I need your help to figure out how to put multiple HF or indexer names in collectd.conf for metrics data.
I want high availability for HF. In case HF1 is down, my HF2 should be able to send data, or vice versa.
e.g. I have HF servers HF1 and HF2
My existing configuration:
...
Once an alert is registered to Alert manager, the initial status is new, then it should change to "auto_assigned" or "auto_resolved". But in our case, in the Production environment, it is not changing its state from "new". Has anyone faced this kind of issue, and if so, what is the solution?
...
@xpac, I wanted to add to your second point that the query in the question returns only the productId field through the final pipe | productId . The <fieldForLabel> and <fieldForValue> options for the dropdown must contain the field names returned in the Search Query if Dynamic Options are used for building choices for the dropdown. If field names do not match, i.e. (1) either they are not present or (2) they have a different casing/name, then it is expected behavior that the Dropdown will show the Duplicate Values Causing Conflict error.
Secondly, just FYI, the | fields command will retain the fields mentioned and also all internal fields with an underscore ( _ ), i.e. _time, _raw etc. So either they need to be explicitly removed with | fields - _* or the | table command can be used for specific fields.
Ideally, as a fix, the following query should be used:
index="main" sourcetype="access_combined_wcookie" status="200" file="success.do" productName="*" productValue="*"
| dedup productValue
| table productName productValue
The base search filters and productName="*" and productValue="*" ensure events with both fields present are returned. Since the productValue field is the fieldForValue , it should be unique. Hence dedup is performed on productValue. If it is not, the search query should have an eval to create a unique value field, i.e. something like | eval productValue = productId."-".productValue .
However, having said all this, @Anirban92Chakraborty you should check the query with productName and productValue in an independent search. Only if they are returning these unique records for productName and productValue should you use them.
Based on the query provided, are you working with the Buttercup Games Search Tutorial data from Splunk? I don't think the productId field is available for source="success.do" . Also, productName is not present in the raw events. Splunk Documentation provides it as the prices.csv lookup file to enrich product Ids with their corresponding names and prices. If that is so, make sure you have the lookup file uploaded and the lookup definition created. Even with the lookup file you should use productId as <fieldForValue> and productName as <fieldForName> as the field productValue does not exist (unless you have created one).
Please try out and provide further details if provided details do not work.
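A Simple XML dropdown wired to the query from the answer above, added here as an example that is not part of the original post. The token name product_tok, the labels and the time range are assumptions.

```xml
<form>
  <label>Product selector (constructed example)</label>
  <fieldset submitButton="false">
    <!-- product_tok is an assumed token name -->
    <input type="dropdown" token="product_tok" searchWhenChanged="true">
      <label>Product</label>
      <!-- Both names must match, including case, a field the query returns -->
      <fieldForLabel>productName</fieldForLabel>
      <fieldForValue>productValue</fieldForValue>
      <search>
        <!-- dedup keeps one row per productValue so no choice value repeats;
             table drops every other field, including _time and _raw -->
        <query>index="main" sourcetype="access_combined_wcookie" status="200" file="success.do" productName="*" productValue="*"
| dedup productValue
| table productName productValue</query>
        <!-- assumed time range -->
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>
```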