All Topics

Hello, I just want to know, before creating an alert, how to find the keywords that will compose your alert. Please answer with an example. Thank you so much.
Hello, the Apache agent was configured, and when trying to run ./install.sh or httpd -t -D DUMP_INCLUDES we get the below error. Has anyone had this before?

httpd: could not open configuration file /scratch/syseng/workspace/Apache.../apache/stage/install/conf/httpd.conf: no such file or directory

(btw, there is no scratch file system at all)
Hi all! I'm currently trying to create an RDP session analysis dashboard. I'm using sysmon eventlogs, specifically Event-ID "3", to create an SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that exist in the Windows domain.

index=windows source=sysmon DestinationPort=3389 EventCode=3 Image!="C:\Program Files\RANDOMAPP*"
| rename User as SourceUser
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE" SourceUser!="NT-AUTHORITY\Network Service" SourceUser!="NT-AUTHORITY\SYSTEM"
| stats count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort - count

Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events. Why is this happening and how can I prevent it from appearing in the "User" field?

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?

User!=Windows\* User!="Program Files*"

Also, if you check the events, you can see 2 events being displayed for "User". Sorry for the bazillion questions, but I'm starting to get a bit frustrated here. Thanks in advance for your help and have a great day!
Hello Splunkers, I'm new to Splunk and I'm stuck; I'm getting more data than I'm supposed to. Users are showing up when they shouldn't, and vice versa. The purpose of the query is to determine which users are accessing the bastion with tag=1 from the "index2" index. However, there's no information on the users. That's why I'm fetching user data from the "index1" index by performing a join on the IP address. The ultimate goal is to display the results in the following format: Users - IP - _time. It's important to note that IP addresses are dynamic.

When I run this command, it returns 1000 lines:

index="index2" tag=1 | table srcip, _time

However, when I run this command, I get a lot more (11000), even though I'm supposed to have the same number, since I'm just fetching users from the other index and I'm not supposed to have any additional lines:

index="index1"
| search Users=* AND IP=*
| fields Users, IP, _time
| where NOT match(Users, "^AAA-[0-9]{5}$")
| eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP)
| eval ip=IP
| table Users, ip, _time
| join type=inner ip
    [ search index="index2" tag=1 | fields srcip, _time | eval ip=srcip | table ip, _time ]
| table Users, ip, _time

Does anyone have a solution?
Hi All, I have installed the Linux monitoring extension to get the NFS utilization metrics as per this documentation: https://developer.cisco.com/codeexchange/github/repo/Appdynamics/linux-monitoring-extension/#readme. After making the necessary changes as per the documentation, I restarted the machine-agent. I am getting this error on startup. Please check and let me know the solution.

