Hi, how do I write an SPL search query that adds multiple fields in a single search?
Field 1 - contains data like authorization "Write" or "Read"
Field 2 - contains user id details like "@abc.com", user1, user 2
Question: how do I write an SPL query like
    index=testing ("write" AND "@abc.com")
i.e. an SPL query adding multiple fields which contain "write" AND "@abc.com", so that when these conditions are satisfied an alert is sent.
Hello, could someone please help me with this question: should the clients of the deployment server only be forwarders, or can any component of the architecture (indexers, search heads) be a client of the deployment server as well?
Hi Team, I need help to create an alert which can be raised if the latest hour's count is 10% less than the count for the same hour on the same day last week. For example, right now I am able to get the count, but I am not sure how to find a 10% or greater difference in order to trigger the alert.
    index=ABC sourcetype=XYZ | timechart span=1h count | timewrap d series=short
Hello, I am getting the following error while trying to enable SAML for my deployment server:
    Verification of SAML assertion using the IDP certificate provided failed. Unknown signer of SAML response.
Kindly provide any valuable suggestions.
Looking for an SPL query to get the index-wise log consumption for each month, split up for the last 6 months.
When checking the URL categorization for a URL, it appears that the URL has been classified under two categories, for example Business/Economy and File Storage/Sharing. However, we can only see one category in the Splunk field (field name: filter_category). Is this something to do with the data collection in Splunk? Any details are appreciated. Check the current WebPulse categorization for any URL: https://sitereview.bluecoat.com/#/
I want a chart as follows. I could show each count value (cannot get the Calc field).
    (index=interface_count devicename IN ($select_device$) (INTinfo1=Gi0/1 OR INTinfo1=Gi0/2) data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter)
    | timechart span=5m eval(round(max(eval(Rx/1E5)),1)) as Rx_count by INTinfo1

    _time   Device_A Gi0/1 (a)   Device_A Gi0/2 (b)   Device_B Gi0/8 (c)   Calc A+B-C
    10:00   100                  200                  50                   250
    10:05   100                  300                  80                   320
    10:10   150                  250                  100                  300
Our servers are in Germany but Splunk time is 2 hours ahead. Why is that? For example, the event creation is at 5:02 am German time but in Splunk it is showing 3:02 am. Any solutions?
Hi Team, we have P1 Splunk alerts generated based on event ID 12320 triggered from the following servers:
    scwdxxxxx0009
    scwdxxxxx0008
    scwpxxxxx0002
    scwpxxxxx0001
Recently, we identified that we have a 24-hour suppression time for the alert, which led to a critical incident. To address this issue, the user has requested a reduction in the suppression time for the alert. The goal is to eliminate suppression unless the previously triggered alert is still open. If there are no open P1 tickets for event ID 12320, there should not be any suppression of the generation of new tickets.

Current Alert Configuration
We have one alert in Splunk, and we are using the following query:

    index=winevent sourcetype="WinEvent:*" ((host="scwpxxxxx0001*" OR host="scwdxxxxx0008*" OR host="scwdxxxxx0009*" OR host="scwpxxxxx0002*") AND (EventCode=12320))
    | eval assignment_group = "ABC IT - Computing Services"
    | eval host=lower(mvindex(split(host,"."),0))
    | eval correlation_id=strftime(_time,"%Y-%m-%d %H:%M:%S").":".host
    | eval short_description=case((host="scwpxxxxx0001" OR host="scwdxxxxx0008"),"Microsoft AAD Proxy Connector - Prod not able to connect due to network issues.",(host="scwdxxxxx0009" OR host="scwpxxxxx0002"),"Microsoft AAD Proxy Connector - Dev not able to connect due to network issues.", 1=1, 0 )
    | eval category="Application", subcategory="Repair/Fix", contact_type="Event", state=4, ci=host, customer="no573", impact=1, urgency=1, description="Event Code ".EventCode." encountered on host ".host." at ".strftime(_time,"%m/%d/%Y %H:%M:%S %Z")." SourceName:".SourceName." Log Name: ".LogName." TaskCategory:".TaskCategory." Message=".Message." Ticket generated on SNOW at ".strftime(now(),"%m/%d/%Y %H:%M:%S %Z")
    | table host, short_description, assignment_group, impact, urgency, category, subcategory, description, ci, correlation_id

