Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi, I have this props and transforms file to filter out the events before they reach the indexqueue. Not sure, but the filter doesn't seem to work any more. When I use btool to check the configurations, I still notice the configuration in place. We recently upgraded Splunk to version 9.0.4 from 8.1.0 a month ago to check if this has some effect on the configurations, but it doesn't have any. What could be the reason?
Dear Techies, does disabling an App or Add-on also disable its respective objects/configurations in Splunk Cloud/Enterprise? Please share links to support your answers if any, as I would be needing them. -Thanks
Is it possible for me to do a main search and, based on the results from the main search, find the fileName and use it in the inputlookup for a sub-search? I'm using this on a dashboard as well, so doing it by map is waiting for inputs in the dashboard and never getting populated.

Lookup with map:

    index=main Events | stats count, Events | eval fileName= <filename> | eval lookup="| inputlookup ".fileName | map search="| makeresults | map search="$lookup$

My current search query:

    index=main Events | stats count, Events | eval fileName= <filename> [| inputlookup [| makeresults | eval search=fileName | table search]] | stats count as known by Events | fillnull known values=0 <remaining search>
When using the Splunk Add-on for AWS, we're observing that events for sourcetype aws:cloudwatch:guardduty are not all parsed the same. There are events whose _raw begins with {"version":"0",... and others that begin with {"schemaVersion":"2.0",... . The ones that begin with version seem to have the same event data as the schemaVersion events; however, the data is nested in a JSON field "detail". How to fix this?
Hi Community, we have installed the Universal Forwarder on a Windows 2019 server and were able to get the data into Splunk. Since yesterday, the Universal Forwarder stopped forwarding data to the indexer. No change in network or configuration. We have identified the below errors while troubleshooting the issue.

    ERROR TcpOutputFd [4124 TcpOutEloop] - Connection to host=xx.xx.xx.xx:9997 failed
    06-13-2023 00:11:28.769 -0700 WARN AutoLoadBalancedConnectionStrategy [4124 TcpOutEloop] - Applying quarantine to ip=xx.xx.xx.xx port=9997 connid=0 _numberOfFailures=2
    06-13-2023 00:11:47.944 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1300. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
    06-13-2023 00:12:02.123 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
    06-13-2023 00:13:02.167 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
    06-13-2023 00:13:28.222 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1400. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
    06-13-2023 00:14:02.186 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
    06-13-2023 00:15:02.197 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
    06-13-2023 00:15:08.542 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1500. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Please help us to resolve the issue.
We have created an XML dashboard for infrastructure monitoring, where the panels for CPU utilization, RAM utilization, File Count and Storage utilization are like in the below snippet. I am able to see the above dashboards and the values in the graphs, radial gauge and filler gauges, but our team members are not able to see those values, graphs and gauges even though they have the same permissions to the dashboard as I do. Once they try to open the dashboard they see what is shown in the below snippet. Below is the sample XML code that has been given for the dashboard panels.

