All Topics
I would like to be able to see the daily traffic flow rate of Splunk Enterprise on my dashboard. Ideally, I would like to be able to see the traffic flow per forwarder, but at the very least I would like to see the overall traffic flow. Is this possible?
Hello All, I have a search question. I have a csv file that returns data. If the ID field has no data, I want to have a table which shows 4 columns: NAME, STATUS, DATE, ACTION. These come from the csv file header line. If the ID > 0 I want to show these columns: DATE-Changed, ID, NAME, DATE_DOWN, ACTION. I have not yet seen how I might do this. What I need, in a sense, is two searches, one when ID=0, and one when ID>0. Any suggestions?

Thanks, EWHOLZ
What is Smart Agent and how can I use it?

Available as of v23.11.0, released November 29, 2023, Cisco AppDynamics Smart Agent allows you to manage agent operations, including install, upgrade, and rollback, from the Controller UI. There, you will be able to view the Smart Agent inventory details, along with the other installed agents. Smart Agent currently manages six supported agents and also provides a Smart Agent CLI option for advanced configurations.

Which agents are supported?

The following agents are supported, with more planned and underway:
- Apache Web Server
- Java
- Machine Agent
- Node.js
- PHP
- Python

How do I use Smart Agent?

To use Smart Agent, you will need to install it on each host where you want to use its management features. See the short list of prerequisites in the documentation.

Check out our Smart Agent series in the Knowledge Base, starting with Smart Agent: agent lifecycle management reimagined. For contextualized day-in-the-life discussions of how Smart Agent works, see:
- Exploring an APM agent upgrade scenario with Smart Agent
- Exploring an APM agent installation scenario with Smart Agent

Expect more such content in the coming weeks!

Where can I learn more about Smart Agent?

Interested in using Smart Agent and exchanging your experience, insights and questions with other professionals? Come to the new Smart Agent Forum in the Community.
Real-world scenario: With Smart Agent installed, what is the 4-step process to install supported agents?

This article shows a real-world example of how to use Smart Agent to install APM agents, using the installation of a new Java Agent as an example. It covers prerequisites and shows what you might expect in the process as well as the presented scenario.

NOTE | For information about installing Smart Agent itself, start with the Smart Agent page, then choose Quick Start or Get Started.

In this article...
- How do I use the Smart Agent to install APM agents through the Controller UI?
- Notes about this installation example
- Supporting clustering scenarios
- Additional resources

How do I use the Smart Agent to install APM agents through the Controller UI?

Let us say you want to install a new Java agent. As a prerequisite, the Smart Agent must already be installed on the host.

NOTE | If other agents are already installed on the host, the Smart Agent will be able to manage them as well. However, in the scenario we’re describing here, we want to push an agent install from the user interface. Using the Smart Agent will provide a much simpler process.

From the main Agent Management menu, click Install Agent, then click the agent type. In our scenario, Java.

Figure 1 - Installing the Java Agent through UI

Then, select where to deploy the agent. Choose the host and then select the application, tier name, etc. Smart Agent makes scaling easy by supporting the ability to import host details from a CSV file.

Next, look over configuration options and modify them with the appropriate application, tier, and node name depending on your needs. You have control over which agent version you want to choose (default is the latest).

Finally, depending on the application, you will need to modify the application startup parameters so that when the application is restarted, the agents start to collect the data. As of the November 2023 release, the Smart Agent supports auto-attaching to Java and Node.JS applications.

PLEASE NOTE | To avoid unanticipated application disruptions, changes will not take place until you restart your application.

And that is it! It does not get any simpler - your agents will begin to install onto their respective hosts.

Notes about our Java installation scenario

If your Java application is written in Tomcat, Weblogic, Glassfish, or Spring, for example, you only need to restart your application. The just-installed new version of the agent will be auto-attached to the application with all the relevant start-up parameters.

If your application is written in another application, you must ensure the application startup parameters take account of the agent by following the respective settings in the documentation on the Install App Server Settings page. How cool is that!

