All Topics

Top

All Topics

How to filter a field from the log where the values change for example please see below, logfile =(result1=0 result2=5 result3=10 result4=14)  at 5AM logfile =(result1=8 result2=5 result3=10 result... See more...
How to filter a field from the log where the values change for example please see below, logfile =(result1=0 result2=5 result3=10 result4=14)  at 5AM logfile =(result1=8 result2=5 result3=10 result4=14) at 5:10Am logfile =(result1=4 result2=5 result3=10 result4=14) at 5:20Am logfile =(result1=3 result2=5 result3=10 result4=14) at 5:30Am i want query to return result and show when result1 is greater than 5, please help Current state im at =index=indexname | search sourcetype=eventname "result1=5" gives results but if i do index=indexname | search sourcetype=eventname "result1> 5" returns nothing  
Hi everyone, As you know from the dashboard the least standard timeframe is the last 5 minutes, we wanted to know the last 1 minute, so I used the same script as I did before when I wanted to get th... See more...
Hi everyone, As you know from the dashboard the least standard timeframe is the last 5 minutes, we wanted to know the last 1 minute, so I used the same script as I did before when I wanted to get the visits per day (Check the article). And just changed the time frame I now made a new script that checks the concurrent visits for the last minute. The script is below: #!/bin/bash now=$(date +"%s.%3N" | awk '{printf "%d%03d\n", $1, substr($2,1,3)}') lastmin=$(date -d "now - 1 minute" +"%s.%3N" | awk '{printf "%d%03d\n", $1, substr($2,1,3)}') scrollid=$(curl -s -X POST "<ES_IP>:9080/events/query?start=${lastmin}&end=${now}" -H"X-Events-API-Key:<API-KEY>" -H"X-Events-API-AccountName:<Your-Account-Global-Name>" -H"Content-Type:application/vnd.appd.events+text;v=2" -H"Accept:application/vnd.appd.events+json;v=2" -d"[{ \"query\": \"SELECT * FROM web_session_records\", \"mode\": \"scroll\"}]" | grep -oP '(?<="scrollid":").*?(?=",)') curlout=$(curl -s -i \ -H "Accept: application/vnd.appd.events+json;v=2" \ -H "Content-Type:application/vnd.appd.events+text;v=2" \ -H "X-Events-API-Key:<API-KEY>" \ -H "X-Events-API-AccountName:<Your-Account-Global-Name>" \ -d "[{ \"query\": \"SELECT count(*) FROM web_session_records\", \"mode\": \"scroll\", \"scrollid\":\"$scrollid\"}]" \ -X POST "http://<ES_IP>:9080/events/query?start=${lastmin}&end=${now}") echo "$curlout" | grep -o '"results":\[\[[0-9]*\]\]' | cut -d "[" -f3 | cut -d "]" -f1 Also, I made a small webserver on port 8000 that returns the output of this script: https://<Contoller_IP>:8000 Do you guys have a better way to do it? Best regards, Mohamed Ashraf Mohamed Ashraf Application Operations Engineer Platform & IT Solution Ops team Saudi Company for Visa and Travel Solutions (SVTS) Phone: +966549574746 Email: mmahmoud.c@saudivts.com  Riyadh, Saudi Arabia
Hi everyone, Problem: Unfortunately, you cannot display data more than 10K on the dashboard using ES queries. So the only way to do it is from the API. Objective: We want automation to find ... See more...
