Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About wfrankl2
wfrankl2
Explorer
Member since:
01-29-2016
09-26-2022
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 01-29-2016 |
Activity Feed
- Posted Re: Uploading images in Dashboard Studio on Security. 09-26-2022 04:42 AM
- Got Karma for Re: How is Server Identified After clone-prep-clear-config Script is Run?. 07-16-2022 10:10 AM
- Posted Re: How is Server Identified After clone-prep-clear-config Script is Run? on Deployment Architecture. 07-15-2022 12:29 PM
- Posted Re: Is the universal forwarder 8.0 supported on Windows 2012 R2? on Getting Data In. 10-11-2021 10:34 AM
- Posted Re: Why is there a scheduled dashboard PDF delivery issue after upgrading to 7.2.6? on Dashboards & Visualizations. 11-04-2019 06:22 AM
- Posted Re: Why is there a scheduled dashboard PDF delivery issue after upgrading to 7.2.6? on Dashboards & Visualizations. 11-04-2019 06:21 AM
- Posted Re: ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/eth#/speed: Invalid argument on All Apps and Add-ons. 10-11-2019 06:34 AM
- Posted Can you help us troubleshoot the following naming problem in the Splunk add on for AppDynamics? on All Apps and Add-ons. 09-21-2018 09:08 AM
- Tagged Can you help us troubleshoot the following naming problem in the Splunk add on for AppDynamics? on All Apps and Add-ons. 09-21-2018 09:08 AM
- Tagged Can you help us troubleshoot the following naming problem in the Splunk add on for AppDynamics? on All Apps and Add-ons. 09-21-2018 09:08 AM
- Posted Re: Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-06-2018 07:21 AM
- Posted Re: Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-05-2018 09:48 AM
- Posted Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-05-2018 06:43 AM
- Tagged Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-05-2018 06:43 AM
- Tagged Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-05-2018 06:43 AM
- Tagged Why is the substitution string is not working when using the map command to execute a saved search? on Reporting. 04-05-2018 06:43 AM
- Posted Re: How to get HTTP Event Collectors enabled in Splunk Cloud? on Getting Data In. 10-24-2016 11:10 AM
- Posted Re: Can I get field extraction for XML data that is a data field in a JSON event? on Splunk Search. 01-29-2016 07:05 AM
- Posted Re: Can I get field extraction for XML data that is a data field in a JSON event? on Splunk Search. 01-29-2016 06:59 AM
- Posted Can I get field extraction for XML data that is a data field in a JSON event? on Splunk Search. 01-29-2016 04:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-26-2022
04:42 AM
Following as I have the same question and actually my power users can't upload images either even though documentation says they can.
... View more
07-15-2022
12:29 PM
1 Karma
Update: What I had responded is actually incorrect, in that it's not a feature change but actually a bug. The bug showed up in 8.1.x and fixed in 8.1.6 and apparently in 9.0.x. But in 8.2.5 and potentially any 8.2.x (have a case currently open as of today 7/18/2022) to make that determination. So my apologies in the haste of that response as what research I had done in docs and what we were seeing it appeared the functionality had changed. Leaving the below here as to context of my correction. I believe this behavior changes with 8.2. The host is no longer being stored on ftr, and if you have host coded in your inputs.conf from prior releases. The clone-prep-clear-config command will not clean out that file in the 8.2.x releases, at least not in 8.2.5 that we are on. We just ran up on this issue as we have images that our servers are created from and the steps have been to run the clone-prep-clear-config to reset the inputs.conf host values and the guid. But it no longer clears out the host name from inputs.conf. So we have had to change our steps as we were not having data come into Splunk under the proper host name. So now we remove the inputs.conf as well as run the clone-prep-clear-config to reset our servers.
... View more
10-11-2021
10:34 AM
why did they bring it back in 8.2? But not retro back to 8.0 and 8.1?
... View more
11-04-2019
06:22 AM
Workaround 2 that is. We are cloud so Workaround 1 would be a pain.
... View more
11-04-2019
06:21 AM
This worked for me as well as we started experiencing it when moving to 7.2.6. Thanks for having the answer out here!!
