All Topics

Hi, I want to display the result only for users who have both ID AR9 & AD. Below is sample data. I have about 10k results being generated with multiple values, but I need to display only those users who have both ID AR9 & AD.

| USER | ID |
|---|---|
| John | AD |
| John | AY9 |
| Riya | AD |
| Toby | AR9 |
| Nathan | AD |
| Nathan | AR9 |
| Sam | AD |
| Sam | AR9 |

Thanks!
Hi All, I am having a very weird issue where I cannot see a report in the Splunk UI. When I search using Filter: All, I can see the report, but when I set the filter to 0, I get 'no searches, reports, and alerts found'. This couldn't be the case of visibility, as the configuration isn't set in the conf file. These are the set specs in the conf file, attached below for reference. I have also attached the metadata file, as there is no access control information set for the specific saved search. There are 6 more savedsearches which I can see when I filter using Report, but not this specific one. No clue how the report is not found during the filter. Thanks in advance. Pravin
\"message\": \"Invalid Application ID\", \"messages\": null, \"error_response\": null,

Need to extract the above message field without dropping other log messages. Like Nodrop option
Hello, I have this query:

index="report" Computer_Name="*"
| chart dc(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
    totalNumberOfPatches >= 3 AND totalNumberOfPatches <= 6, "Low Exposure",
    totalNumberOfPatches >= 7 AND totalNumberOfPatches <= 10, "Medium Exposure",
    totalNumberOfPatches >= 11, "High Exposure",
    totalNumberOfPatches == 2, "Compliant",
    totalNumberOfPatches == 1, "<not reported>",
    1=1, "other" )
| stats count(Computer_Name) as totalNumberOfPatches by exposure_level
| eval category=exposure_level

Looks like I've lost the _time field on the way, so when I'm trying to run timechart I'm getting no results.
Hi, I have a dashboard in Splunk and I have a question about the query. I have a line of fields and I have a column, and I want to apply a specific color if a specific field is true. How do I do that? The line in the dashboard for a specific column looks like this:

<format type="color" field="nemeOfColumn"> <colorPalette></colorPalette></format>
Hi all, first of all, thank you for your time. I am quite new to Splunk and I have been struggling with this issue for some time, but it seems quite a bit more challenging than I initially expected. I have the following sample data in tabular form:

| A | B | C | D | E | F |
|---|---|---|---|---|---|
| 0.1 | b1 | 0.1 | d1 | 0.1 | f1 |
| 0.11 | b2 | 0.2 | d2 | 0.35 | f2 |
| 0.2 | b3 | 0.3 | d3 | 0.9 | f3 |
| 0.22 | b4 | | | 1.0 | f4 |
| 0.4 | b5 | | | | |
| 0.5 | b6 | | | | |
| 0.55 | b7 | | | | |
| 0.9 | b8 | | | | |

and I need to generate something like:

| A | B | C | D | E | F |
|---|---|---|---|---|---|
| 0.1 | b1 | 0.1 | d1 | 0.1 | f1 |
| 0.11 | b2 | | | | |
| 0.2 | b3 | 0.2 | d2 | | |
| 0.22 | b4 | | | | |
| 0.3 | | 0.3 | d3 | | |
| 0.35 | | | | 0.35 | f2 |
| 0.4 | b5 | | | | |
| 0.5 | b6 | | | | |
| 0.55 | b7 | | | | |
| 0.9 | b8 | | | 0.9 | f3 |
| 1.0 | | | | 1.0 | f4 |

So, first I need to merge column A with C and E, sorted, and then I need to make columns C and E match with column A, including data in columns D and F respectively. I guess there is an easy way to achieve this. I have tried with joins but I cannot make it work. Any help would be much appreciated.
Hi there everyone. I am struggling to get the Events API to accept a query for some metrics I want to query. I followed the instructions on https://docs.appdynamics.com/appd/21.x/21.6/en/extend-appdynamics/appdynamics-apis/analytics-events-api and have set up the Postman request with the required fields. I have made sure to give the api_key the correct permissions, but when querying the fra-ana controller I am hit with a 403. I cannot see why I am being hit with this error or find any documentation to help me debug it. My query looks like the following:

curl -X POST "http://fra-ana-api.saas.appdynamics.com/events/query" \
  --header "X-Events-API-AccountName: <global_account_name>" \
  --header "X-Events-API-Key: <api_key>" \
  --header "Content-Type: application/vnd.appd.events+text;v=2" \
  --header "Accept: application/vnd.appd.events+json;v=2" \
  --data "SELECT * FROM logs"