Supporting clustering scenarios

For the build-time workflows, customers can use our new Smart Agent CLI to integrate with an existing CI/CD pipeline. You can integrate with Jenkins, Docker or with a Terraform script.

Additional resources
- Smart Agent lifecycle management reimagined
- Exploring an APM agent upgrade scenario with Smart Agent
- FAQ: Simplified agent management and Smart Agent
- Smart Agent: How easy is it? — a short, clickable demo
- Smart Agent Forum — add your own comments and insights here

In the Documentation, see:
- Agent Management > Smart Agent
- Agent Management User Interface
- Smart Agent Command Line Utility (CLI)
- Supported Agents
Real-world scenario: With Smart Agent installed, what is the 3-step process to upgrade supported agents?

Once you install Smart Agent, how do you upgrade your existing agents? In this article, see the three steps you will follow to upgrade and orchestrate agents using Smart Agent and the Controller user interface. Though the real-world scenario described here is about software compliance standards, this process applies to any supported agent upgrade once Smart Agent is installed. Need to roll back to the previous agent? That is also discussed here.

In this article...
- Example Scenario: Adhering to Software Compliance Standards
- Step 1. Filter by agent status
- Step 2. Select an agent upgrade option (Default upgrade | Custom upgrade)
- Step 3. Monitor progress and respond as needed
- Automatic agent rollback
- Additional resources (Knowledge Base articles | Documentation)

Example Scenario: Adhering to Software Compliance Standards

Say you need to adhere to software compliance standards in which software cannot be older than one year. In this scenario, an inventory must be reported and then remediated to meet compliance as needed.

NOTE | Once Smart Agent is installed, the following steps also apply to any supported agent upgrade.

Step 1. Filter by agent status

With simplified agent management using Smart Agent and central UI controls, you just have to filter by agent status, select all the agents of the same type, and then click on upgrade. One or many? The process is the same, and because you have installed the Smart Agent, orchestration happens on your behalf.

PLEASE NOTE | Bulk upgrades are only supported for the same type at a time; i.e., all Java or all PHP. You cannot perform a bulk upgrade against Java and PHP in the same thread.

You just need to choose which agents to act on and allow AppDynamics to orchestrate the rest!

Step 2. Select an agent upgrade option

Once the list of agents has been selected and the action for upgrades has been initiated, you will have two options for upgrading agents: default and custom.

The default upgrade option entails simply using the latest version, retaining all the previous configuration settings, and using the AppDynamics Downloads portal.

Figure 1 – Default upgrade options

The custom upgrade option allows you to choose which agent version is appropriate and make other configuration changes you want to send to the agents. You can also leverage a local directory to distribute the agents—a best practice if you are upgrading many agents.

PLEASE NOTE | Due to release cadences, custom upgrade options may differ, and not all options may be initially available. This feature is being rolled out in phases, so if an option does not appear, or is not enabled, please check back later or reach out to your SE and ask that they request a priority.

Step 3. Monitor progress and respond as needed

You can monitor the progress in a Tasks In Progress menu, which includes a log file should troubleshooting be necessary through the process. Once the task is executed, you can go to the History menu, where you can see the status of the upgrade and, again, get more information about the upgrades from a log file.

Agent Rollback

If the upgrades don’t go as expected, you can roll back agents to the previous version. Again, this is orchestrated through the user interface in conjunction with the Smart Agent. Now that makes sense!

Additional resources

Community:
- Smart Agent reimagines agent lifecycle management
- FAQ: Simplified agent management and Smart Agent
- Exploring an APM agent installation scenario with Smart Agent
- Smart Agent: How easy is it? — a short, clickable demo
- Smart Agent Forum — add your own comments and insights here

In the Documentation, see:
- Agent Management > Smart Agent
- Agent Management User Interface
- Smart Agent Command Line Utility (CLI)
- Supported Agents
Cisco AppDynamics unveils our robust new agent lifecycle management solution and its benefits

In November, we released a robust agent lifecycle management solution that leverages a Smart Agent which orchestrates the entire agent lifecycle management tasks through an improved centralized user interface and advanced Smart Agent CLI. One Smart Agent is installed on a host that can manage the Machine Agent and any number of APM agents that are running on the same host. Each host running applications for APM just needs one Smart Agent.