Hi everyone, Problem: Unfortunately, you cannot display data more than 10K on the dashboard using ES queries. So the only way to do it is from the API. Objective: We want automation to find the last 24h visits every day just by running a script and sending an email with the results daily using Cronjob Solution: I made a script to get the total number of Nusuk website visits using AppDynamics API as it’s the only way to get the number. https://docs.appdynamics.com/appd/23.x/23.12/en/extend-appdynamics/appdynamics-apis/analytics-events-api#id-.AnalyticsEventsAPIv23.10-query-eventsQueryEvents(SingleQuery)  Challenges: 1- I had to find a way to automate the script to find the current date and time in UNIX format 2- Then, call the API with the right parameters to get the scrollID. 3- Lastly, call the API again to get the Visits number. Script tasks: Get today’s and yesterday's dates in UNIX format (13 digits) -> last 3 digits should be zeros Call the first API to get the scrollid string. Recall the API with scrollid string in the API data. Grep the results. Script: #!/bin/bash today=$(date +"%s.%3N" | awk '{printf "%d%03d\n", $1, substr($2,1,3)}') yesterday=$(date -d "yesterday" +"%s.%3N" | awk '{printf "%d%03d\n", $1, substr($2,1,3)}') scrollid=$(curl -s -X POST "<ES-IP>:9080/events/query?start=${yesterday}&end=${today}" -H"X-Events-API-Key:<your-Key>" -H"X-Events-API-AccountName:<customer-ID>" -H"Content-Type:application/vnd.appd.events+text;v=2" -H"Accept:application/vnd.appd.events+json;v=2" -d"[{ \"query\": \"SELECT * FROM web_session_records\", \"mode\": \"scroll\"}]" | grep -oP '(?<="scrollid":").*?(?=",)') curlout=$(curl -s -i \ -H "Accept: application/vnd.appd.events+json;v=2" \ -H "Content-Type:application/vnd.appd.events+text;v=2" \ -H "X-Events-API-Key:<your-key>" \ -H "X-Events-API-AccountName:<customer-ID>" \ -d "[{ \"query\": <ES_IP>\"SELECT count(*) FROM web_session_records\", \"mode\": \"scroll\", \"scrollid\":\"$scrollid\"}]" \ -X POST "http://<ES_IP>:9080/events/query?start=${yesterday}&end=${today}") echo "$curlout" | grep -o '"results":\[\[[0-9]*\]\]' | cut -d "[" -f3 | cut -d "]" -f1 You can get the variables from: 1- Account name From the license page on the Contoller UI 2- API key: https://docs.appdynamics.com/appd/23.x/23.12/en/analytics/deploy-analytics-with-the-analytics-agent/analytics-and-data-security/manage-api-keys#id-.ManageAPIKeysv23.1-CreateAPIKeys 
Hi, I am having trouble generating a stats report based on JSON data containing an array.  I want to produce the following report: ErrorCode ErrorMessage Count 212 The image quality is poo... See more...
Hi, I am having trouble generating a stats report based on JSON data containing an array.  I want to produce the following report: ErrorCode ErrorMessage Count 212 The image quality is poor 1 680 The image could not be found 1 809 Document not detected 1       When I do the stats command, I do not get any results:   | spath input=jsondata |stats count by "embedded.metadata.data.results{}.notifications.*"   I have to know the error code value in the array in order to get any stats output.  For example:   | spath input=jsondata |stats count by "embedded.metadata.data.results{}.notifications.809"   Result: embedded.metadata.data.results{}.notifications.809 count Document not detected 1   Here example of the json data { "_embedded": {   "metadata": {      "environment": {          "id": "6b3dc"       }, "data": {    "results": [     {      "documentId": "f18a20f1",      "notifications": {          "212": "The image quality was poor"        }    }, {    "documentId": "f0fdf5e8c",    "notifications": {       "680": "The image could not be found"      } }, {    "documentId": "95619532",    "notifications": {       "809": "Document not detected"     } } ] } } } } Thanks in advance for any assistance!!
Hi, Could if anyone pls share the dashboard spl for the lateral movement in this YouTube video. https://youtu.be/bCCf9q2B4BM?si=P7FoduAwS--Hkgbw Thanks 
Hi Team, I am a volunteer working in a non profit organization. Is there any splunk pricing available for non profit organizations. Thank you.
I need to extract timestamp from a JSON log where date and time are on two separate fields. Example below:    { "Date": 240315, "EMVFallback": false, "FunctionCode": 80, "Time": 154915 }   Date ... See more...
I need to extract timestamp from a JSON log where date and time are on two separate fields. Example below:    { "Date": 240315, "EMVFallback": false, "FunctionCode": 80, "Time": 154915 }   Date here is equivalent of 2024-March-15 and the time is 15:49:15 pm. I am struggling to find a way to extract timestamp using props.conf. May you please assist. 
