkd on one of the indexers and it appears to be working fine. Should I do a restart or something, or do I need to change anything?
Hi, I want to extract this line from an event:

    RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy;
Hi, I am trying to configure AWS Lambda running in Node.js in AppD. I have subscribed to the Serverless APM for AWS Lambda subscription. The Node.js version is 20.x. We selected a Lambda function and added a layer, then added environment variables via the console. After adding the variables the Lambda is executed, but the application is not reporting in the AppDynamics controller. What could be the reason? Is there any additional instrumentation required? Also, please confirm the ARN version to be used (the function is hosted in us-east-1), and confirm whether the runtime is compatible with Node.js 20.
Hello members, I have a clustered environment. I created an index on the HF and data inputs to receive syslog. I created the same index inside indexers.conf on the cluster master, then pushed the configuration. The index does not appear in the indexer cluster on the CM and is not searchable. I tried using btool on each indexer, and my indexer appears among the loaded indexers. So what is the problem?
    Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 7: master_uri (value: https://<address>:8089).
    Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 8: pass4SymmKey (value: ***************************************).
    Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 9: multisite (value: true)
I have sample data pushed to Splunk as below. Help me with a Splunk query where I want only unique server names with the final status as the second column. Compare both horizontally & vertically for each server's second column status. The condition is: if any of the second column values is No for that server, then consider No as the final status for that server; if all the second column values are Yes for a server, then consider that server's final status as Yes.

sample.csv:

    ServerName, Status, Department, Company, Location
    Server1,Yes,Government,DRDO,Bangalore
    Server1,No,Government,DRDO,Bangalore
    Server1,Yes,Government,DRDO,Bangalore
    Server2,No,Private,TCS,Chennai
    Server2,No,Private,TCS,Chennai
    Server3,Yes,Private,Infosys,Bangalore
    Server3,Yes,Private,Infosys,Bangalore
    Server4,Yes,Private,Tech Mahindra,Pune
    Server5,No,Government,IncomeTax India, Mumbai
    Server6,Yes,Private,Microsoft,Hyderabad
    Server6,No,Private,Microsoft,Hyderabad
    Server6,Yes,Private,Microsoft,Hyderabad
    Server6,No,Private,Microsoft,Hyderabad
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore

Note: The Department, Location & Company are the same for any given server. Only the server status differs for each row of the server.

I already have a query to get the Final Status for a server. The query below gives me the unique Final Status count of each server.

    | eval FinalStatus = if(Status="Yes", 1, 0)
    | eventstats min(FinalStatus) as FinalStatus by ServerName
    | stats min(FinalStatus) as FinalStatus by ServerName
    | eval FinalStatus = if(FinalStatus=1, "Yes", "No")
    | stats count(FinalStatus) as ServerStatus

But what I want is this: I have 3 dropdowns at the top of the classic dashboard:

1. Department
2. Company
3. Location

Whenever I select a Department, Company or Location from any of the dropdowns, I need to get the Final Status count of each server based on any of the field searches. For example, if Bangalore is selected from the Location dropdown, I need to get the final status count for the servers. If I search a Company, DRDO, from the dropdown, I should be able to get the final status count for servers based on company.

I think it's like

    | search department="$department$" Company="$Company$" Location="$Location$"

Please help with the Splunk query.
Hello, I am getting a field port in an event: ports="['22', '68', '6556']". How can I display them in separate rows?
 
I have a deployment where 2 HFs are acting as DS, and they are both connected to the MC for licensing at port 8089. In HF 1 I tried to connect some Deployment Clients (DC) and they were successfully connected to the HF. In HF 2 I tried the same method, but the DCs are connecting to the Monitoring Console instead of the DS. Why is this behaviour happening?
I would like to calculate the success rate of the Toup transaction via Channel (APP or Web) in 4 API calls (e.g. 4 levels: the request is submitted at level 1, which does the validation and passes it on to level 2; level 2 then does business validation and passes the transaction to the next level, and so on). A few transactions may fail at level 1/2/3/4. The channel method will be available only in Level 1, not in the other levels. Transaction ID is the only field common to all the levels. If I apply a filter on Channel, the output is only the list of transactions in Level 1, since the Channel field is available in level 1.

1. If I apply a filter on the Web/APP Channel, I should get the list of transaction IDs for the respective channel.
2. Taking the transaction IDs as input, it should validate the status of the transaction at each level (2/3/4).

Note: In levels 2/3/4 the log has both App and Web logs; they need to be differentiated based only on the transaction ID from level 1. Https status: 200 (Success); 500 (Failure)
Hello, As an admin, I deleted a user in Splunk Web, but when I try to add a user during an investigation, I still see the deleted user in the list. Why is this happening? Is there a conflict between deleting users in Splunk Enterprise and Splunk ES?  
We have recently tried installing the Machine Agent on an Azure Linux machine, using the Linux ZIP bundle: Linux Install Using ZIP with Bundled JRE (appdynamics.com). Installation is successful, and the AppD Machine Agent service is running and active at the OS end, but we noticed that the registration request failed:

    yyyyyyyy000==> [system-thread-0] 29 Aug 2024 16:33:08,128 INFO ApacheClientImpl - Sending registration request: POST https://xxxxxxx.saas.appdynamics.com:443/controller/sim/v2/agent/machines HTTP/1.1
    yyyyyyyy000==> [system-thread-0] 29 Aug 2024 16:33:08,193 ERROR ManagedHttpClient - Request failed with exception javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