[rinst@vm-64e6db337156cc18f93ef923 logs]$ cat machine-agentstartup.log
my-vm==> [system-thread-0] 06 May 2024 07:40:13,349  INFO MonitorConfigReader - Reading monitor config file:/ngs/app/rinst/machineagent-bundle-64bit-linux-aarch64-23/monitors/LinuxMonitor/monitor.xml
my-vm==> [system-thread-0] 06 May 2024 07:40:13,357  INFO ManagedMonitorDelegate - Executing managed monitor [LinuxMonitor], task name [Linux Monitor Run Task]
my-vm==> [system-thread-0] 06 May 2024 07:40:13,379 ERROR JavaTaskCreator - Could not load/instantiate the Java Task Main class for Java task [Linux Monitor Run Task]
java.lang.NoClassDefFoundError: org/apache/log4j/Layout
	at java.lang.Class.getDeclaredConstructors0(Native Method) ~[?:?]
	at java.lang.Class.privateGetDeclaredConstructors(Class.java:3137) ~[?:?]
	at java.lang.Class.getConstructor0(Class.java:3342) ~[?:?]
	at java.lang.Class.newInstance(Class.java:556) ~[?:?]
	at com.singularity.ee.agent.systemagent.task.JavaTaskCreator.createJavaTask(JavaTaskCreator.java:69) [machineagent.jar:Machine Agent v23.2.0.3568 GA compatible with 4.4.1.0 Build Date 2023-02-21 10:37:10]
	at com.singularity.ee.agent.systemagent.components.monitormanager.managed.MonitorTaskRunner.createTask(MonitorTaskRunner.java:75) [machineagent.jar:Machine Agent v23.2.0.3568 GA compatible with 4.4.1.0 Build Date 2023-02-21 10:37:10]
	at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.<init>(PeriodicTaskRunner.java:41) [machineagent.jar:Machine Agent v23.2.0.3568 GA compatible with 4.4.1.0 Build Date 2023-02-21 10:37:10]
	at com.singularity.ee.agent.systemagent.components.monitormanager.managed.ManagedMonitorDelegate.setupEnvTask(ManagedMonitorDelegate.java:255) [machineagent.jar:Machine Agent v23.2.0.3568 GA compatible with 4.4.1.0 Build Date 2023-02-21 10:37:10]
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Layout
	at com.singularity.ee.util.loader.FileSystemClassLoader.findClass(FileSystemClassLoader.java:372) ~[agent-23.4.0-845.jar:?]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:589) ~[?:?]
	at com.singularity.ee.util.loader.FileSystemClassLoader.loadClass(FileSystemClassLoader.java:320) ~[agent-23.4.0-845.jar:?]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:522) ~[?:?]
	... 24 more
my-vm==> [system-thread-0] 06 May 2024 07:40:13,387  WARN ManagedMonitorDelegate - Error executing managed monitor [LinuxMonitor], task name [Linux Monitor Run Task]
com.singularity.ee.agent.systemagent.api.exception.TaskInstantiationException: Could not load/instantiate task main class[com.appdynamics.extensions.linux.LinuxMonitor] for task [Linux Monitor Run Task]
	at com.singularity.ee.agent.systemagent.task.JavaTaskCreator.createJavaTask(JavaTaskCreator.java:90) ~[machineagent.jar:Machine Agent v23.2.0.3568 GA compatible with 4.4.1.0 Build Date 2023-02-21 10:37:10]
com.appdynamics.voltron.rest.client.NonRestException: Method: SimProcessesAgentService#updateProcessMetadata(String,List) - Result: 403 Forbidden - content: <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>Apple</center> </body> </html>   at com.appdynamics.voltron.rest.client.VoltronErrorDecoder.decode(VoltronErrorDecoder.java:62) ~[rest-client-1.1.0.187.jar:?] at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:156) ~[feign-core-10.7.4.jar:?] at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:80) ~[feign-core-10.7.4.jar:?] at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[feign-core-10.7.4.jar:?] at com.sun.proxy.$Proxy156.updateProcessMetadata(Unknown Source) ~[?:?] at com.appdynamics.sim.agent.extensions.servers.DoubleBufferedProcessProperties.reportProcesses(DoubleBufferedProcessProperties.java:75) ~[servers-23.2.0.3568.jar:?] at com.appdynamics.sim.agent.extensions.servers.ProcessMonitor.run(ProcessMonitor.java:78) [servers-23.2.0.3568.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?] at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?] at java.lang.Thread.run(Thread.java:829) [?:?] my-vm==> [system-thread-0] 06 May 2024 07:43:07,365  WARN DynamicMonitoringModeTask - Encountered error checking monitoring mode. Will retry in 60 seconds. 
my-vm==> [AD Thread-Metric Reporter1] 06 May 2024 07:43:07,712  INFO SystemAgent - Full certificate chain validation performed using default certificate file my-vm==> [extension-scheduler-pool-9] 06 May 2024 07:43:38,739  WARN ProcessMonitor - ProcessMonitor::Caught exception during collection and reporting. com.appdynamics.voltron.rest.client.NonRestException: Method: SimProcessesAgentService#updateProcessMetadata(String,List) - Result: 403 Forbidden - content: <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>Apple</center> </body> </html>   at com.appdynamics.voltron.rest.client.VoltronErrorDecoder.decode(VoltronErrorDecoder.java:62) ~[rest-client-1.1.0.187.jar:?] at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:156) ~[feign-core-10.7.4.jar:?] at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:80) ~[feign-core-10.7.4.jar:?] at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[feign-core-10.7.4.jar:?] at com.sun.proxy.$Proxy156.updateProcessMetadata(Unknown Source) ~[?:?] at com.appdynamics.sim.agent.extensions.servers.DoubleBufferedProcessProperties.reportProcesses(DoubleBufferedProcessProperties.java:75) ~[servers-23.2.0.3568.jar:?] at com.appdynamics.sim.agent.extensions.servers.ProcessMonitor.run(ProcessMonitor.java:78) [servers-23.2.0.3568.jar:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?] at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?] at java.lang.Thread.run(Thread.java:829) [?:?]
Hello, the Forwarder ingestion latency is showing red on my search head.
Root Cause(s): Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. The observed value is 5474815. Message from 452CE67F-3C57-403C-B7B1-E34754172C83:10.250.2.7:3535
Can anyone please provide any suggestions?
Hello, I am in need of some help from the community. Is it possible to create a token in a scheduled report and create trends? I have a file that gets uploaded every 2 weeks called audit_fisma(month/date). Every 2 weeks the file name will stay the same but the month and date will change, for example audit_fisma0409.csv. I have 6 different fields that will need to be compared based off the current week and the previous week. Do I also have to create a report for each field and its trends? Here is a sample of the query that I am working on. This drafted query reflects the weeks of 04/09 and 03/28. My goal is to create a report that will automatically pull the file based off the new files that get uploaded every 2 weeks, so that I don't have to manually change the dates. I hope this was enough information.