I have tried this command in Postman and in PowerShell, both returning the same 403.
I want to get my inputlookup csv filename with the query.

| inputlookup abc.csv | stats count by inputlookup_filename ```<= the result I needed is "abc"```

Or

| table inputlookup_filename ```<= the result I needed is "abc"```
Is the output of the attached image right? I can see data model per run duration, but by size has no values.
Good day, please help. The DB agent has a problem with connecting more detailed metrics. I restarted and reinstalled the agent but the error persists:

#|2023-11-28T13:37:39.480+0100|SEVERE|glassfish 4.1|com.sun.jersey.spi.container.ContainerResponse|_ThreadID=56;_ThreadName=http-listener-1(6);_TimeMillis=1701175059480;_LevelValue=1000;|The RuntimeException could not be mapped to a response, re-throwing to the HTTP container RestException(statusCode=500, code=Unknown, errorMessage=Unknown server error., developerMessage=null, logCorrelationId=5041de7e-2229-4c14-a847-5e8cd4703df6)
While the Speakatoo API performs as expected in POSTMAN, it encounters challenges when integrated into my system.
please tell me. How do I hide filters in Splunk Dashboard Studio? Is it an XML-only option? XML → <form hideFilters="true"> JSON → ???
Hello everyone, I checked the MaxMind tracker log and got this error: "Could not download MaxMind GeoIP MD5, exiting." How can I solve this? Thank you.
Dear team, I need to join the two index searches and print the count of common IDs. The two different index searches mentioned below work independently; both indexes have the same correlation_ID but different messages. So the common correlation ID count for both indexes needs to be printed.

index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received"
| stats count by correlation_id

index = Test2 invoked_component="YYYY" correlation_id="*"
| where message IN ("Successfully created" , "Successfully updated")
| stats count by correlation_id
Is this even possible?! Any help will be appreciated. I need to search for specific text in a Windows host name that is located, by naming convention, after a 4, 5 or 6 character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.). For example (these host names are simplified to illustrate the problem):

1.) host=L004PS4bldDC7, the campus site code is “L004” and the function code is “PS”
2.) host=L0005DB5bldPS, the campus site code is “L0005” and the function code is “DB”
3.) host=L00006DC6rDB1, the campus site code is “L00006” and the function code is “DC”

The data I’m searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters, and each search will return 1000+ events. We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn’t work for the function code. The characters following the function code are determined by the campus site admins and used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention. For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.
I created a manual correlation search with the below SPL; the action is notable creation:

splunk_server=* index=* host=x.x.x.x "login"
| stats count by src_ip
| where count > 3

After that I can see the notable created from the search tab with index=notable, but the Incident Review still has no values. Any hints, guys?
How to create a detection rule on LLMNR with Sysmon or wineventlog? I'm kinda new to Splunk.
Hello Splunkers, I wanted to extract output1 and output6 fields from the raw event.

Example Event 1:
Message : output,1: The guess/tmp/var/tms/bmp_abcd/apm_salesforce/address_standardplot/serviceinput/AddressStandardiplot_S3_VariousDmsJob_V9_apm_unmatch_AVI-pct-STANDARD_123456789_9912333333-f12f-5cb9-aa10-9d101188ad47.banana.2 file, which contains 456 rows, was written to the standardplot-s3-abc-dev-005 bucket.

Example Event 2:
Message : output,6: Input 0 consumed 123 records.

Desired result:
output1=456 rows
output6=123 records

The Message field is also not auto-extracted by Splunk. May need to use |rex field=_raw........ Please advise.
I need to be able to perform a search in Splunk for a message ID and identify all the users that received it. We currently have a SOAR playbook that uses the Microsoft EWS API, but that has been deprecated. As far as I know, Graph API (the replacement) does not have an endpoint for a full message trace. Does anyone have a better alternative?
Hi, we have multiple services that we want to have filtered out from the journald. Is there a way to do the opposite of this stanza parameter, to exclude _SYSTEMD_UNIT=my.service?

journalctl-filter =_SYSTEMD_UNIT=my.service

If that's not possible, what's the best way to do that?