Activity Feed
- Posted Re: unable to get the dynatrace logs to Splunk on Getting Data In. 07-31-2023 09:31 AM
- Posted Re: Splunk_TA_nix awk: record `HARD_DRIVES ssd2262 ...' too long on Getting Data In. 01-16-2023 12:41 PM
- Posted Re: " An error occurred while receiving. The exception is KeyError('records')" while collecting event hub data on Getting Data In. 08-17-2022 10:50 AM
- Posted Microsoft Graph API Error message="Error retrieving Graph API Messages." exception='NoneType' object is not iterable on Getting Data In. 05-05-2022 11:09 AM
- Tagged Microsoft Graph API Error message="Error retrieving Graph API Messages." exception='NoneType' object is not iterable on Getting Data In. 05-05-2022 11:09 AM
- Karma Re: How to build a query to get the count of opened and resolved incidents every hour in a day? for PickleRick. 02-14-2022 07:25 AM
- Got Karma for Re: How to build a query to get the count of opened and resolved incidents every hour in a day?. 02-14-2022 07:23 AM
- Posted Re: How to build a query to get the count of opened and resolved incidents every hour in a day? on Splunk Search. 02-14-2022 07:21 AM
- Posted Re: How to build a query to get the count of opened and resolved incidents every hour in a day? on Splunk Search. 02-10-2022 11:57 AM
- Posted Re: How to build a query to get the count of opened and resolved incidents every hour in a day? on Splunk Search. 02-10-2022 11:53 AM
- Posted How to build a query to get the count of opened and resolved incidents every hour in a day? on Splunk Search. 02-10-2022 10:07 AM
- Tagged How to build a query to get the count of opened and resolved incidents every hour in a day? on Splunk Search. 02-10-2022 10:07 AM
- Posted Re: How do I solve "Listen Claim" issue when getting Event Hub data through Splunk Add-on for Microsoft Cloud on Getting Data In. 08-17-2021 08:34 AM
- Posted How to fix: " An error occurred while receiving. The exception is KeyError('records')" while collecting event hub data on Getting Data In. 08-16-2021 10:32 AM
- Tagged How to fix: " An error occurred while receiving. The exception is KeyError('records')" while collecting event hub data on Getting Data In. 08-16-2021 10:32 AM
- Got Karma for Re: Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token". 05-13-2021 05:09 AM
- Posted Re: Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token" on Getting Data In. 05-12-2021 01:16 PM
- Posted Re: Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token" on Getting Data In. 04-28-2021 01:37 PM
- Karma Re: Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token" for jwalzerpitt. 04-28-2021 01:34 PM
- Tagged Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token" on Getting Data In. 04-26-2021 11:56 AM
07-31-2023
09:31 AM
Hi @phanikumarcs, were you able to resolve this error? I'm getting the same error in my environment.
01-16-2023
12:41 PM
Hi @maharshidave. Were you able to resolve this issue? I'm getting the same error as you got after upgrading to 8.5.
Splunk_TA_nix/bin/uptime.sh: $(dirname /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/uptime.sh)/common.sh: not found
Splunk_TA_nix/bin/cpu_metric.sh: $(dirname /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu_metric.sh)/common.sh: not found
Please share your solution if you were able to resolve it. Thanks!
08-17-2022
10:50 AM
Make sure that the addon is version 4.1.4 or above. The older versions have the key error issue. That's what worked for me.
05-05-2022
11:09 AM
After upgrading the Splunk Add-on for Microsoft Office 365 to version 3.0.0 it is required that we disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph as per the app doc. After following the instruction and assigning the delegated type to ServiceHealth.Read.All under the Microsoft Graph, I'm getting the below error in the logs:
level=ERROR pid=23448 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:run:74 | datainput=b'ServiceUpdateMessages' start_time=1651772811 | message="Error retrieving Graph API Messages." exception='NoneType' object is not iterable
The inputs under Office 365 Management APIs are working fine, which indicates that the configuration data like client id and secret are correct. Can someone please let me know what might be causing this issue?
- Tags: Microsoft O365
- Labels: index, sourcetype
02-14-2022
07:21 AM
1 Karma
Hey @PickleRick thanks for the explanation! I now understand how it works! I will try it out and let you know if it works in my query!
02-10-2022
11:57 AM
In the event you can see that the event timestamp is in EST while the dv_opened_at and dv_resolved_at fields are in GMT.
