Hi, take a look at the command | getservice , with this command you'll be able to create a table with all the data you need and export it as csv. ... View more

If you have the episodeID, you can link directly to it: https://YOURSPLUNKSERVER:8000/en-US/app/itsi/itsi_event_management?earliest=-7d%40h&latest=now&form.earliest_time=-7d%40h&form.latest_time=now&episodeid=YOUREPISODEID Please be aware of the time span, if episode is older than 7d it won't be found because in THIS link -7d is set. ... View more

was awesome, like it to talk to the experts and discussing about everything around ITSI! ... View more

do you see something in _internal regarding the execution of the script? What about other scripts, if you create a new action rule with a different script, does this work or are all scripts failing? ... View more

You can open a glass table by sharing the URL, of course you have to log in to see it. ... View more

Your syntax is invalid. By an append command you start a complete ausbrächte which could start with | search index=abcd … . And then an eval could follow but then you don’t need a stats in front of it. ... View more

As mentioned, you can use this app. This app can be installed ie on a heavy forwarder. You have to configure a list which hosts must be pinged. Of course, you can generate this list and transfer it „somehow“ to the pinging machine. But keep in mind it’ll generate traffic and pinging takes time.  ... View more

There are some apps in Splunkbase for pinging like "TA-Connectivity", but I hope you don't want to ping all the hosts within a few seconds 😉 ... View more

You have imported your entities (I assume you check them in the entity management) and you have added them to your service. But you have also configured in your KPIs to split by host and take only entities which are for this service? ... View more

I recreated your case. A csv might not be a valid csv for importing if there is no separator. Please try to add something to your csv so it might look like this: DisplayName;myfield -----------;foo server1.corpnet.abv;server1.corpnet.abv server2.corpnet.abv;server2.corpnet.abv While I haven't had the second column, I also have had no results for importing. ... View more

You just have to take the first part of your search, index=indexname tag=oshost host=hostname . The aggregation is done while you are doing your settings in the wizard. That means, your interval is 15mins, you split by host, you calculate an average for the cpu and you also have to define how what you want to see as aggregated information for the KPI itself. ... View more

So please try to figure out if your source, field extractions and permissions are correct. This must be working before creating KPIs. ... View more

I've got problem understanding this middle thing because it will only work if there are 3 or 5 results. Let's start the easier way. If you have 5 results, you can do a streamstats count as counting by sessionID. After this, you can do something like a sorting - counting sessionID  and write down the max counting by sessionID in each line. Then you calculate marker=(maxcounting+1)/2 and search where marker=counting. That means, if you have 5 results, for a sessionID it will look like this: ID=1234, value=a, counting=1, maxcount=5, marker=3 ID=1234, value=b, counting=2, maxcount=5, marker=3 ID=1234, value=c, counting=3, maxcount=5, marker=3 ID=1234, value=d, counting=4, maxcount=5, marker=3 ID=1234, value=e, counting=5, maxcount=5, marker=3 But what will you do if there are 6 events, what's the middle? ... View more

| rex field=CellserialNumber "978499-5-(?<testnumber>.*)" ... View more

You have to investigate your data. Compare your number of events (and length), compare events by loglevel/allowDeny, figure out if your  sending or receiving behaviour is different for some devices/IPs etc. ... View more

if they are from different indexes (I suppose this is ment by different data sets?) you can also do something like "index=a OR index=b", so you'll get events out of both indexes ... View more

You have configured an anomaly detection but you have to many entities, maximum ist 30. https://docs.splunk.com/Documentation/ITSI/4.13.1/SI/AD ... View more

Does your search end with a stats command? If you do something like table or timechart in the end of your query it looks like the search will run but ITSI tries an aggregation again and then it fails. ... View more

You have to buy both, the core license and the itsi license. ITSI only works if you buy a license for it and a core license is also installed. That means in your example, 50GB core and 50GB ITSI. The ITSI license doesn't include core. ... View more

I'd do this with an episode. As you mentioned, you can do this without ITSI a a normal alert but the better way would be doing this out of ITSI. You can close the episode automatically if the service is up again or on the other hand it will can be configured to send a message only once until episode breaks. But regarding the usage of itsi, normally you are monitoring a service availability and for this availability you need running Windows-Services. Won't it be better to cover it like this than just looking for "running-services-on-a-windows-host"? ... View more

Make sure, - your combination OS and UFW will match - there are all apps working with the newer version - you don’t have copied apps manually on UFWs (but eventually a deploymentclient-app). If you do the Deinstallation they could be erased.   You also have to update HFs? Keep in mind the python version change! ... View more

In general, you are right, each role a separate VM. But for your lab and non productive environment of this size you can consolidate deployment server and cluster master. ... View more

You can do it by replace command: | replace "/Server*" with "*" ... View more