... View more
10-11-2019
06:34 AM
I get the same thing but not just for speed. duplex and docker0
... View more
09-21-2018
09:08 AM
We match our application names to our internal application names in our environment. Some of our applications have a "/" in the name. When we access the metrics URL, it uses the app ID number instead of the application name so this never causes us a problem. But, when we use the summary option, we get errors for the apps that have the "/" because it is using the application name. Here is an example of the error:
09-21-2018 09:55:55.025 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_AppDynamics/bin/appdynamics_summary.py" HTTPError: 400 Client Error: Invalid application id outstanding customer balance is specified for url: https://progressive-prod.saas.appdynamics.com/controller/rest/applications/**Oneof%20our%20Apps/withthechar%20notworking**/metric-data?output=JSON&time-range-type=BEFORE_NOW&duration-in-mins=5&metric-path=Overall%20Application%20Performance%7C*
Besides changing our application name is there any way around this issue?
... View more
04-05-2018
09:48 AM
hmmm ok so a little confused you are still using the actual saved search name in the map. My example I provided was not very well expressed my apologies. Let me go about it like this.
index=testindex |stats count by fielda|eval search_name=if(fielda=="John","John Alert","EveryoneElse Alert")
|map $search_name$
So if I get 2 rows back
fielda=john saved_search="John Alert"
fieldb=joan saved_search="EveroneElse Alert"
Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.
... View more
04-05-2018
06:43 AM
From the documentation
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results"
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and with each value returned, if any, would need to execute a different saved search. So I need to be able to assign the correct saved search name that's used based on a value in the result. then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.
index="testdata" | eval alert="My Test Alert"
| map $alert$
... View more
10-24-2016
11:10 AM
I have had Support open a ticket and it is fairly painless besides waiting on them to do it. We were able to send data immediately. The docs didn't used to tell you to open a ticket. We tried to create ourselves, but as mentioned before, there is the bug that it doesn't create the collector on the indexer so it won't work. That's why they have to create it. Not sure if that is fixed in 6.5, we are 6.4.1.2.
... View more
01-29-2016
07:05 AM
It removes my xml formatting when I paste it in. the TransactiondataXML is the field where the data would be.
... View more
01-29-2016
06:59 AM
I will check it out. I tried to give a snippet of the code but it removed all formatting. I will give it another try.
{"LogName":"ExampleLog","CorrelationId":"f879095a-0109-4235-8ba8-218f43f27220","LoggingLevel":"All","ThreadId":"9","LocalTimeStamp":"2016-01-28T14:38:36.748986-05:00","AccessModeName":"ABC","AgentCode":"00000","AgentPrefixCode":"CA","ApplicationName":"UQ","ChannelCode":"DI","CIFCommonSchemaVersionNbr":"V0200","CIFGeneratedSchemaId":"05c0b8a4-2954-4fb7-a6ae-def569bd4b63","CIFSoftwareVersionNbr":"1.2","DataCenterLocationText":"None","InstrumentationLogDateTime":"/Date(1454070556298)/","LoggingComputerSystemName":"mycomputer","LoggingLevelName":"Critical","MessageText":"Hello world","OperatingEnvironmentName":"Development","PartyLogonIdTypeName":"None","TransactionDataXML":"application0091ef6c7-7d6b-4374-ac6b-8ec67abc6a9630080serverapplication","TransactionDateTime":"2016-01-28T14:38:36.729986-05:00","CIFSchemaValidationErrors":["AccessModeName should be 10 characters"],"CIFSchemaValidated":true,"Custom1":"Custom1Value","EventId":0,"CIFUniqueMessageId":"f879095a-0109-4235-8ba8-218f43f27220"}
... View more
01-29-2016
04:24 AM
I have event data coming into Splunk as JSON, that's all fine and works great, but one of the fields they are going to use is XML. Is there a way to get the XML field extracted from that? Right now it puts the XML as the value in a data field, but they want to search on values in the XML.
snippet
ThreadId: 9
TransactionDataXML: <TransactionDataXML><Input><Extensions><SourceSystem>application</SourceSystem></Extensions></Input><Output><StorePolicyPacketServiceResponse><ResponseCode>0</ResponseCode><ResponseDetails><TransactionId>091ef6c7-7d6b-4374-ac6b-8ec67abc6a96</TransactionId><ElapsedTime>30080</ElapsedTime><MachineId>server</MachineId><OriginalRequest><Extensions><SourceSystem>application</SourceSystem></Extensions></OriginalRequest></ResponseDetails></StorePolicyPacketServiceResponse></Output></TransactionDataXML>
TransactionDateTime: 2016-01-28T14:38:36.729986-05:00
... View more