02-10-2022
11:53 AM
2/10/22 1:01:04.000 PM endpoint="xyz",parent="",dv_parent="",caused_by="",dv_caused_by="",watch_list="",dv_watch_list="",sys_updated_on="2022-02-1018:01:04",dv_sys_updated_on="2022-02-1018:01:04",u_major_incident_duration="",dv_u_major_incident_duration="",u_resolved_by="",dv_u_resolved_by="",u_vendor_problem_number="",dv_u_vendor_problem_number="",skills="",dv_skills="",lessons_learned="",dv_lessons_learned="None",u_activity_code="",dv_u_activity_code="None",state="110",dv_state="Queued",knowledge="false",dv_knowledge="false",u_sub_assembly_1="NA",dv_u_sub_assembly_1="NA",u_sub_assembly_2="NA",dv_u_sub_assembly_2="NA",u_sub_assembly_4="",dv_u_sub_assembly_4="",u_callback_indicator="no",dv_u_callback_indicator="No",impact="4",dv_impact="4-Minimal",active="true",dv_active="true",u_user_participation_triage="Yes",dv_u_user_participation_triage="Yes",u_affected_date="2022-02-1017:50:21",dv_u_affected_date="2022-02-1017:50:21",u_record_producer="",dv_u_record_producer="",group_list="",dv_group_list="",u_escape_ticket="",dv_u_escape_ticket="None",u_location_number="",dv_u_location_number="",major_incident_state="",dv_major_incident_state="None",u_reported_severity="",dv_u_reported_severity="",correlation_display="",dv_correlation_display="",u_ac_jira_ticket_number="",dv_u_ac_jira_ticket_number="",u_service_desk_call_made="no",dv_u_service_desk_call_made="No",u_location_type="-- None--",dv_u_location_type="-- 
None--",u_voice_trust_reason="",dv_u_voice_trust_reason="None",u_qs_type="Incident",dv_u_qs_type="Incident",u_azure_business_group="",dv_u_azure_business_group="None",service_offering="",dv_service_offering="",u_diagnostics="",dv_u_diagnostics="None",u_integration_state="",dv_u_integration_state="None",follow_up="",dv_follow_up="",parent_incident="",dv_parent_incident="",u_external_source="",dv_u_external_source="",reopened_by="",dv_reopened_by="",u_external_ticket="",dv_u_external_ticket="",u_azure_technology="",dv_u_azure_technology="None",x_pd_integration_incident_key="",dv_x_pd_integration_incident_key="",u_user_request_for_update_re="",dv_u_user_request_for_update_re="",agile_story="",dv_agile_story="",escalation="0",dv_escalation="Normal",correlation_id="",dv_correlation_id="",u_line_of_business="",dv_u_line_of_business="None",u_tech_support_dispatch="0",dv_u_tech_support_dispatch="No",u_business_unit="",dv_u_business_unit="",u_callback="",dv_u_callback="",u_integration_provider_id="",dv_u_integration_provider_id="",u_integration_callback_flag="false",dv_u_integration_callback_flag="false",u_asset_details="",dv_u_asset_details="None",made_sla="true",dv_made_sla="true",u_vendor_closed="",dv_u_vendor_closed="",u_external_details="",dv_u_external_details="",u_remote_take_over="Attempted_but_not_successful",dv_u_remote_take_over="Attempted_but_not_successful",user_input="",dv_user_input="",sys_created_on="2022-02-1018:00:56",dv_sys_created_on="2022-02-1018:00:56",actions_taken="",dv_actions_taken="",route_reason="",dv_route_reason="",u_customer_induced="",dv_u_customer_induced="None",calendar_stc="",dv_calendar_stc="",u_callback_time="",dv_u_callback_time="",closed_at="",dv_closed_at="",u_vendor_confirmation="",dv_u_vendor_confirmation="",u_affected_companies="",dv_u_affected_companies="",u_received="",dv_u_received="",u_opened_by_group="ab5669c44fdf060066e000fe9310c7a4",business_impact="",dv_business_impact="",rfc="",dv_rfc="",time_worked="",dv_time_worked="",u_s
la_exclusion_justification="",dv_u_sla_exclusion_justification="",u_escalated="",dv_u_escalated="",work_end="",dv_work_end="",subcategory="",dv_subcategory="None",close_code="",dv_close_code="None",assignment_group="a35669c44fdf060066e000fe9310c79e",business_stc="",dv_business_stc="",description="",dv_description="",u_ibm_mcms="",dv_u_ibm_mcms="",sys_id="9898f1161ba185102d1d8407ec4bcb7a",dv_sys_id="9898f1161ba185102d1d8407ec4bcb7a",u_qs_rca_required="false",dv_u_qs_rca_required="false",urgency="4",dv_urgency="4-Minimal",u_number_of_events="",dv_u_number_of_events="",company="",dv_company="",severity="4",dv_severity="4-Minor",overview="",dv_overview="