    <panel id="CPU_Information">
      <html>
        <H1 style="text-align:center;background-color:#0080ff;">CPU Information (In Percentage)</H1>
      </html>
      <html>
        <style>
          #CPU_Information{ height: 25px; }
          #CPU_Information{ width:35% !important; }
        </style>
      </html>
      <chart>
        <search>
          <query>index="app_events_dwh2_de_int" _raw=*cpu* | rex ": %utilization\",.+:\"(?&lt;CPU_Utilization&gt;[\d\.]+)" | rex max_match=0 ":\\\\\"(?&lt;TIME&gt;\d\d:\d\d:\d\d)" | chart Values(CPU_Utilization) over TIME</query>
          <earliest>$Infra Time Select.earliest$</earliest>
          <latest>$Infra Time Select.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.backgroundColor">#FFFFFF</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">125</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
      <html>
        <H1 style="text-align:center;background-color:#0080ff;">RAM Information (in KB)</H1>
      </html>
      <chart>
        <search>
          <query>index="app_events_dwh2_de_int" _raw=*kbswpused* | rex max_match=0 "\\\\\\\\\\\\\"kbswpused\\\\\\\\\\\\\":\d*\\\\\\\\\\\\\"(?&lt;Swap_used&gt;[^\\\]+)" | rex max_match=0 ":\\\\\"(?&lt;TIME&gt;\d\d:\d\d:\d\d)" | eval Swap_Used(GB)=round(Swap_Used/1024/1024,3) | chart Values(Swap_Used(GB)) over TIME</query>
          <earliest>$Infra Time Select.earliest$</earliest>
          <latest>$Infra Time Select.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.backgroundColor">#FFFFFF</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">231</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel id="File_Information">
      <html>
        <H1 style="text-align:center;background-color:#0080ff;">FILE Count(in thousands)</H1>
        <style>
          #File_Information{ height:25px !important; }
          #File_Information{ width:35% !important; }
        </style>
      </html>
      <chart>
        <search>
          <query>index="app_events_dwh2_de_int" _raw=*File_count* | rex max_match=0 "\\\\\\\\\\\\\"File_count\\\\\\\\\\\\\":d*\\\\\\\\\\\\\"(?&lt;File_Count&gt;[^\\\]+)" | stats latest(File_Count) as File_Count | chart Values(File_Count)</query>
          <earliest>$FileCount and Storage.earliest$</earliest>
          <latest>$FileCount and Storage.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.backgroundColor">#ffffff</option>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
        <option name="charting.fontColor">black</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">145</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">_aggregation</option>
      </chart>
      <html>
        <H1 style="text-align:center;background-color:#0080ff;">Storage Consumption (in GB)</H1>
      </html>
      <chart>
        <search>
          <query>index="app_events_dwh2_de_int" _raw=*File_Count* | rex max_match=0 "\\\\\\\\\\\\\"CONTENT_SIZE\\\\\\\\\\\\\":\d*\\\\\\\\\\\\\"(?&lt;Storage&gt;[^\\\]+)" | stats latest(Storage) as Storage | chart Values(Storage)</query>
          <earliest>$FileCount and Storage.earliest$</earliest>
          <latest>$FileCount and Storage.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.backgroundColor">#FFFFFF</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
        <option name="charting.fontColor">#000000</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">253</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    </row>

We request you to kindly look into the above and do the needful.
Hi all, I have a query on changing the color of 3 columns (named col1, col2, col3) based on the column category. If the category is neg, then high, low, med should be in red, orange and blue respectively; else if the category is positive, then high, low, med should be dark green, green and orange. How to do this?
The below error is coming in the Splunk machine continuously. What is the cause, and how do I find the solution?

    ERROR   sendmodalert - Error in 'sendalert' command: Alert script returned error code 3.
    ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 3., search='sendalert webhook results_file="/mnt/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__sap__RMD585fd0ca39fe4b642_at_1686095400_4037.3/per_result_alert/tmp_2.csv.gz"
Hello. I have these two rows (PR_Tags and PR_ID). I need to return the PR_IDs that match the PR_Tags when I select in a dropdown filter (like if I select line 1, row 1, return the PR_IDs that match this selected PR_Tag). How can I do that?

    index= host= sourcetype=csv source=........\\resul_test.csv | table PR_Tags, PR_ID | eval PR_Tags=split(PR_Tags,",") | mvexpand PR_Tags | dedup PR_Tags PR_ID
We have an environment of mixed client instances. Is there a removal tool to uninstall the Splunk client and remove any registry entries before installing the latest Splunk client?
Hi team. We are implementing AppDynamics in order to monitor end-to-end transactions in SAP PI/PO (Process Integration/Process Orchestration NW 7.5). The scenario is: Source System -> SAP PI/PO -> target system. We would like to know which classes and methods have to be set in order to extract messages and processing times for specific interfaces, where an interface is an end-to-end configuration in SAP PI/PO, because there can be several of them (more than 500 in our case). SAP PI/PO has a lot of out-of-the-box classes which are internally invoked at runtime, and we are not clear whether this requirement can be done with AppDynamics. Thank you in advance. Oscar
I am trying to configure the URL extension and getting the below errors while running mvn clean install. I have installed and configured apache-maven and am planning to use the Windows machine-agent.

