Hello Splunkers, I was wondering if it's possible to combine adaptive and static thresholds in IT Service Intelligence for the same KPI. As an example, let's consider the percentage of swap memory used by a host. If I apply static thresholds, I know there's an issue only when the last detected value exceeds a fixed number (we can call this "the old style monitoring" 😋). On the other hand, if I use ITSI adaptive thresholding, the boundary will adapt itself using historical data. This solution would be great, but let's imagine that the swap memory used by the system slowly but continuously grows over days and weeks. At a certain point, it will reach 100%, but the KPI state will say "normal" because that value is, in some way, aligned with previous ones. Is there a way to use the adaptive thresholding behavior while keeping the "emergency" values fixed? Thanks in advance. Happy Splunking! ... View more

Hi Splunkers, I'm trying to use ITSI to monitor my Windows intrastructure. I used the data collection script (generated by ITSI) to automatically install and configure the splunk forwarder on a test windows 2019 server. I  see the data stream coming from the test server to indexer. The entity is correctly created but both the Sample service and base searches created with the "Data Integrations -> Monitoring MS Windows" doesn't work. For what I understood until now there is a mismatch between the sourcetype assinged by forwarder and the one used in base searches.  sourcetype=perfmonMK:LogicalDisk (in base search) vs sourcetype=PerfmonMetrics:LogicalDisk (in indexed data) Is there someone else with the same issue? Could be a bug? Any tips to fix ?   ... View more

Hi Splunkers, I've installed both Add-on for VMware metrics collector and Add-on for Unix and Linux. I noticed that  the same host collected by the two add-on is managed in different ways. Is there a best pratice to follow in order to merge data or at least to tell ITSI we're talking about the same host? I've already tried to merge entities but without finding an acceptable solution. Can someone help me on this topic? ... View more

Hi Splunkers, I'm here again asking for help with the alert manager app. I'm trying the "auto-resolve" feature combined with "append incident with the same title". I would like that all incidents with new appended events to be automatically closed at time "last_event + ttl" What I'm seeing now is an automatic closure at time "open time + ttl" even if there are new events for the same incident. Here below a simple example: Auto-close = enabled Append new incidents = enabled Search = my search TTL = 11m Incident creation time = 13:00:00  Appended events time = 13:05:00 , 13:10:00 Auto close time = 13:00:00 + 11m = 13:11:00 Desidered auto close time = 13:10:00 + 11m = 13:21:00 Thanks in advance for your support. ... View more

Hello Splunkers, I have an heavy forwarder that receives millions of events in json format. In order to save space and license I'd like to send to indexer only some interesting fields. I tried different combinations with props and transforms but without success. What I obtained is simply the match of first group of regex and nothing else. Here below the configuration (I reduced the regex to only 3 fields and the event structure to make it easy), an event example and what is the output now transforms.conf [KeepJsonFields] REGEX = ("Field001":".*?".)|("Field002":".*?".)||("Field003":".*?".) FORMAT = {$1$2$3} DEST_KEY = _raw props.conf [st_json_fields] DATETIME_CONFIG = KV_MODE = json MAX_TIMESTAMP_LOOKAHEAD = 34 NO_BINARY_CHECK = true TRANSFORMS-KeepJsonFields = KeepJsonFields SHOULD_LINEMERGE = false TIME_FORMAT = %Y%m%d%H%M%S" TIME_PREFIX = "FieldForTime":" pulldown_type = true TZ = UTC Event sample { "Block1":{ "Field001":"Value001", "Field002":"Value002 ", "Field003":1000, "Field004":"Value004", "Field005":1000, "Field00N":1000 }, "Block2":{ "Field-001":"Value-001", "Field-002":"Value-002", "Field-003":"Value-003", "Field-00N":"Value-004" }, "Block3":{ "Field_001":"Value_001", "Field_002":"Value_002", "Field_003":"Value_003" } } Event in splunk {"Field001":"Value001",} Here below main problems I've encountered: The regex seems to stop at the first occurence How to manage commas to rebuild the correct json format (is it correct to include them in the capture group?) Thanks in advance for the help you can give me ... View more

Hi all, I'm going crazy with a table in Splunk. What I'm trying to do is to dynamically create a table based on non null fields in my events. I'm using a Simple XML dashboard. This is the environment: Event1: _time fieldA=<valueA> fieldB=<valueB> fieldC=<valueC> fieldD=<valueD> fieldE=<valueE> Event2: _time fieldA=<valueA> fieldB=<valueB> fieldC=<valueC> fieldF=<valueF> fieldG=<valueG> Event3: ... If I use a search string like this index=<my_index> fieldD=<valueD> | table * The generated table appears like _time fieldA fieldB fieldC fieldD fieldE fieldF fieldG <time> <valueA> <valueB> <valueC> <valueD> <valueE> Why does Splunk show the empty columns too? How can I change my search to solve this issue? Maybe it seems an easy thing but I'm not finding a solution. Help me please! 🙂 ... View more