Instantly identify agent versions with Smart Agent. Do you need to meet compliance requirements? Smart Agent supports your immediate adherence. Execute necessary upgrades automatically and at scale. Benefit from readily available detailed historical records that enhance transparency and foster trust. Smart Agent's capabilities are specifically designed to cater to agile environments with speed and efficiency. This solution focuses on three main areas:
- Accelerates Time-to-Value with faster deployments and easier upgrades, reducing time and effort
- Simplifies software compliance with agent version auditing, bulk upgrades, and rollback
- Increases agility to employ the latest functionality, future-proofing your investment

In this article...
- What is included in agent lifecycle management? Agent Status | Inventory Management | Filtering | Reports | Automation | Logging | CLI for advanced functionality
- How does Smart Agent work? Supported environments | Preliminary requirements | Agent management user interface
- What's next in agent management?
- Additional resources

Updated 1/24/24

What is included in agent management functionality?

For those looking to simplify their agent lifecycle management tasks, the November 2023 release of the Smart Agent, with the improved agent management user interface, brings the following insights and functionality: Agent Status, Inventory Management, Filtering, Reports, Automation, Logging, and CLI for advanced functionality.

Agent Status

Clearly understand the agent’s state, such as:

Agent Status with Smart Agent
- Latest: Know when the agents are healthy and in compliance
- Update available: Be informed when updates that are applicable to your running environment(s) are available, such as when an enhancement or patch was issued
- Out of date: Know which Agents are no longer supported, have extended their support life (generally, >1+ year old), or are identified for urgent update
- Unknown: Know whether an agent’s state is unknown, to address immediately

Inventory Management

Gain a holistic overview of the agent lifecycle and environment, including:

Smart Agent Inventory Management
- Agent mapping: Know which application, tier, and node the agents support
- Agent version: Per agent, easily know what versions are running
- Smart Agent: Know whether the agent is being managed by Smart Agent
- Monitoring status: Know whether the agents are actively monitoring applications, or whether they are disabled (meaning no collection is taking place)

Filtering capabilities

Zero in on which agents or environments need to be investigated, for example, during compliance investigations.

Report generation

Export a data grid of the entire agent inventory environment into a CSV format for use in other reporting programs.

Automation capabilities

Efficiently install and upgrade at scale and execute other bulk actions such as rolling back failed upgrades or choosing the appropriate version.

Logging

Address common upgrade challenges with historical logs that aid in troubleshooting, should upgrades not be successful.

Utilizing CLI for Advanced Functionality in RedHat and Debian Deployments

For more advanced functionality, a CLI can be used for RedHat and Debian deployments, which provides capabilities that can be incorporated into an existing workstream to perform functions such as:
- Support deployments during build time, such as when you install the agent when building the application environment for a cluster.
- Provide deployment options for both the Smart Agent itself and language/machine agents.
- Leverage an attach-configure-file that will ensure the application is instrumented accordingly upon application restart.
- Install, update, configure, rollback, and uninstall agents with advanced control options such as agent version, where to download, connection options (i.e., SSH), install directory, and more!

Keep reading to understand how all this works, and where we are going!

How it works

To get started, you will need to install a single Smart Agent on each host machine running applications that need to be or are already being monitored. This installation process uses existing deployment methods for our other language library agents, or more appropriately the Machine Agent. As such, you can download the agent from our portal and then distribute it through your existing CI/CD tooling pipelines, or any method you prefer, for example, a JFrog Artifactory, or distributed through the Smart Agent CLI. Once the Smart Agent is present on the host machine and has been registered with the Controller, which is nothing more than a simple configuration file change, you can carry out all the agent lifecycle management operations from within the user interface or through the Smart Agent CLI.