    [ERROR] com.appdynamics.extensions.urlmonitor.UrlMonitorTest.urlMonitorExceptionOccurredTest  Time elapsed: 0.002 s  <<< ERROR!
    java.lang.NoClassDefFoundError: Could not initialize class org.mockito.internal.creation.jmock.ClassImposterizer$3
            at org.mockito.internal.creation.jmock.ClassImposterizer.createProxyClass(ClassImposterizer.java:68)
            at org.mockito.internal.creation.jmock.ClassImposterizer.imposterise(ClassImposterizer.java:50)
            at org.powermock.api.mockito.internal.mockcreation.MockCreator.createMethodInvocationControl(MockCreator.java:100)
            at org.powermock.api.mockito.internal.mockcreation.MockCreator.mock(MockCreator.java:58)
            at org.powermock.api.mockito.internal.expectation.DefaultConstructorExpectationSetup.createNewSubsituteMock(DefaultConstructorExpectationSetup.java:80)
            at org.powermock.api.mockito.internal.expectation.DefaultConstructorExpectationSetup.withArguments(DefaultConstructorExpectationSetup.java:48)
            at com.appdynamics.extensions.urlmonitor.UrlMonitorTest.init(UrlMonitorTest.java:50)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:568)
            at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
            at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
            at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
            at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24)
            at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
            at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
            at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
            at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
            at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
            at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
            at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
            at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
            at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
            at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:316)
            at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:240)
            at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:214)
            at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:155)
            at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:385)
            at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:162)
            at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:507)
            at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:495)
    Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.ExceptionInInitializerError [in thread "main"]
            at org.mockito.cglib.core.KeyFactory$Generator.generateClass(KeyFactory.java:167)
            at org.mockito.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
            at org.mockito.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:217)
            at org.mockito.cglib.core.KeyFactory$Generator.create(KeyFactory.java:145)
            at org.mockito.cglib.core.KeyFactory.create(KeyFactory.java:117)
            at org.mockito.cglib.core.KeyFactory.create(KeyFactory.java:109)
            at org.mockito.cglib.core.KeyFactory.create(KeyFactory.java:105)
            at org.mockito.cglib.proxy.Enhancer.<clinit>(Enhancer.java:70)
            at org.mockito.internal.creation.jmock.ClassImposterizer.createProxyClass(ClassImposterizer.java:68)
            at org.mockito.internal.creation.jmock.ClassImposterizer.imposterise(ClassImposterizer.java:50)
            at org.mockito.internal.util.MockUtil.createMock(MockUtil.java:54)
            at org.mockito.internal.MockitoCore.mock(MockitoCore.java:45)
            at org.mockito.Mockito.mock(Mockito.java:921)
            at org.mockito.Mockito.mock(Mockito.java:816)
            at com.appdynamics.extensions.urlmonitor.RequestConfigTest.init(RequestConfigTest.java:50)
            ... 25 more
Hello everyone. I have a search with a subsearch that runs correctly on a test environment (Splunk 8.2.9). Now I copied it to a production environment (Splunk 82.9), but it doesn't run: the subsearch always has zero as its result.

    | rest /services/authorization/roles/ | search title="logmon_app*" | table title | rename title as role | join type=left role max=0 [| rest /services/authentication/users | table roles title | rename title as userName,roles as role | mvexpand role | search role="logmon_app*" ] | stats values(userName) as username by role | eval rolepresent="yes" | outputlookup logmon_roles_users.csv override_if_empty=false