| inputlookup audit_fisma0409.csv
| table "Security Review Completion Date"
| replace -* with NA in "Security Review Completion Date"
| eval time2=if('Security Review Completion Date'<relative_time(now(),"-1Y"),"Expired","Not_expired")
| stats count by time2
| where time2="Expired"
| append [
    | inputlookup audit_fisma0328.csv
    | table "Security Review Completion Date"
    | replace -* with NA in "Security Review Completion Date"
    | eval time2=if('Security Review Completion Date'<relative_time(now(),"-1Y"),"Expired","Not_expired")
    | stats count by time2
    | where time2="Expired"]
| transpose
| where column="count"
| eval "Security Review Completed"=round('row 1'/'row 2'-1,2)
| eval "Security Review Completed"=round('Security Review Completed' * 100, 0)
| eval _time=strftime(now(),"%m/%d/%Y")
| table "Security Review Completed" _time
I deployed the search head cluster and also deployed the indexer cluster, and merged the search head cluster and the indexer cluster. After downloading the sample data and uploading it to the indexer, all members of the indexer cluster can search the uploaded data. When searching from members of the search head cluster, two of them cannot find the uploaded data, and one can. The two that cannot show this message: "Unable to distribute to peer named 192.168.44.159 at uri=192.168.44.159:8089 using the uri scheme=https because peer has status=Down. Verify uri scheme, connectivity to the search peer, that the search peer is up, and that an equivalent level of system resources are available. See the Troubleshooting Manual for more information."
Hi All, I want to separate a field which contains multiple values within it but doesn't have a delimiter. Example:

| makeresults
| eval field1="example1@splunk.com example@splunk.com sample@splunk.com scheduler"

I have tried to use | eval split = split(field1, " "), but nothing works. Kindly help me out with how to separate this single string field into an MV field. Thanks in advance.
Query:

|mstats sum(error.count) as Count where index=metrics_data by provider errorid errorname
|search errorname=apf

Results:

provider    errorid  errorname  Count
Digital it  401      apf        200.0000
Data St     200      apf        500.0000
dtst        0        apf        18.0000
Digital it  100      apf        55.0000
dtst        501      apf        16.0000
Digital it  0        apf        20.0000
Data St     200      apf        300.0000
dtst        201      apf        12.0000
Data St     404      apf        20.0000
Digital it  201      apf        10.0000
Data St     501      apf        10.0000
dtst        201      apf        9.0000
Data St     401      apf        8.0000
dtst        500      apf        3.0000
Data St     555      apf        5.0000
dtst        200      apf        2.0000

Expected results (errorid and Count as multivalue cells per provider):

provider    errorname  errorid      Count
Digital it  apf        401 100 0    200.0000 55.0000 20.0000
Data St     apf        200 200 404  500.0000 300.0000 20.0000
dtst        apf        0 501 201    18.0000 16.0000 12.0000
When we use the below query, the data in the dashboard panel is not showing correctly; if we open the panel query with "Open in Search", the data shows correctly. How do we fix this issue?

index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) repoter.dataloadingintiated
|stats count by local
|append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data"
    |stats count as FilesofDMA]
|append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) "app.mefwebdata - jobintiated"
    |eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24))
    |eval host = host + " - " + host_ip
    |stats count by host
    |fields - count
    |appendpipe [stats count |eval Error="Job didn't run today" |where count==0 |table Error]]
|stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA"
Hello, I have created a Splunk lookup table file (the file is in CSV format) and now I am trying to create a lookup definition. But I couldn't create the lookup definition, because when I tried searching for the lookup file, I couldn't find that file in the drop-down menu to select. What could be the reason? Can anyone help with this? Thanks in advance.
Hi, we could see message="executed" for the started state field. So, I would like to replace it with the same message where state="completed" in the event too, for the same IDs. I hope I worded this clearly. Thank you in advance.
Hi all, first post in SPLUNK and I'm not even going to pretend I know the ins and outs of everything that I am currently trying to achieve, so I apologise if this is an easy answer... I have created a dashboard that contains an HTML form and through JS magic it does everything I need it to, which includes a 'submit' button that is connected to an HTML table in a different panel. When the button is clicked the table is updated with the relevant information - happy days. Under the HTML table, I have another button that, when clicked, I want to create a new dashboard that displays that table (there is more to it, but for now I just need it to create a new dashboard). After a bit of research, I stumbled across AJAX, but I'm constantly receiving a 404 error. I understand that a 404 is resource not found, but every document I find indicates that this is the correct resource. My SPLUNK Enterprise version is currently running on my laptop (127.0.0.1:8000), but I am at a frustrating loss now...