NOTE | See the details in the Documentation under Smart Agent, user interface, and Smart Agent CLI. It’s just that simple!

Supported environments

Languages and infrastructure agents

As of the November 30, 2023 release, the following agents are supported:
- Java
- Node.js
- AppDynamics Machine Agent
- Python
- PHP
- Webserver

Check the documentation for the most up-to-date information.

AppDynamics Products

Smart Agent is available for both AppDynamics cSaaS and On-Premises version 23.11 (November 2023). This solution does require both the Smart Agent and the updated Controller.

Deployments

Agent Management through a controller UI supports both greenfield and brownfield use cases. In either scenario, you will just simply need to install the Smart Agent, just once, on any machine hosting applications needing to be, or are currently being, monitored by AppDynamics. Once that simple task is complete, the user interface will use the Smart Agent to orchestrate all the agent management operations that are necessary, though a Smart Agent CLI does exist.

Preliminary requirements

To use the orchestration features through the improved user interface, you need admin user privileges. This allows you to manage agents via the UI. Also, the Smart Agent should be installed on any machine you want to manage.

Agent management user interface

From Home, click Agent Management. You can also access Agent Management from the user profile menu selection (top right corner).

Figure 1 - Entry points to Agent Management

Existing agent inventory

Once on the Agent Management home page, you can view the inventory of all your existing agents. You will quickly see the status of all your agents, whether they are out-of-date or need to be updated, for example. You will also see, and can filter by, the agent type, its version, and which application, tier, or node it applies to, or whether they are being managed by the Smart Agent.

Figure 2 - Main Agent Management menu

What’s next in agent management?

Very shortly, we will be providing auto-discovery capabilities that reduce the need for deep application or domain knowledge. By enabling operations teams with the information as to which applications are running on a host, and what language they are written in, any guesswork is practically eliminated. This reduces the enormous amount of effort typically involved with onboarding new applications for APM, which also alleviates the overhead from needing to engage multiple teams that have deeper domain knowledge. With the auto-discovery aspect of Smart Agent, your team will be sure and become more efficient and effective. Additionally, look for upcoming features like scheduling tasks.

Additional resources

Stay tuned for upcoming articles that explore agent lifecycle management. Meanwhile, do explore this initial series here in the Knowledge Base.
- Exploring an APM agent upgrade scenario with Smart Agent
- Exploring an APM agent installation scenario with Smart Agent
- FAQ: Simplified agent management and Smart Agent
- Smart Agent: How easy is it? — a short, clickable demo
- NEW! Just one Smart Agent: unlimited agent lifecycle control — overview video (9 minutes)

Don't miss the Smart Agent forum to find more content, weigh in on discussions, and ask your own questions.

See more information in the Documentation:
- Agent Management > Smart Agent
- Agent Management User Interface
- Smart Agent Command Line Utility (CLI)
- Supported Agents
Hi, what is the difference between extracting fields in a query with rex or in a config file? Pros and cons? How about performance?

Thanks,
I want to get the result of the next line of the log message when I encounter a key word. Example log:

----error in checking status--------
----Person Name: abcd, Status=active---------
-----Check for Status------
------success : true--------
-----Start  Processing XXX----------
----Person Name: abcd, Status=active---------
-----Check for Status------
------success : true--------
-----Start  Processing XXX----------
----Person Name: abcd, address:yzgj---------
-----Check for Person------
------success : true--------
-----Start  Processing XXX----------

In the above log I want to capture the person name after the "Check for Person". The log is indexed by _time. I want to display the following result:

_time    Process    Person Name
         XXX        abcd

I don't want to use map or transactions as those are expensive as there are a lot of events. Thank you for the help.
Amazon EKS is a managed container service to run and scale Kubernetes applications in the AWS cloud. It has been a popular choice for users to run Kubernetes on AWS without needing to install, operate, and maintain their own Kubernetes control plane or nodes.   Splunk Observability Cloud provides the Splunk Distribution of the OpenTelemetry Collector as an EKS Add-on available in the AWS marketplace. The Add-on allows customers to seamlessly deploy the Collector to track EKS performance by namespace, cluster, pod or organizational concepts such as team or application. This is a step to further simplify the installation and deployment of the Collector. You can find the EKS add-on product available in the AWS Marketplace and you can follow the instructions in our documentation to deploy it on your EKS clusters.    
Hi, communities, I am doing a calculation with an eval command.

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y-%m-%d"))/86400),round((now()-strptime(last_login,"%Y-%m-%d"))/86400))

The above calculates the dormancy number correctly, but as soon as I change the code to the following:

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y/%m/%d"))/86400),round((now()-strptime(last_login,"%Y/%m/%d"))/86400))

i.e., from "-" to "/", strptime doesn't calculate the dormancy days. Is this a limit of strptime or am I doing something wrong?
Large Security Operations Centers (SOCs) with multiple teams need help to make fast decisions when overwhelmed with security events. A few short weeks ago in our Splunk Enterprise Security 7.2 release, we introduced optional enhancements to the Incident Review Dashboard that provide a more customizable experience when investigating notable events. This allows analysts to customize and configure the Incident Review Dashboard with table filters and columns to help isolate and rapidly investigate events that matter to them. Additionally, analysts can create saved views of their customized Incident Review Dashboard and share them with other Enterprise Security analysts. Saved Views allows analysts with different use cases to share their tailored views of notable events with other incident investigators in order to collaborate on notable events seamlessly. Splunk Enterprise Security Administrators also have access to a new level of control over the analyst experience in Incident Review, including configuring default views for all users.

This refined analyst experience is now on by default in Splunk Enterprise Security 7.3! In order to ease customers into these new workflows, we’ve also launched an interactive, in-product onboarding experience that will guide users through these new features.

Splunk Ideas continues to be front and center in Splunk Enterprise Security

Customer feedback continues to drive innovation and enhancements in Splunk Enterprise Security. In this release, we added Drill-Down Dashboards to Incident Review, allowing content engineers to drill-down into a Splunk dashboard directly from the incident workflow. Users can now create multiple drill-down dashboard links and then use them to investigate a specific notable event. This enables analysts to seamlessly access critical details during an investigation, while reducing manual workloads. Content engineers can now customize the text of the drill-down link and also configure the fields that will be passed as tokens to the dashboard. The use cases for custom dashboards are endless with this new flexibility, and we can’t wait to see how the world’s most advanced SOCs leverage it.

Additionally, customers tell us that there are rare instances outside their control where data is not forwarded to Splunk in real-time, but that they still want Enterprise Security to check those data feeds for threats and anomalies. In this release, we’ve added Index Time Correlation Searches that allow administrators to run specific correlation rules on index time instead of event time for the data sources that routinely arrive after real-time. With this enhancement, Splunk continues to ensure complete visibility no matter where, or when, the data originates.

Risk-Based Alerting is now even more powerful

Risk-Based Alerting is an innovative approach to help organizations prioritize security threats, aligned to the MITRE ATT&CK framework and an entity risk score. The SOC can reduce false positive investigations by up to 80% and speed the time needed to investigate and remediate true positive incidents by 50%. In Splunk Enterprise Security 7.3, the Risk Event Timeline is updated to include Drill-down Searches, Drill-down Dashboards, and Contributing Events so that analysts can quickly gather contextual information about risk events as they respond to Risk Notables. With Splunk Enterprise Security 7.3 you’ll get to experience the following enhancements:
- Drill-down Searches are a long standing feature of Splunk Enterprise Security’s Incident Review Dashboard. Recently in Splunk Enterprise Security 7.2, we added support for multiple Drill-down Searches so that content engineers can provide analysts with as many options as they need to gather additional information via pre-made searches. Now, all available Drill-down Searches are available in the Risk Event Timeline, when applicable.
- The new Drill-down Dashboards, launched in this new release, now also appear in Risk Event Timeline in addition to the Incident Review dashboard, if applicable.
- Contributing Events are now refined in Risk Event Timeline to show analysts the raw events associated with a Risk Event, regardless of the presence of drill-down searches or drill-down dashboards having been defined. This provides analysts with the opportunity to gather more information about Risk Events. Additionally, risk events generated by cloud-based streaming analytics, included with Splunk Enterprise Security for customers operating in Splunk Cloud, will also benefit from the Contributing Events refinement for Risk Event Timeline.