None",u_boolean_3="false",dv_u_boolean_3="false",approval="notrequested",dv_approval="NotYetRequested",u_boolean_1="false",dv_u_boolean_1="false",u_support_language_pref="english",dv_u_support_language_pref="English",reopen_count="0",dv_reopen_count="0",sys_tags="",dv_sys_tags="",u_contact_number="",dv_u_contact_number="",u_sra_number="",dv_u_sra_number="",u_issue_start_time="",dv_u_issue_start_time="",u_work_item="",dv_u_work_item="None",u_resolution_subcategory="",dv_u_resolution_subcategory="None",location="822e0224dbb55300a86b5068dc961934",dv_location="YYZHC",u_mi_duration="",dv_u_mi_duration="",u_mi_managed_by="",dv_u_mi_managed_by="None",u_mi_impact_time="",dv_u_mi_impact_time="",u_ac_status_time="",dv_u_ac_status_time="",promoted_by="",dv_promoted_by="",u_total_duration="",dv_u_total_duration="",u_call_information="",dv_u_call_information="",u_integration_state_2="",dv_u_integration_state_2="",upon_reject="cancel",dv_upon_reject="CancelallfutureTasks",u_temporary_workaround="",dv_u_temporary_workaround="",u_left_courtesy_card="",dv_u_left_courtesy_card="None",approval_history="",dv_approval_history="",u_qs_major_incident="false",dv_u_qs_major_incident="false",u_shipping_carrier="",dv_u_shipping_carrier="None",number="INC1326925",dv_number="INC1326925",proposed_by="",dv_proposed_by="",u_kiosk_on_site_response_arriv
al_time="",dv_u_kiosk_on_site_response_arrival_time="",u_workaround_date="",dv_u_workaround_date="",u_qs_fcresolve="false",dv_u_qs_fcresolve="false",x_pd_integration_incident="",dv_x_pd_integration_incident="",u_device_name_ref="0da9ffdcdb863b00a86b5068dc961970",u_vendor_service="",dv_u_vendor_service="None",u_tech_time="",dv_u_tech_time="",order="",dv_order="",u_waybill_number="",dv_u_waybill_number="",cmdb_ci="52310ab14f4a5600329b9acf9310c7cb",work_notes_list="",dv_work_notes_list="",priority="4",dv_priority="4-Low",sys_domain_path="/",dv_sys_domain_path="/",u_non_business_related_support="",dv_u_non_business_related_support="None",business_duration="",dv_business_duration="",u_aimia_incident_number="",dv_u_aimia_incident_number="",u_ipad_serial_number="",dv_u_ipad_serial_number="",u_storage="",dv_u_storage="None",approval_set="",dv_approval_set="",x_pd_integration_incident_id="",dv_x_pd_integration_incident_id="",u_shipped="",dv_u_shipped="",universal_request="",dv_universal_request=",dv_assigned_to="",u_mfp_hostname="",dv_u_mfp_hostname="",sla_due="",dv_sla_due="UNKNOWN",u_travel_time="",dv_u_travel_time="",u_integration_source_ci_id="",dv_u_integration_source_ci_id="",upon_approval="proceed",dv_upon_approval="ProceedtoNextTask",u_opportunity_details="",dv_u_opportunity_details="",u_integration_source_system="",dv_u_integration_source_system="",u_asset_name="",dv_u_asset_name="",x_pd_integration_conf_bridge="",dv_x_pd_integration_conf_bridge="",u_sra="",dv_u_sra="None",u_critical_application_1="",dv_u_critical_application_1="None",promoted_on="",dv_promoted_on="",u_vendor_scheduled="",dv_u_vendor_scheduled="",child_incidents="0",dv_child_incidents="0",u_number_of_opportunities="",dv_u_number_of_opportunities="",task_effective_number="INC1326925",dv_task_effective_number="INC1326925",resolved_by="",dv_resolved_by="",u_imaging_reimaging="",dv_u_imaging_reimaging="None",opened_by="964ede251be46c102d1d8407ec4bcbec",u_mi_start_time="",dv_u_mi_start_time="",u_service_
restore_time="",dv_u_service_restore_time="",sys_domain="global",dv_sys_domain="global",u_restoral_action="NA",dv_u_restoral_action="NA",proposed_on="",dv_proposed_on="",u_operational_impact="0",dv_u_operational_impact="None",u_actual_start="",dv_u_actual_start="",u_tmpchtktemlsent="false",dv_u_tmpchtktemlsent="false",u_vendor_po_number="",dv_u_vendor_po_number="",business_service="",dv_business_service="",u_detected_by_monitoring="false",dv_u_detected_by_monitoring="false",u_location_floor="",dv_u_location_floor="",u_on_hold_reason="",dv_u_on_hold_reason="",u_failed_attempts="",dv_u_failed_attempts="None",expected_start="",dv_expected_start="",opened_at="2022-02-1017:50:21",dv_opened_at="2022-02-1017:50:21",u_business_feature="",dv_u_business_feature="",reopened_time="",dv_reopened_time="",resolved_at="2022-02-1018:50:21",dv_resolved_at="2022-02-1018:50:21",u_kiosk_on_site_response="",dv_u_kiosk_on_site_response="None",cause="",dv_cause=""