    Alert Type: Scheduled
    Schedule: Run on cron schedule */30 * * * * (every 30 minutes)
    Time Range: Last 4 hours
    Expiration: 24 hours
    Throttle: Enabled
    Suppress results containing field value: host, EventCode
    Suppress triggering for: 24 hours
    Trigger Actions: ServiceNow Incident Integration

How can we suppress the alert as per the requirement? Please help us here. Thank you.
Hi, I have seen a steady increase in perfmon events or data in the past 30 days. The number of hosts has been about the same and overall production activity is the same. There was one host added during the 30-day time frame. I thought that host may have been the cause of the increase. But that new host is not even in the top 10 most active hosts. The amount of overall perfmon data in proportion to the wineventlog data is increasing. Please see the attached chart. Perfmon is represented by the brown bar, wineventlog is the green bar. I'm asking for any ideas that would help me in identifying the cause of this change. Thank you in advance for any help.
Hi Team, I have generated dynamic URLs using the lookup and added them in the field values of the table. Now I need to make those dynamic URLs hyperlinks so that we don't have to manually copy and paste the URL into the browser every time. I modified the source code as below, but it is working. Please assist on this. Thank you.

    "visualizations": {
        "viz_abc123": {
            "type": "splunk.table",
            "options": {
                "count": 5000,
                "dataOverlayMode": "none",
                "drilldown": {
                    "condition": {
                        "field": "URL",
                        "link": "$row.URL|n$"
                    }
                },
                "backgroundColor": "#FAF9F6",
                "tableFormat": {
                    "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
                    "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
                    "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
                    "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
                },
                "showInternalFields": false,
                "columnFormat": {
                    "Duration(Secs)": {
                        "data": "> table | seriesByName(\"Duration(Secs)\") | formatByType(Duration_Secs_ColumnFormatEditorConfig)",
                        "rowColors": "> table | seriesByName(\"Duration(Secs)\") | rangeValue(Duration_Secs_RowColorsEditorConfig)"
                    },
                    "Duration(Mins)": {
                        "data": "> table | seriesByName(\"Duration(Mins)\") | formatByType(Duration_Mins_ColumnFormatEditorConfig)",
                        "rowColors": "> table | seriesByName(\"Duration(Mins)\") | rangeValue(Duration_Mins_RowColorsEditorConfig)"
                    }
                }
            },
To ensure you meet the prerequisites and get platform support, visit the AppDynamics Agent Installer documentation.

Installation Steps:
1. From the Controller UI, select Home > Agent Installer.
2. From the Specify Application to Deploy to dropdown, select an existing application, or select New application and enter its name. Example: I am creating a new application named "Abhi-ZeroAgent-Test".
3. Download and run the Agent Installer using either the express installation or custom installation method.

On the Server:
1. Access the server where you wish to deploy ZFI (Zero Agent). This agent will help you install both the Java and Machine Agents.
2. Copy the provided command and run it on the server where you wish to deploy the Java/Machine agent. This will create an appd-* folder in the /tmp directory.
3. To deploy the Machine Agent, use the zero-agent.sh file. Run the following command from the same server:
    ./zero-agent.sh install --application 'Abhi-ZeroAgent-Test' --account 'xxxx' --access-key 'xxx' --service-url 'https://xxxx.saas.appdynamics.com' --enable-sim 'true'
4. Once done, your Machine Agent will be installed in the /opt/appdynamics/zeroagent/agents/machineagent/ folder.

