Hi, I want to write a case condition where I can check values from the Range column. For instance:
If the range for both Cost and Product is low, then a new column should show low.
If the range for both Cost and Product is severe, then the new column should show severe.
If Cost=severe and Product=low, OR Cost=low and Product=severe, then the new column should show elevated.
Please suggest.
Hello, I am facing issues finding a delta. I have:
Lookup table: testaccount_holder.csv, with 2 field names: account_no and cell
index=test, sourcetype=test_account, with 2 field names: account_no and cell
Now I need to compare the lookup table with the sourcetype using these 2 fields and find all the records/rows which exist in the lookup table but not in the sourcetype. This comparison is based on these 2 fields. Any recommendations will be highly appreciated. Thank you so much.
I have 2 groups of data:
messageId1: ['A', 'B', 'C']
messageId2: ['A', 'E', 'F', 'G', 'T', 'Z']
How do I return the values that are ONLY present in messageId1 and not in messageId2? So the result for this would be: 'B' and 'C'.
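Both the lookup-versus-sourcetype question above and the messageId1-minus-messageId2 question are the same operation: an anti-join (set difference) on a key. The added SPL below is an editor's example, not either poster's search. It assumes the lookup file, index, sourcetype and field names given in the lookup post (testaccount_holder.csv, index=test, sourcetype=test_account, fields account_no and cell) and that both sides use the same field names. The index is searched as the main search and the lookup is appended to it, so no subsearch row or time limit applies to the large side:

```spl
index=test sourcetype=test_account
| stats count by account_no, cell
| eval in_index=1
| inputlookup append=true testaccount_holder.csv
| eval in_lookup=if(isnull(in_index), 1, null())
| stats max(in_lookup) as in_lookup, max(in_index) as in_index by account_no, cell
| where in_lookup=1 AND isnull(in_index)
| table account_no, cell
```

The first stats collapses the indexed events to one row per (account_no, cell) pair and tags it in_index=1; the lookup rows arrive untagged and get in_lookup=1; the second stats merges the two sides by key, so a pair that only the lookup contributed has in_lookup=1 and no in_index. For the messageId question the same three steps apply: tag each row by which messageId it came from, stats by the value, and keep values seen only under messageId1. Swapping the where clause to in_index=1 AND isnull(in_lookup) returns the opposite delta (accounts in the index that the lookup does not know about), which is usually the more interesting finding from a security point of view.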
Hi all. I have one SHC with 3 search heads. I thought that if I created a HEC using the web GUI on a specific member, the others would replicate the HEC, but they did not. How should I fix that? My SHC members have replication_port = 9887 in server.conf.
I need to create a single field named MemberOf from the XML snippet below. It should look like this:

memberOf
CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com
CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com

The XML snippet:

<entry key="memberOf">
  <value>
    <Map>
      <entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
    </Map>
  </value>
</entry>
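One way to pull every group DN out of that snippet into a single multivalue field, as an added example rather than the poster's own search: a rex with max_match=0 captures each self-closing entry whose key starts with CN=, which skips the outer entry key="memberOf" wrapper. The makeresults line builds a shortened copy of the XML inline so the search runs without the poster's data; replace it with the real search over the events that carry the XML. The stray space before the comma in "CN=Buttercup ," is normalised with replace so the DN compares cleanly against other sources.

```spl
| makeresults
| eval _raw="<entry key=\"memberOf\"><value><Map><entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/><entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/><entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/></Map></value></entry>"
| rex max_match=0 "<entry key=\"(?<MemberOf>CN=[^\"]+)\"\s*/>"
| eval MemberOf=mvmap(MemberOf, replace(MemberOf, "\s+,", ","))
| eval MemberOfCount=mvcount(MemberOf)
| table MemberOfCount, MemberOf
```

MemberOf comes back as a multivalue field with one DN per value, which is what most downstream commands (mvexpand, lookups against a group inventory, stats by MemberOf) want. If a single string is needed instead, add an eval MemberOf=mvjoin(MemberOf, "\n"). Note that DC= components differ in case between entries in the snippet (buttercup versus Buttercup); apply lower() before comparing DNs across sources.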
I am trying to split the values in both the columns and create 5 rows by assigning respective values. I need an output as below. Can someone suggest how I can achieve this? I tried mvexpand but it does not seem to help. Anything else we can try?

field1   | field2
---------+-------
Name 1   | 10
Name 2   | 12
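mvexpand on one field at a time cannot keep the two columns aligned; the usual pattern is to zip the two value lists into one multivalue field first, expand that, then split each pair back out. The search below is an added example, not the poster's; it assumes field1 and field2 are comma-separated strings of equal length (the makeresults and eval lines build constructed sample values, replace them with the real search), and that the separator "|" used by mvzip does not occur inside the values.

```spl
| makeresults
| eval field1="Name 1,Name 2,Name 3,Name 4,Name 5", field2="10,12,7,30,4"
| eval pair=mvzip(split(field1, ","), split(field2, ","), "|")
| fields - field1, field2
| mvexpand pair
| rex field=pair "^(?<field1>[^|]+)\|(?<field2>.*)$"
| table field1, field2
```

This yields five rows, one per name with its matching number. If field1 and field2 are already multivalue fields rather than delimited strings, drop the split() calls and pass them to mvzip directly. Pick a delimiter for mvzip that cannot appear in the data; a tab or a control character is safer than "|" when the values are user-controlled.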
TL;DR: What is wrong with the SPL at the end?

I am trying to list the IIS cs_user_Agent(s) for each test customer. The EventID field that is found in the SystemLog matches up with the IISEventId field in IIS. That is how they are connected. The inner search (sourcetype="SystemLog*") run alone returns 6,000 events. That is correct. With the join, 160,000 events are returned. Since the subsearch is run first and every EventID is unique, I would expect 6,000 events. There is only one CustomerName shown in stats and it is the same in each row. The CustomerName is also different on each search. If I add a specific customer to the subsearch, such as CustomerName="Bob's Pizza" or CustomerName="Bolts R Us", the same number of results are returned.

Search: The names have been changed to protect the innocent. Any spelling errors or missing quotes are just a failure in my typing ability. I have switched the two searches in the join and also switched the rename order and had the same problem. If the subsearch is run first and the join uses the renamed field from the subsearch for the outer search, this seems correct to me.

index=myIndex sourcetype=IIS
| join IISEventID
    [ search index=myIndex sourcetype="SystemLog*" IsTestCustomer="True"
      | rename EventID as IISEventID
      | fields CustomerName ]
| stats count by CustomerName cs_User_Agent

This is a sample of the output. I know that Bob's Burgers does not use PRTG. If I run it again the CustomerName may be "The Three Broomsticks" or any other customer.

CustomerName    cs_User_Agent                  count
Bob's Burgers   Rebex+HTTPS                    2150
Bob's Burgers   Mozilla/4.0+                   934
Bob's Burgers   Mozilla/5.0                    611
Bob's Burgers   Amazon-Route53-Health-Check    464
Bob's Burgers   PRTG/Go+Health+Check           124

Thanks for any help.
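In the join above, the subsearch ends with "| fields CustomerName", which drops IISEventID, the very field the join keys on; the subsearch rows therefore carry no key for the outer events to match, which fits the symptom of one customer name being stamped on every IIS event. Keeping the key ("| fields IISEventID CustomerName") is the minimal fix. Join also silently truncates the subsearch at its row limit, so the idiomatic way to correlate two sourcetypes is a single search plus eventstats. The search below is an added example, not the poster's; it assumes the index, sourcetype and field names shown in the post.

```spl
index=myIndex (sourcetype=IIS OR (sourcetype="SystemLog*" IsTestCustomer="True"))
| eval IISEventID=coalesce(IISEventID, EventID)
| eventstats values(CustomerName) as CustomerName by IISEventID
| where isnotnull(cs_User_Agent) AND isnotnull(CustomerName)
| stats count by CustomerName, cs_User_Agent
```

Both sourcetypes come back in one pass; coalesce puts the SystemLog EventID and the IIS IISEventID into one key; eventstats copies the customer name from the SystemLog event onto every IIS event that shares that key; the where clause keeps only IIS events (the ones carrying cs_User_Agent) that were matched to a test customer. The final count is then per IIS event, as in the original, and the customer name per row comes from the matching SystemLog event rather than from whichever subsearch row happened to come first.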
I installed a SH, and before I added it to the SH cluster search worked; after I added it I got the following. So what's going on? Why does Splunk do this as I gain momentum?
Hi all, how do you collect your macOS security logs and index them into your Splunk Cloud/Enterprise instance? I already have a deployment server, so it would be great to just install the UFs with some parameters to connect to the DS, and from there on install the app and make the UF send what the app tells it to send. Is the best way to do it using the Splunk UF? Apple changed to the Unified Log database format, so how do you do it? My manager suggested SC4S, but is it necessary? Can SC4S even ingest macOS data? We want the SC4S server to remain internal since all of us are WFH. SC4S is not recommended to be used with wireless networks, firewalls, or IDSs, which we all have, so I don't think that's possible. I would greatly appreciate your help.
I am trying to create a search to generate an alert if I find a host that has more than 1000 events for two consecutive 10-minute periods. The first search would look for a particular string to see if there are more than 1000 occurrences (by host) from 20 minutes ago to 10 minutes ago. Then I want to see if that same host has more than 1000 events from 10 minutes ago to now. Would I use two different searches with the same search (index=anIndex source=aSource "aString") with just different lookbacks, (earliest=-20m latest=-10m) and (earliest=-10m latest=now), and then appendcols? Where this stumps me is how I would make sure that it's the same host from the first search that is also found in the second search. Or is there a different/better approach for this type of comparison search?
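appendcols lines rows up by position, not by host, so it cannot answer "the same host in both windows". One search over the full 20 minutes that labels each event with its window and then aggregates twice does; the host is the group key throughout, so the match is guaranteed. This is an added example, not the poster's search; it assumes the index, source, search string and thresholds given in the post, and that the alert is scheduled to run on a 10-minute cadence so the two windows line up with the schedule.

```spl
index=anIndex source=aSource "aString" earliest=-20m latest=now
| eval window=if(_time >= relative_time(now(), "-10m"), "current", "previous")
| stats count as events by host, window
| where events > 1000
| stats dc(window) as windows_over, min(events) as min_events by host
| where windows_over = 2
| table host, windows_over, min_events
```

The first stats gives one row per host and window; the where keeps only rows above the threshold; the second stats counts how many distinct windows each host exceeded it in, and only hosts that cleared the bar in both survive. The same shape generalises to N consecutive windows by bucketing _time with bin span=10m and requiring dc(_time)=N, which is also how to build a "sustained burst" detection rather than a two-window check.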
Here's my query:

index=comp_logs "processed=" | eval name=consumerGroupId | timechart span=1h sum(processed) as processed by name

It gives me this result: For each column, I'd like to get the top 10 values in descending order (we can remove the _time column). Is this possible with timechart? Thank you!
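timechart itself cannot rank within a column, but its output can be turned back into rows with untable, ranked per series with streamstats, and cut at 10. The search below is an added example, not the poster's own; it keeps the poster's index, field and span and adds limit=0 so that timechart does not fold series beyond its default of 10 into an OTHER column.

```spl
index=comp_logs "processed="
| timechart span=1h limit=0 sum(processed) as processed by consumerGroupId
| untable _time name processed
| sort 0 - processed
| streamstats count as rank by name
| where rank <= 10
| sort 0 name, rank
| table name, rank, _time, processed
```

untable converts the wide timechart (one column per consumer group) into long rows of _time, name, processed; sorting descending and numbering per name with streamstats gives each group's rank; the where clause keeps each group's ten largest hourly totals. Drop _time from the table if only the values matter.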
Has anybody managed to integrate a dashboard with FIRST's cvsscalc31.js? We would like to get the cyber data scored using this script - Common Vulnerability Scoring System v3.1: Calculator Use & Design   
I'm trying to alert/query any host that has not had an update in more than, say, 30 days. Here is the search in Splunk:

index=endpoint_mcs_server sourcetype="Windows:UpdateList"

Which gives me this data:

PSComputerName="host" description="Update" hotfixid="KB5022503" installedby="NT AUTHORITY\SYSTEM" Installedon="02/23/2023"

So it gives me a date, "InstalledOn", so I just need to edit the search to only show systems that have not "InstalledOn" and/or had an update in the last 30 days. Thanks for the help.
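The question is really "what is the newest install date per host, and is it older than 30 days", which is a max() per host followed by a date comparison. The search below is an added example, not the poster's; it assumes the index, sourcetype and field names in the sample event, including the field name Installedon exactly as it appears there (Splunk field names are case-sensitive, so InstalledOn would not match) and the MM/DD/YYYY date format.

```spl
index=endpoint_mcs_server sourcetype="Windows:UpdateList" earliest=-90d
| eval installed_epoch=strptime(Installedon, "%m/%d/%Y")
| stats max(installed_epoch) as last_update by PSComputerName
| eval days_since_update=round((now() - last_update) / 86400)
| where days_since_update > 30
| eval last_update=strftime(last_update, "%Y-%m-%d")
| sort 0 - days_since_update
| table PSComputerName, last_update, days_since_update
```

Two caveats matter for a patch-compliance alert. First, the time range must be wide enough that every host's most recent install is inside it, otherwise max() sees an artificially old date; 90 days is used here as an assumption. Second, this search only reports hosts that are still sending UpdateList events: a host that has stopped reporting altogether never appears, and a host whose Installedon fails to parse gets a null last_update and is dropped by the where clause. To catch silent hosts, compare the PSComputerName values against an inventory lookup of expected hosts and alert on the ones missing from the results.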
Hello, I'm having issues with line breaking for some reason. I'm looking to break an event every 6 lines. Any suggestions? Log example:

Total Operations Currents/sec:Max/sec:Success:Failed
2 144 184469195 201
Key Generate Current/sec:max/sec:Success:Failed
0 0 0 0
Key Version Generate Currect/sec:Max/sec:Success:Failed
0 0 0 0
Key Version Generate Currect/sec:Max/sec:Success:Failed
0 0 0 0
After updating my add-on to 4.1.2 I am getting this error during certification:

check_python_sdk_version: Detected an outdated version of the Splunk SDK for Python (1.6.6). Please upgrade to version 1.6.16 or later. File: bin/add-on/aob_py3/solnlib/packages/splunklib/binding.py
I want to add a new row to my search result using values from the previous result. Basically I am counting a few strings and I want to display the percent of each matched string in a new row using some mathematical operators or functions. Below is what I have done. My first query works fine but the second query in append is giving an error. The error is: Error in 'eval' command: The expression is malformed. Expected AND.

index="12345" "Kubernetes.namespace"="testnamespace"
| bin _time
| stats count(eval(searchmatch("String1"))) AS Success count(eval(searchmatch("string2"))) AS Sent count(eval(searchmatch("string3"))) AS Failed
| append [ stats eval Success_percent= Success/(Success+Sent +Failed) AS Success eval Sent_Percent= Sent/(Success+Sent +Failed) AS Sent eval Failed_percent= Failed/(Success+Sent +Failed) AS Failed ]
| transpose 0 column_name="Status"
| rename "row 1" as Count
| rename "row 2" as "Percent"
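The append subsearch cannot see the outer results (a subsearch runs on its own, so Success, Sent and Failed are undefined inside it), and "stats eval ..." is not valid syntax, which is what the malformed-expression error is reporting. appendpipe is the command for this job: it runs a pipeline over the current results and appends the output as extra rows. The search below is an added example, not the poster's; it keeps the poster's index, namespace field and search strings, and names the label column Row.

```spl
index="12345" "Kubernetes.namespace"="testnamespace"
| stats count(eval(searchmatch("String1"))) as Success,
        count(eval(searchmatch("string2"))) as Sent,
        count(eval(searchmatch("string3"))) as Failed
| eval Row="Count"
| appendpipe
    [ eval Total=Success+Sent+Failed
      | eval Success=round(100*Success/Total, 2),
             Sent=round(100*Sent/Total, 2),
             Failed=round(100*Failed/Total, 2)
      | eval Row="Percent"
      | fields - Total ]
| transpose 0 header_field=Row column_name=Status
```

After the stats there is one row of counts labelled Count; appendpipe derives a second row of percentages from it labelled Percent; transpose with header_field=Row turns the two labels into column headers and the three status fields into rows, giving a Status / Count / Percent table without any "row 1" renaming. If all three counts are zero, Total is 0 and the percentages come back null rather than raising an error.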
Hello, we are monitoring OpenShift with AppDynamics 21.4.17. We are using auto-instrumentation to monitor some namespaces. We noticed that when some pods are removed, their app agent status shows 0% on the controller, but their machine agent keeps showing 100%. The node stays on the controller until it is manually deleted. Has anyone experienced similar behavior? Thanks.
Our Splunk license usage hit 100% and we are not sure how this is happening. We checked the DMC and it shows two of our servers and a few clients are sending excessive amounts of events. This was not happening before; it turns out someone was messing with the config files on our Splunk server. Would anyone know which config files are causing the issue? All local input config files were in some way modified.
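Before reading modified inputs.conf files, it helps to know exactly which host, sourcetype and index account for the jump, since that points straight at the input that was changed. The license manager records per-host, per-sourcetype volume in license_usage.log; the search below, an added example rather than anything from the post, ranks the last seven days by gigabytes. It assumes the search runs on, or can reach, the _internal index of the license manager, and that the deployment is below the squash threshold (when a license manager tracks more distinct host and source pairs than that threshold it blanks the h and s fields and only st and idx remain).

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-7d@d
| stats sum(b) as bytes by h, st, idx
| eval GB=round(bytes/1024/1024/1024, 2)
| sort 0 - GB
| head 20
| table h, st, idx, GB
```

The fields are the log's own: h is host, st is sourcetype, idx is index and b is bytes counted against the license. Comparing the top rows against the same search for the previous week shows which host and sourcetype grew. To find the file responsible on the Splunk server itself, the "splunk btool inputs list --debug" command prints every effective inputs.conf setting together with the file it came from, so the newly modified local stanzas stand out.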
Check the Welcome Center for information about your Community profile and how to personalize it

We're back with some tips for you in the Community Welcome Center! This week, learn details about using your Community profile and updating your details, from your time zone to your avatar.

Today in Community 101: two new Welcome Center articles cover personal profiles and how to change settings, as well as your avatar. Our Community's value lies in connecting AppDynamics users with information, whether from AppDynamics-created content or conversations with other practitioners. One valuable aspect of setting up your profile is giving the community a sense of who you are, your industry, and your role within your org.

See those articles here: How do I update and use my profile? How do I update my avatar?

Where can I find the Welcome Center? Check out the Welcome Center for yourself, from the top navigation under Groups. You'll find a discussion area as well as "how-to" articles. See you there!

Cheers, Claudia Landivar and Ryan Paredez, AppDynamics Community Managers

Related Content: What do you need to know about connecting in the Community? What do you get from subscribing in the Community? Now in the Welcome Center: new "search how-to" articles. Introducing the Community Welcome Center. Explore the Welcome Center here.
We have Security Hub data centralized from all our accounts and have now connected Data Manager to that central account so we can get all Security Hub findings into Splunk Cloud. I have noticed that the data coming in has a basic parser but it isn't separating the different streams, i.e. GuardDuty, Config, etc.   Is there a way to properly parse and tag all this data from the Security Hub feed so that it will populate all dashboards and data models etc.?