02-10-2022
10:07 AM
Hi,
I'm trying to build a query to get the count of opened and resolved incidents every hour in a day but the numbers are not tallying. Not sure if the issue might be the fact that ServiceNow uses GMT and therefore all the tickets have the dv_opened_at and dv_closed_at field in terms of GMT and the _time field is the local time which in my case is EST. I'm using the following query but not getting the correct numbers:
index=xyz
| eval _time = strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S")
| sort 0 - _time
| addinfo
| where _time >= info_min_time AND _time <= info_max_time
| eventstats min(_time) AS earliest_time BY sys_id
| where _time = earliest_time
| timechart span=1h dc(sys_id) AS "Opened Tickets"
| appendcols
    [ search index=xyz
    | eval _time = strptime(dv_resolved_at,"%Y-%m-%d %H:%M:%S")
    | sort 0 - _time
    | addinfo
    | where _time >= info_min_time AND _time <= info_max_time
    | eventstats min(_time) AS earliest_time BY sys_id
    | where _time = earliest_time
    | timechart span=1h dc(sys_id) AS "Closed Tickets"]
Does anyone know how I can fix the query to get the correct number of incidents opened and closed every hour on a specific day?
- Tags: servicenow
08-17-2021
08:34 AM
Hi @pratik_18, were you able to find the solution for the KeyError('records')? I'm also facing the same issue with the Microsoft Cloud Services Addon.
08-16-2021
10:32 AM
The EventHub input is throwing an error while trying to collect eventhub data from Microsoft Azure. The Microsoft Cloud Services addon is installed on a Heavy Forwarder and is supposed to send data to the SH. The following is a snippet of the error:
2021-08-06 10:28:23,488 level=WARNING pid=1876189 tid=Thread-1 logger=azure.eventhub._eventprocessor.event_processor pos=event_processor.py:_do_receive:334 | EventProcessor instance '605f0c65-227a-435c-8a26-4018c4a498a6' of eventhub 'xyz' partition '1' consumer group 'abc'. An error occurred while receiving. The exception is KeyError('records').
We have double-checked all the access and permissions that are specified in the addon doc.
I'm not sure if this error is due to permission issue or data format.
Has anyone else faced the same issue with the addon?
- Labels: heavy forwarder
05-12-2021
01:16 PM
1 Karma
Hey @jwalzerpitt, I was able to fix the error. Added the Directory.Read.All in the API permissions along with the other permissions mentioned in the addon document for the sign-in input. Earlier I had configured the API permissions with the type "delegated" on the Azure Portal but after changing it to type "Application" I'm getting all the sign-in data. Hope this helps.
04-28-2021
01:37 PM
Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now. Were you able to fix it?
04-26-2021
11:55 AM
After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token". I have been unable to find what the root cause of this error might be. The addon has been installed on the IDM. Can anyone help me out with this issue?
- Labels: indexer
03-10-2021
12:23 PM
Hi Splunkers,
I would like to know if anyone has faced the issue of multiple incidents getting created in ServiceNow for the same entity/issue if the incident is not resolved in ServiceNow and the Splunk custom alert generates another ticket for the same issue when it sweeps through the data again and finds the same entity/issue. The correlation id is supposed to prevent that from happening as it tells servicenow that a ticket already exists for that issue but it doesn't seem to be working as multiple incidents are getting created in snow for the same asset. I have added $result.asset_tag$ as the asset_tag is a unique field but that hasn't helped either. Any advice?
Thanks,
Akriti
11-04-2020
07:26 AM
Has anyone forwarded Cisco Finesse logs to Splunk Cloud? If yes, it would be great if they can share the steps to do the same.
- Labels: heavy forwarder, index