Thank you
So we have a Deployment Server with an application on there that already sends the three basic Windows Event Logs (Application, Security, and System) to an index, say called EventLogs. Can we in the same app have the same three logs sent to a second index, say called EventLogs2? I know this may sound a bit crazy, but this is just for troubleshooting and will only be implemented for a couple of days. The inputs.conf stanzas look something like this:

    [WinEventLog://System]
    index=EventLogs
    disabled = false

    [WinEventLog://System]
    index=EventLogs2
    disabled = false
Hi everyone, for one of our clients we are sending JSON log data via log4j2 to the Splunk Cloud HEC token. We are using the /event/collector/raw endpoint. What I notice is that the fields are not extracted consistently. We do not see any pattern in our process, so we cannot pinpoint the exact location of the issue. I am using the following source type with its configs: Hopefully someone can see what might cause this issue. Thank you in advance. Duy
I was running through the installation guide for SecKit TA IDM Windows and there are searches it asks you to run, but after running them I discovered about a third don't work or point to lookups that don't have lookup files, period. I switched some around to point to a csv that is close, but that doesn't seem the best option, as there are lookups for different circumstances such as org, person, default, accounts, bunit, nha etc. I attached a screenshot of the lookups and lookup file tables post tricking the lookup file tables. If there's anyone who has used this or set it up to get assets and such info into ES, I would like to know what you did. Thanks.
Hello All, I need help to build an SPL for finding details of Accelerated Data Models which have failed to execute or failed to complete. I have used the rest command to fetch details of data models, but I am unable to find any fields that show if and when it failed.

    |rest /servicesNS/nobody/-/datamodel/model splunk_server=local
    |rex field=acceleration "\{\"enabled\"\:(?<acceleratedValue>[^\,]*)"
    |search acceleratedValue=true

Thus, it would be very helpful to get your suggestions and approach. Thank you, Taruchit
Hello All, how do I find the scheduled time and dispatch time of each saved search and alert? The goal is to fetch the two timestamps and then find the magnitude of delay, if any. I tried to use the below, but I get the cron schedule and not the timestamp, even though cron was not used while defining it.

    |rest /servicesNS/-/-/saved/searches
    |search is_scheduled=1

Thus, I need your help and suggestions to build the same. Thank you, Taruchit
I have two searches/data sets that I would like to combine into a table, and am not entirely sure what the correct process for completing the task is. I would like to use the Mandiant indicators/information and another search to look for activity that occurred, and get the data from both into one table with a total count of detected activity. If anyone could provide assistance or a recommendation with this matter it would be much appreciated.

First Search (Fields Needed: src_ip, dest, City, Country):

    index=pan_logs OR index=estreamer dest="*" | iplocation src_ip | stats count by src_ip dest City Country

Second Search (Fields Needed: src_ip, category, mscore, type, malware, threat_actor)

First Variation:

    | inputlookup mandiant_master_lookup | search type=ipv4 | eval src_ip=_key | table category mscore type malware threat_actor

Second Variation:

    | lookup mandiant_master_lookup _key as src_ip output category mscore type malware threat_actor

Attempted Join that didn't work:

    |index=pan_logs OR index=estreamer dest="*" | iplocation src_ip | stats count by src_ip dest  City Country | join type=outer indicator [inputlookup mandiant_master_lookup | eval src_ip=_key | table src_ip category mscore type malware threat_actor]

Search that was close, but needed additional iplocation data and action from device:

    index=pan_logs OR index=estreamer dest="*" | lookup mandiant_master_lookup _key as src_ip output category mscore type malware threat_actor | fillnull value="" | search type=ipv4 | makemv delim=";" category | stats count by src_ip dest category mscore severity type malware threat_actor
For example, in props.conf TIME_PREFIX requires a regex. My regex seems to work in my search, but does not seem to be applied to my data via the .conf file.