I'm trying to create what is effectively a "server" dropdown in a dashboard, where I want to allow people to filter on one or more servers from a lookup.  By default, I want the visualization to show... See more...
I'm trying to create what is effectively a "server" dropdown in a dashboard, where I want to allow people to filter on one or more servers from a lookup.  By default, I want the visualization to show for all servers.  I have the lookup pulling values, but I'm stuck trying to figure out how to make it so that they don't have to unselect a default "*" value.  Ideally, the input is empty by default (or it can show some value like "*" or "all") but once they start selecting individual servers that "all" option is removed.  Conversely, if they remove all servers from the filter, it should once again act like "*". Here's a stripped-down version of what I'm trying to do:     <form version="1.1" theme="dark"> <label>My dashboard</label> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-5m</earliest> <latest>now</latest> </default> </input> <input type="multiselect" token="server" searchWhenChanged="true"> <label>server</label> <search> <query>| inputlookup server_lookup.csv</query> </search> <fieldForLabel>server</fieldForLabel> <fieldForValue>server</fieldForValue> <delimiter>, </delimiter> <default>*</default> </input> </fieldset> <row> <panel> <title>Some panel</title> <chart> <search> <query>index=* server_used IN ($server$) | stats median(some_value)</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">radialGauge</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.rangeValues">[0,10,30,100]</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">right</option> <option name="charting.lineWidth">2</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </chart> </panel> </row> </form>    
I install Splunk universal Forwarder and ran it, it started but i am not able to access the http site after entering the ip with port number on linux
I wanted to use MLTK k-cluster algorithm to differentiate indexes which are slow usage growth as a cluster and sudden usage growth as a cluster and also predict indexe usages for next year  did some... See more...
I wanted to use MLTK k-cluster algorithm to differentiate indexes which are slow usage growth as a cluster and sudden usage growth as a cluster and also predict indexe usages for next year  did someone already did and exp
Hello to all, I have a multivalue field with a content.errormsg with values and also with a null value. If the null value in the fields it will not showing any results in the output example: ... See more...
Hello to all, I have a multivalue field with a content.errormsg with values and also with a null value. If the null value in the fields it will not showing any results in the output example: errormsg closed connection Empty String null needed result: errormsg closed connection Empty String
If you need to keep empty tiers of your APM application from being purged, there is a way to do so in controllers v.22.10 and above. To do this: Navigate to the Tiers & Nodes page Select a ... See more...
If you need to keep empty tiers of your APM application from being purged, there is a way to do so in controllers v.22.10 and above. To do this: Navigate to the Tiers & Nodes page Select a tier and then click on the "Details" button above On the next view click the drop-down button "Actions" in the upper-right corner Then select the option "Edit Properties" In the opened modal window edit the field "Description" - you can use any description you want, but it must contain the pattern "NON_PURGEABLE_TIER" Finally, save changes. The empty tier won't be purged (manual purging is still available if needed).
Hello, There was a user name that was changed and want to transfer ownership of splunk knowledge Object (Alerts) to her new account name . I will like to achieve this through  the cli and also the u... See more...
Hello, There was a user name that was changed and want to transfer ownership of splunk knowledge Object (Alerts) to her new account name . I will like to achieve this through  the cli and also the user changed her name and will want the new name to be applied to the knowledge object Pls how will i go about effecting this change.  
Getting below mentioned error in logs of appdynamics cluster agent  [ERROR]: 2024-03-15 14:36:30 - agentregistrationmodule.go:132 - clusterId: -1 [ERROR]: 2024-03-15 14:36:30 - agentregistrationmo... See more...