From the server, we are able to reach the SaaS endpoint without any proxy, the default SSL-enabled settings are activated, and no certificates were manually imported on either side. Any direction on this issue, please?
Hi, I want to ingest data from Cisco IPS into Splunk. Can the following add-on (https://splunkbase.splunk.com/app/1903) still be used, and how do I configure it? Thank you.
I have sample data pushed to Splunk as below. Help me with a Splunk query where I want only unique server names with the final status as the second column. Compare both horizontally & vertically for each server's second column status: if any of the second column values is No for that server, then consider No as the final status for that server; if all the second column values are Yes for a server, then consider that server's final status as Yes.

sample.csv:

    ServerName,Status,Department,Company,Location
    Server1,Yes,Government,DRDO,Bangalore
    Server1,No,Government,DRDO,Bangalore
    Server1,Yes,Government,DRDO,Bangalore
    Server2,No,Private,TCS,Chennai
    Server2,No,Private,TCS,Chennai
    Server3,Yes,Private,Infosys,Bangalore
    Server3,Yes,Private,Infosys,Bangalore
    Server4,Yes,Private,Tech Mahindra,Pune
    Server5,No,Government,IncomeTax India, Mumbai
    Server6,Yes,Private,Microsoft,Hyderabad
    Server6,No,Private,Microsoft,Hyderabad
    Server6,Yes,Private,Microsoft,Hyderabad
    Server6,No,Private,Microsoft,Hyderabad
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server7,Yes,Government,GST Council,Delhi
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore
    Server8,No,Private,Apple,Bangalore

Output should look similar to below:

    ServerName,FinalStatus
    Server1,No
    Server2,No
    Server3,Yes
    Server4,Yes
    Server5,No
    Server6,No
    Server7,Yes
    Server8,No

The Status count of any server should show based on a search of any of the fields Department, Company, Location. The Department, Company, Location values won't change for any given server. Only the status value will change.

I already have a query to get the output. The query below gives me the unique status of each server.

    | eval FinalStatus = if(Status="Yes", 1, 0)
    | eventstats min(FinalStatus) as FinalStatus by ServerName
    | stats min(FinalStatus) as FinalStatus by ServerName
    | eval FinalStatus = if(FinalStatus=1, "Yes", "No")
    | table ServerName, FinalStatus

But what I want is, whenever I search a Department, Company or Location, I need to get the Final Status count of each server based on these field searches. For example, based on a Location search, I need to get the final status count for the servers. If I search a Company, I should be able to get the final status count for servers based on company.

I think it's like

    | search department="$department$" Company="$Company$" Location="$Location$"

Please help with the Splunk query.
How can I always hide a panel unconditionally? (f.i. a basic search panel)
Hi Splunk Experts, I've been trying to group "WARN" logs, but they have a pattern (dynamic/argument values) in them. I'm aware of rex, but I don't want to manually rex for 1000s of such different events. I've even tried cluster, but that doesn't suit my use case well. Any assistance would be much appreciated! Thanks in advance.

    2024-08-31 12:34:56 WARN ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
    2024-08-31 12:34:56 WARN ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
    2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
    2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252’.
    2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
    2024-08-31 13:45:10 WARN MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
    2024-08-31 13:45:10 WARN MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
    2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.

I wish to group them something like below, to group similar events:

    WARN  ConfigurationLoader  Deprecated configuration detected in path. Please update your settings to use the latest configuration options  2
    WARN  QueryExecutor  Query execution time exceeded the threshold: . Query:  4
    WARN  MemoryMonitor  High memory usage detected: of allocated memory is in use. Consider increasing the available memory.  2
Hi All, Can anybody help us with the regex expression to extract the field Channel? Values will be either APP or Web, which was highlighted in the sample logs below.

Sample Log1:

    \\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},

Sample Log2:

    4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}
Java version

    openjdk 21-ea 2023-09-19
    OpenJDK Runtime Environment (build 21-ea+23-1988)
    OpenJDK 64-Bit Server VM (build 21-ea+23-1988, mixed mode, sharing)

Startup flags

    java -Dappdynamics.jvm.shutdown.mark.node.as.historical=true -Dappdynamics.agent.log4j2.disabled=true -javaagent:/appdynamics/javaagent.jar

From what I understand this version of the agent should work with openjdk21, but please correct me if I'm wrong. Any suggestions on what I can do to get this to start up? At startup I see the log below, which to me means the agent can't start up because of an incompatible Java version.

    Class with name [com.ibm.lang.management.internal.ExtendedOperatingSystemMXBeanImpl] is not available in classpath, so will ignore export access.
    java.lang.ClassNotFoundException: Unable to load class io.opentelemetry.sdk.autoconfigure.spi.ResourceProvider
        at com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader.findClass(Post19AgentClassLoader.java:88)
        at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClassInternal(AgentClassLoader.java:456)
        at com.singularity.ee.agent.appagent.kernel.classloader.Post17AgentClassLoader.loadClassParentLast(Post17AgentClassLoader.java:81)
        at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:354)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:497)
        at java.base/java.lang.Class.forName(Class.java:476)
        at com.singularity.ee.agent.appagent.AgentEntryPoint.createJava9Module(AgentEntryPoint.java:800)
        at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:639)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:578)
        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:491)
        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:503)
    [AD Agent init] Fri Aug 30 20:35:48 UTC 2024[DEBUG]: JavaAgent - Setting AgentClassLoader as Context ClassLoader
    [AD Agent init] Fri Aug 30 20:35:48 UTC 2024[DEBUG]: JavaAgent - Setting AgentClassLoader as Context ClassLoader
    java.lang.IllegalArgumentException: Unsupported class file major version 65
        at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:199)
        at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:180)
        at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
        at com.appdynamics.appagent/com.singularity.ee.agent.appagent.services.bciengine.asm.PreTransformer.preTransform(PreTransformer.java:49)
        at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.preloadAgentClassesForDeadlockProneJVM(JavaAgent.java:656)
        at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:404)
        at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:347)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:578)
        at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:656)