Making Configuration Changes:
If you wish to make any changes to the Machine Agent configuration, make the changes in the /opt/appdynamics/zeroagent/agents/machineagent/ directory. To restart the Machine Agent with the new properties, run the following command from /opt/appdynamics/zeroagent/bin:
    zfictl restart machine
This will restart the Machine Agent with the updated configuration.
Table of Contents
    How do I open a case with AppDynamics Support
    Case Opening: When there is only one AppDynamics Subscription associated with the User (most cases)
    Case Opening: When there are multiple subscriptions associated with a user
    Case severity
    Video Tutorials
    Additional Resources

How do I open a case with AppDynamics Support?
First, ensure you can access Cisco SCM with a valid Cisco.com account. If you were part of the migration this should have been done automatically. If you still need to request a Cisco.com account, please refer to the earlier communication about User Identity changes found here. Make your way to the AppDynamics portal at appdynamics.com/support. When you log in to the AppDynamics portal you will be automatically redirected to Cisco SCM.

Case Opening: When there is only one AppDynamics Subscription associated with the User (most cases)
1. Navigate to the AppDynamics Portal Link to the Support section (see Figure 1) and click the link "Open a new ticket".
   Figure 1
2. You will be taken directly to the "Describe problem" page where you will be prompted to enter details of the incident reported (Figure 2). Proceed to select a pre-set sub technology by clicking the "Manually Select a Technology" button.
   Figure 2
3. Choose the Technology that most closely relates to the issue and click the "Select" button.
   Figure 3
4. After you submit the case, the system asks if you'd like to receive e-mail updates with details of the ticket; choose to opt in or out (Figure 4).
   Figure 4

Case Opening: When there are multiple subscriptions associated with a user
1. Follow the same steps as in the "Case Opening procedure with one subscription associated with a user", by going to the AppDynamics Portal Link to Support (see Figure 1) and clicking the link to "OPEN SUPPORT TICKETS".
2. If there are multiple subscriptions associated with your account, choose the correct subscription number from the menu (Figure 5), then click the "Next" button.
   Figure 5
3. SCM detects that you are associated with AppDynamics only and reduces the Tech and Sub-Tech to AppDynamics choices (Figure 3).
4. After you submit the case, and if you opted for it, the system automatically sends an e-mail with details of the ticket, pointing to the newly opened case in SCM for case management (Figure 4).

Case severity
In conjunction with the migration to Cisco SCM, AppDynamics customers will be making use of the Case severity definitions as determined by Cisco in the table below.

    Case Severity      Description
    Severity 1 (S1)    Critical impact on the customer's business operations. Cisco's hardware, software, or as-a-service product is down.
    Severity 2 (S2)    Substantial impact on the customer's business operations. Cisco hardware, software, or as-a-service product is degraded.
    Severity 3 (S3)    Minimal impact on the customer's business operations. Cisco hardware, software, or as-a-service product is partially degraded.
    Severity 4 (S4)    No impact on the customer's business operations. The customer requests information about features, implementation, or configuration for Cisco's hardware, software, or as-a-service product.

Note! Post-migration, some functions will be limited. These include:
    All open tickets will be migrated to the new system (you will receive a notification with the new case ID).
    All tickets closed on or later than May 14th will be available in the new system (you will receive a notification with the new case ID).

Why am I not getting Support Case notifications/emails?
Often, case notifications are turned off because users miss setting Case Notifications to "On" while opening a case. As the case creator, you have the ability to enable/disable notifications from the Support Case Manager (SCM) user interface. Enabling notifications ensures that our support engineers' responses are also received via email.

Understanding Case Notifications:
    Case Notifications On: You will receive email updates about the case.
    Case Notifications Off: You will not receive email updates. In this scenario, you need to check the Support Case Manager for updates: go to Support Case Manager and navigate to the individual case details -> Notes section. Alternatively, use our Cisco Support Assistant bot.

How to Enable Notifications
1. Global Configuration: Go to SCM -> Settings (Gear icon in the top right corner). Note: Global notification settings have Case Notifications turned off by default. We recommend customers set this to On at the global level.
2. Per-Case Basis: You can also enable notifications on a per-case basis during case creation.

Different Case Opening Paths
    From Account Portal: Opening a case from the Account Portal -> Open new ticket will set the case notifications to "On".
    From Support Case Manager: Opening a case from the Support Case Manager -> Open a new case will respect the global notification settings mentioned above.
    Via appd-support@cisco.com: Case notifications will be "Off". This does not respect global settings from SCM.

