Hi,
Below is the installation guide mentioned in the addon:
- This add-on should be installed on Search Head nodes.
- Drop this bad boy into $SPLUNK_HOME/etc/apps or download it from the GUI, etc.
- Use the Setup to establish global SM Connection and Credential Parameters, and set the
Field Captions as exposed in SM's RESTful API.
- You'll need to talk to your SM administrator to get a user/pass for the API.
- The user must have the "RESTful API" capability word and rights to create Incident records.
- Default captions are suggested, based on an out-of-box v9.52 Service Manager API.
- The out-of-box v9.52 probsummary extaccess record still captions Subcategory and
Area respectively as Area and Subarea, even though the Incident screen labels them
as Subcategory and Area. For consistency, it is recommended that the Service Manager
Administrator re-caption these in the probsummary extaccess record.
- That's it! The add-on is installed!
- Now, when you or your users are creating alerts which will generate SM Incident
tickets, you can select which values will go into which fields.
- These can be the same values for all alerts, or separate values - as you please, but in
this release they will need to be re-entered for each alert if you choose the former.
- Deploy to Distributed Search Head Cluster:
You'll need to set the SM operator password on each node. Sorry about that, but since this
add-on uses the storage/passwords API to encrypt the SM operator password, it is what it is.
You can set every other global parameter in the Setup, and then only have to set the
password on each node, though.
Please note that this is an addon and you will be able to view it in the alert action
...