    document.getElementById('confirmButton').addEventListener('click', function() {
        var dashboardData = {
            name: 'newDash',
            'eai:data': '<dashboard><label>$name$</label><description>$goal$</description><row><panel><html><h1>something</h1></html></panel></row></dashboard>',
        };
        $.ajax({
            url: '/serviceNS/nobody/search/data/ui/views',
            type: 'POST',
            data: dashboardData,
            success: function(response) {
                console.log('Success:', response);
            },
            error: function(jqXHR, textStatus, errorThrown) {
                console.error('Error:', textStatus, errorThrown);
            }
        });
    });

The issue seems to indicate the url section is wrong, but if anyone could help point me in the right direction, I would greatly appreciate it. Kind Regards, oO0NeoN0Oo
Hello, I am not an admin and do not have permission to create or view the transforms.conf file. I also don't have a lab, so I can't experiment with the KVStore lookup. Can I create a KVStore lookup definition in the Splunk UI without using the transforms.conf file? Will creating a KVStore lookup definition in the Splunk UI automatically update transforms.conf? Please suggest. Thank you.
Hello, I am using Splunk DB Connect 3.13.0, which worked fine until I restarted the server. Since then the task server is not starting and I'm getting this error:

message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" com.splunk.modularinput.Event.writeTo(Event.java:65)\\com.splunk.modularinput.EventWriter.writeEvent(EventWriter.java:137)\\com.splunk.dbx.command.DbxQueryServerStart.streamEvents(DbxQueryServerStart.java:51)\\com.splunk.modularinput.Script.run(Script.java:66)\\com.splunk.modularinput.Script.run(Script.java:44)\\com.splunk.dbx.command.DbxQueryServerStart.main(DbxQueryServerStart.java:95)\\ ERROR ExecProcessor [15275 ExecProcessorSchedulerThread] - message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" action=dbxquery_server_start_failed error=java.security.GeneralSecurityException: Only salted password is supported
Hello, Splunkers! I hope there are some SOC analysts around who are using Splunk Enterprise and Splunk ES in their work. I've been learning Splunk for the past month and I have worked with Splunk ES a bit and tried configuring some correlation searches with automated notable generation along with email notification alerts. I now have to present some cases in my test lab, where I have an attacker who performs some malicious activity that triggers some of the correlation searches that I have configured, and then I need to demonstrate the full investigation process from a SOC analyst's POV. The problem is, I have almost zero knowledge of how a SOC operates, and if they were to use Splunk Enterprise and the Enterprise Security app, what would they do exactly? Would they just go over all the new notables and look at the drill-down searches, trying to understand which notables are related to other notables? Would they try to correlate the events by time? Would they only work within Splunk ES, or would they also go to the dashboards and search for some data there? I would appreciate it if someone could explain how a SOC works with Splunk ES in the case of some simple, uncomplicated attacks that trigger 2-3 correlation searches max. Also, a small question: since I have the email notifications configured, who is usually the one receiving the email notifications about triggered correlation searches, is it a SOC director, or an analyst, or someone else? Please let me know if more information is required; I would love to provide as many details as needed, as long as I get the best answer that would help me. Thanks in advance for taking the time to read and reply to my post!
Hello. I'm a Splunk newbie. There is confusion about setting up data model acceleration. According to the official documentation, if the data in your data model is out of date, Splunk will continuously delete it and keep the data in your data model up to date. So, for example, if you summarize a month's data model on a 0 12 * * * cycle:

1. Data from day -30 to day 0 is summarized.
2. A day passes.
3. Data from day -29 to day +1 is summarized.
4. The day -30 data is deleted.

Is this process correct? If this process is correct, why is it being done this way? And, for information summarized through data model acceleration, is there a way to keep it consecutively, like a summary index, without it being deleted?
Hello splunkers! I have a simple question regarding Splunk data models and regular searches. I have found some answers, but I would like to dig deeper. What's the advantage of using the data models? Like, why would we want to use the data models instead of regular searches where we just label the indexes in which we want to search for the data? I know so far that the data models allow searching through multiple sources (network devices and workstations) by having standardized fields. I also know about data model acceleration, that we can use tstats in our searches on accelerated data models in order to speed up the searches. Is there a particular scenario where we must use data models and not using them will not work? (I am using Enterprise Security as well, so if there is any scenario that involves this app, it is most welcome.) I would really appreciate a well-detailed answer. Thank you for taking the time to read and reply to my post.
Splunk apps --> Splunk App for Lookup Editing --> select import file: while uploading the file, it is not uploading and there is no error message. The screen still shows the same import pop-up options. Please guide me on how to fix this issue.