Getting below mentioned error in logs of appdynamics cluster agent  [ERROR]: 2024-03-15 14:36:30 - agentregistrationmodule.go:132 - clusterId: -1 [ERROR]: 2024-03-15 14:36:30 - agentregistrationmodule.go:134 - Registration properties: {} [INFO]: 2024-03-15 14:37:30 - agentregistrationmodule.go:119 - Initial Agent registration [ERROR]: 2024-03-15 14:37:30 - agentregistrationmodule.go:131 - Failed to send agent registration request: Status: 401 Unauthorized, Body: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Unauthorized</title> </head> <body> HTTP Error 401 Unauthorized <p/> This request requires HTTP authentication </body> </html> I'm very new to appdynamics and I had make its implementation asap I'm running  a k8s cluster in minikue right now and configured the cluster agent through Helm chart  I assume there is some issue with the values I have set in the values.yml file  controllerInfo: url: "https://xxxxx.saas.appdynamics.com:443" account: [Redacted] username: [Redacted]  ( or complete email address should be used ?) password:  accessKey: (no issue in that I have verified it twice)  please help in resolving the issue    ^ Post edited by @Ryan.Paredez to remove sensitive account name and info. Please be careful not to share account names, emails, or passwords on Community posts. 
So the logs changed from typical jason to this ...   "message":"type=\"CLIENT_LOGIN\", realmId=\"xxx\", clientId=\"xxx\", userId=\"xxx" so splunk extracts for type this "\"   Now the searches do... See more...
So the logs changed from typical jason to this ...   "message":"type=\"CLIENT_LOGIN\", realmId=\"xxx\", clientId=\"xxx\", userId=\"xxx" so splunk extracts for type this "\"   Now the searches do not work anymore
Hi all, I'm looking at volume of indexes and how much they ingest to calculate the volumes of licenses. I am aware I could find this answer straight away but I like to investigate further     I'm ... See more...
Hi all, I'm looking at volume of indexes and how much they ingest to calculate the volumes of licenses. I am aware I could find this answer straight away but I like to investigate further     I'm not sure on how to construct a SPL search that looks at just metrics indexes and checks how much volume they use up of the daily licesning quota per day   Anyone can help me with this?
Hello, There was a user name that was changed and want to transfer ownership of splunk knowledge Object (Alerts) to her new account name . Pls how will i go about effecting this change 
Hi all, could someone please explain how licensing works for both Events and Metrics in Splunk Cloud. I've looked at other posts in the Splunk Community but they don't really make sense.    Would l... See more...
Hi all, could someone please explain how licensing works for both Events and Metrics in Splunk Cloud. I've looked at other posts in the Splunk Community but they don't really make sense.    Would love a fresh answer to see if there are any differences/updated explanations     Cheers
I'm on Splunk Enterprise 9.1.3, and I've configured the add-on (no proxy) with the SolarWinds server name, port, and credentials.  I've configured the inputs, and I see nothing.  Running tcpdump show... See more...
I'm on Splunk Enterprise 9.1.3, and I've configured the add-on (no proxy) with the SolarWinds server name, port, and credentials.  I've configured the inputs, and I see nothing.  Running tcpdump shows no traffic to the SolarWinds server or the configured port. This is what I see in the log:   2024-03-14 19:55:48,630 +0000 log_level=ERROR, pid=3098123, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=113 | [stanza_name="ics_query"] Failed to index data Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 109, in index_data self._do_safe_index() File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 129, in _do_safe_index self._client = self._create_data_client() File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 99, in _create_data_client self._data_loader.get_event_writer()) File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/ta_cloud_connect_client.py", line 20, in __init__ from ..core.pipemgr import PipeManager File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/__init__.py", line 1, in <module> from .engine import CloudConnectEngine File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/engine.py", line 6, in <module> from .http import HttpClient File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/http.py", line 26, in <module> 'http_no_tunnel': socks.PROXY_TYPE_HTTP_NO_TUNNEL, AttributeError: module 'socks' has no attribute 'PROXY_TYPE_HTTP_NO_TUNNEL' I'd appreciate any help in getting this working.  
I want to create statistic per group of device rather than individual devices. I tried eval, but it produced no result. | eval GR=case (host=5087, GR2, host=7750, GR1, host=7751, GR1, host=7752, G... See more...
I want to create statistic per group of device rather than individual devices. I tried eval, but it produced no result. | eval GR=case (host=5087, GR2, host=7750, GR1, host=7751, GR1, host=7752, GR2) | stats count by GR. TIA, Leon