Adjusting Notifications After Case Creation
You can always turn case notifications on/off after opening the case and before the case closure: navigate to Support Case Manager, scroll down to Case Notifications and click "Edit". You can also request the support engineers to enable/disable the case notifications by responding to the case, and they will do it for you.

Video Tutorials
    How to open a support case
    How to navigate and view filed support cases

Additional Resources
    How do I manage my support cases?
    AppDynamics Support migration to Cisco CSM
Hello All, I am using | jirarest to fetch tickets from JIRA search results into Splunk. In JIRA I have around 300 tickets, but when I try to fetch them in Splunk only 50 are returned. I tried to add maxResults=1000, but I got 100 tickets. I searched about it and found that in JIRA Cloud, if we have more than 100 items to return, we have to iterate through them in batches using startAt. But the challenge is that I am unable to find any way of running the iteration, since I only get 50 tickets and not more on which I could run the iteration. Thus, I need your guidance on how to build a solution or workaround in Splunk to fetch all tickets. Thank you, Taruchit
With polkit versions 0.120 and below, the version number was structured with a major/minor format, always using the major version of 0. It appears that Splunk was using the dot between them to decode the version number in its create-polkit-rules option to detect whether the older PKLA file or the newer JS version would be supported. Starting in polkit version 121, the maintainers of polkit have dropped the "0." major number and started using the minor version as the major version. Because of this, Splunk does not currently seem to be able to deploy its own polkit rules. This affects both RHEL 9 and Ubuntu 24.04 so far in my testing. Has anyone else run into this issue or have another workaround for it? Thanks!

    root@dev2404-1:~# pkcheck --version
    pkcheck version 124
    root@dev2404-1:~# apt-cache policy polkitd
    polkitd:
      Installed: 124-2ubuntu1
      Candidate: 124-2ubuntu1
      Version table:
     *** 124-2ubuntu1 500
            500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
            100 /var/lib/dpkg/status
    root@dev2404-1:~# /opt/splunk/bin/splunk version
    Splunk 9.2.1 (build 78803f08aabb)
    root@dev2404-1:~# /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1 -create-polkit-rules 1
    " ": unable to parse Polkit major version: '.' separator not found.
    ^C
    root@dev2404-1:~#

https://github.com/polkit-org/polkit/tags
We apparently have the StreamWeaver integration in place, but we are not sure how it was implemented, as the folks who did it are no longer around. How is it done usually? Is it a REST API integration, as I see at Connect: Splunk Enterprise?
We have this stood up and working...sort of. Splunk Admins can configure alerts to add the "ServiceNow Incident Integration" action, and we can create Incidents in Splunk. The problem is, we have a lot of development teams that create/maintain their own alerts in Splunk. When they go to add this action, they're not able to select the account to use when configuring the action...because they don't have read permission to the account. Even if an Admin goes in and configures the action, it won't work at run-time, because the alert runs under the owner's permissions...which can't read the credentials used to call ServiceNow. Has anyone else run into this issue? How can this be set up to allow non-Admins to maintain alerts?
Hi SMEs, while checking the logs from one of the log sources I could see that logs are not ending properly and are getting clubbed all together. Putting the snap below and seeking your best advice to fix it.
I have three lookup files and I am trying to find out which one has a zero count. Below is the query I am using.
    | inputlookup file_intel
    | inputlookup append=true ip_intel
    | inputlookup append=true http_intel
    | search threat_key=*risklist_hrly*
    | stats count by threat_key
I want to know which threat_key has a zero count for threat_key=*risklist_hrly*. I have tried fillnull, but it's not working. I can only see the ones that have a count. I want to get the one that has a zero count.
I have two sources that I'd like to combine/join, or search on one based on the other.
Source 1 - has two fields: name & date
Source 2 - has several fields including name & date, field1, field2, field3, etc.
I'd like to get the most recent date for a specific name from source 1, and show only the events in source 2 with that name & date.