Upgrade today to Enterprise Security 7.3!

Splunk Enterprise Security 7.3 updates are available now in both cloud and on-prem environments. We’re listening! If you have ideas and requests, please submit them to Splunk Ideas. To learn more about Splunk Enterprise Security 7.3, check out the release notes. Happy Splunking!
I'm migrating my Splunk instance from an outdated OS. I want to increase the buffer size for my Splunk forwarder so that it can withstand all the logs when the receiver/indexer is down. We are using Splunk version 6.6.0; I'm unable to find relevant documentation to refer to for the configuration file changes.
I'm aiming to develop a Playbook in SOAR Phantom to automate the deletion of containers (using label) older than one week. Can you guide me on which App to utilize for container management and how to implement appropriate filters in the Action Block?
Hello, I have 2 searches that return message ids given certain field values.

The first search:

index=messages* MSG_src="AAAAA" MSG_DOMAIN="BBBBBB" MSG_TYPE="CC *" | rename MSGID AS MSGID1

The second search:

index=messages* MSG_src="CCCCCC", MSG_DOMAIN="DDDDDDD", MSG_TYPE="Workflow Start" | rex field=_raw "<pmt>(?<pmt>.*)</pmt>" | rex field=_raw "<EventId>(?<MSGID1>.*)</EventId>" | search pmt=EEEEEEE

The results from the second search could come in up to an hour after the results from the first search. It is not an issue unless it takes over an hour. How can I account for this time delay so I can accurately alert if the span is longer than an hour? Thanks for the help!
In a part of a Splunk SOAR (Phantom) playbook I would like, in some cases, to send a syslog msg to a remote syslog server. I did not find any well-known app which can help me, so I figured out how to create it as (Python) code via "Python Playbook Editor". BUT somehow using the default socket library and the connect + send functions did not work. Listening to all network interfaces did not show any attempt at creating the TCP flow to the destination. Could someone help me or show me how I can open a TCP connection in Splunk SOAR?
Is it possible to do this in Splunk, and what type of logs do I need to have in Splunk?
Hi, I recently changed a SQL query in Splunk DB Connect for one of the dashboards. The query ran, but I don't see the dashboard reflecting the new data. As I was checking, I saw that the index did not refresh after the new query was implemented. The last event of the index remains from the day I changed the query. The new query had two new columns, but I don't see them getting reflected. Can anyone please help me with this? It's a bit urgent!
Hello, What are the best methods to ingest Datadog Log and Metrics Data into Splunk Cloud/HF?  We have a requirement to fetch datadog dashboard and populate it to Splunk Dashboard. Thank you. Reg... See more...
Hello, what are the best methods to ingest Datadog log and metrics data into Splunk Cloud/HF? We have a requirement to fetch a Datadog dashboard and populate it into a Splunk dashboard. Thank you. Regards, Madhav
Hi, so I have the below base query:

| inputlookup abc.csv where DECOMMISSIONED=N
| fields DATABASE DB_VERSION APP_NAME ACTIVE_DC HOST_NAME DB_ROLE COMPLIANCE_FLAG PII PCI SOX
| rename DATABASE as Database
| join type=left Database
    [| metadata type=hosts index=data
    | fields host, lastTime, totalCount
    | eval Database=Upper(host)
    | search totalCount>1
    | stats max(lastTime) as lastTime, last(totalCount) as totalCount by Database
    | eval age=round((now()-lastTime)/3600,1)
    | eval Status=case(lastTime>(now()-(3600*2)),"Low", lastTime<(now()-(3600*2+1)) AND lastTime>(now()-(3600*8)),"Medium", lastTime<(now()-(3600*8+1)) AND lastTime>(now()-(3600*24)),"High", 1=1,"Critical")
    | convert ctime(lastTime) timeformat="%d-%m-%Y %H:%M:%S"
    | eval Reference="SPL"]
| rex mode=sed field=HOST_NAME "s/\..*$//g"
| fields Database Reference DB_VERSION APP_NAME ACTIVE_DC HOST_NAME Status DB_ROLE COMPLIANCE_FLAG
| fillnull value=Missing Status
| fillnull value=Null

Now I need to add a field, let's say Privacy, with PII, PCI and SOX as the filter, but I don't need the values of these fields to become the filter in the Privacy field and be reflected the same way in the Summary tab.

<row>
  <panel>
    <table>
      <title>Summary</title>
      <search base="base">
        <query>| search APP_NAME="$application$" Database="$database$" HOST_NAME="$host$" DB_VERSION="$version$" Status="$status$" COMPLIANCE_FLAG="$compliance$" Privacy="$privacyFilter$" | eval StatusSort=case(Status="Missing","1",Status="Critical","2",Status="High","3",Status="Medium","4",Status="Low","5") | sort StatusSort | table APP_NAME Database HOST_NAME DB_VERSION ACTIVE_DC Status DB_ROLE COMPLIANCE_FLAG PII PCI SOX | rename APP_NAME as Application, DB_VERSION as Version, ACTIVE_DC as DC, HOST_NAME as HOST</query>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">true</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="number" field="FileSize">
        <option name="precision">0</option>
      </format>
      <format type="color" field="Status">
        <colorPalette type="map">{"Missing":#DC4E41,"Critical":#F1813F,"High":#F8BE34,"Medium":#62B3B2,"Low":#53A051}</colorPalette>
      </format>
    </table>
  </panel>
</row>
</form>

Can someone help with how I can get this? I added this panel:

<!-- New Privacy Filter Panel -->
<input type="multiselect" token="privacyFilter" searchWhenChanged="true">
  <label>Privacy</label>
  <choice value="*">All</choice>
  <choice value="PII">PII</choice>
  <choice value="PCI">PCI</choice>
  <choice value="SOX">SOX</choice>
  <fieldForLabel>Privacy</fieldForLabel>
  <fieldForValue>Privacy</fieldForValue>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
</fieldset>

and this:

<row>
  <panel>
    <table>
      <title>Summary</title>
      <search base="base">
        <query>| search APP_NAME="$application$" Database="$database$" HOST_NAME="$host$" DB_VERSION="$version$" Status="$status$" COMPLIANCE_FLAG="$compliance$" Privacy="$privacyFilter$" | eval StatusSort=case(Status="Missing","1",Status="Critical","2",Status="High","3",Status="Medium","4",Status="Low","5") | sort StatusSort | table APP_NAME Database HOST_NAME DB_VERSION ACTIVE_DC Status DB_ROLE COMPLIANCE_FLAG PII PCI SOX | rename APP_NAME as Application, DB_VERSION as Version, ACTIVE_DC as DC, HOST_NAME as HOST</query>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">true</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <format type="number" field="FileSize">
        <option name="precision">0</option>
      </format>
      <format type="color" field="Status">
        <colorPalette type="map">{"Missing":#DC4E41,"Critical":#F1813F,"High":#F8BE34,"Medium":#62B3B2,"Low":#53A051}</colorPalette>
      </format>
    </table>
  </panel>
</row>
</form>

but I am getting "No results found".