11-12-2023 21:20:03.288 +0900 ERROR CacheManager [3953110 TcpChannelThread] - Failed to check receipt for cache_id=""dma|ioapratraffic~434~9DF98E46-8A38-48F5-9EFB-90D0467F1463|89513704-8894-4CFC-AC58-9BF7D36B3B59_DM_Splunk_SA_CIM_Compute_Inventory"" err=Service Unavailable Before upgrading, the following error were frequently output from the indexer, but after upgrading, they were still output, but the number of error has drastically decreased.    version upgarded from 8.2.1 to 8.2.7

I am trying to get percentage value fields for multiple fields by time, and fields are dynamic. How can I calculate?  search | eval Duration=tostring(round(TimeDiff1), "duration") | chart count over TimeDiff1 by MaterialNumber | chart sum(*) as * by TimeDiff1 span=300  my result is: TimeDiff1 KM50115007V002 KM51585489V000 KM51585490V000 KM51585494V000 0-300 24 0 2 0 300-600 0 1 0 0 600-900 0 7 0 1 900-1200 0 0 0 0 1200-1500 0 0 0 4 1500-1800 0 0 0 0 1800-2100 0 0 0 0 2100-2400 0 0 0 1   But, I want result in below format.  TimeDiff1 KM50115007V002 KM51585489V000 KM51585490V000 KM51585494V000 perc(KM50115007V002) perc(KM51585489V000) perc(KM51585490V000) perc(KM51585494V000) 0-300 24 0 2 0 100 0 100 0 300-600 0 1 0 0 0 12.5 0 0 600-900 0 7 0 1 0 87.5 0 16.66666667 900-1200 0 0 0 0 0 0 0 0 1200-1500 0 0 0 4 0 0 0 66.66666667 1500-1800 0 0 0 0 0 0 0 0 1800-2100 0 0 0 0 0 0 0 0 2100-2400 0 0 0 1 0 0 0 16.66666667  

I have three Splunk ver 9.0.0 on Windows Server 2019 environments completely isolated and I like to run the Web interface even on my Indexers so I have it running just fine on 6 clustered Indexers in Production where it runs as https with our own certificates I also have it running on http in my home lab also on 3 Indexers in a cluster  but when I try to run it in our lab on 3 clustered Indexers for the life of me it won't start, I have restered Splunk 900 times and I even tried the Splunk Start Splunkweb and it never does these checks:  Waiting for web server at https://127.0.0.1:8000 to be available.   nor give me the message that the web is running: The Splunk web interface is at http://MyIndexServer01:8000

My requirement is to fire an action from Appdynamics using ansible to restart the the AppServer. How we can integrate Appdynamics to Ansible and What configuration is required at ansible side , please share.

Hello, I was using a search and getting an error message stated in the subject. I have tried moving the tstats around and editing some of the commands but either run into the same error or tsidx error. Here is the search as follows.   index=netsec_index sourcetype=pan* OR sourctype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url) | eval domain=misc + "," + url | makemv delim="," domain | fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain | table _time action category rule session_end_reason http_category vendor_action url misc domain Domain | stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")` | tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user | rename All_Traffic.* as * | sort - bytes_out | eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")` | eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")` | eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")` | eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")` | eval packets_in=tostring(packets_in, "commas") | eval packets_out=tostring(packets_out, "commas") | eval bytes=tostring(bytes, "commas") | eval bytes_in=tostring(bytes_in, "commas") | eval bytes_out=tostring(bytes_out, "commas") | fields - count | head 100 If any guidance can be provided I would be appreciate it. Thank you.

I'm trying to blacklist the event code 4634 when user_type = computer.  I'm using the below blacklist in my inputs.conf file and it doesn't seem to work.  When I remove user_type="computer", it does properly filter out the event code 4634, but it doesn't work when I try the combination of the two.  What am I doing wrong or is there a different way to accomplish this?   blacklist4 = EventCode="4634" user_type="computer"

Recently I upgraded splunk enterprise to 9.0.2 version. After few days, Index queue fill ratio is 100% and indexing rate is 0. I increased max queue size to 100MB, but still there is a bottleneck on Index Queue. I think Indexers are too late to write data to disk. How to change indexer speed or size to write disk? Please help.

Is there any way to join 2 metrics in plot editor and create a chart or Table. Eg. Plot A have "otelcol_process_cpu_seconds" and Plot B "have cpu.utilization".  I need to create Plot C list data exist in B (cpu.untilization) but not exist in plot A(otelcol_process_cpu_seconds").  I tried with formula, but formula works only for math operations like B-A (single value) but not working for showing the listing data, I need to plot table shows host name not in "otelcol_process_cpu_seconds".

Hi all, I'm trying to install(tar.gz file) an app available on GitLab. I am using 'apps/local' endpoint to install it.     curl -k -u user:pass -X POST https://localhost:8089/services/apps/local -d path=https://gitlab.com/xxxxx/yyyyy/internal_app-1.0.0.tar.gz -d update=1     But it gives an error like below.     splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- Unexpected error downloading update: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.     Does anyone have an idea how can i solve it? Btw, i do not want to disable ssl-tls verification if possible.    

Hi all, I am very new to Splunk and trying to learn it. Following is my JSON: {         TrainID=AA11           TrainData: [                                     {                               ConnectingTrain: {                                                                 TR1: {                                                                             connectionTime: 59                                                                              TotalPassengers: 44                                                                          },                                                                     }                                    }                           ]            connectionTime : 38 } Here I want to print the value of connection time which is under TR1 and not the one that is a duplicate variable having a different value. Appreciate any pointers here.   Thanks, Chetan

We need to use HTML tags in alert email body, right now whatever the tag we pass, they are considered as text and displayed in the email as it is. As per below suggested solution we need to update sendemail.py file in splunk server. https://community.splunk.com/t5/Alerting/How-to-add-HTML-markups-to-alert-email/m-p/524453 Is there any other way to achieve this? Need help on this.

I have index that suddenly stoped indexing data. even after I entered crcSalt = <SOURCE> to the inputs.conf file data is not indexed anymore the logs continue to show the following error: "File will not be read, is too small to match seekptr checksum (file=<file_path>). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info." any idea how to resolve this issue?