Thank you but that approach doesn't work (or I wasn't able to make it works); I've ended doing a map command from A & B sources and the a join with the C source. I try to avoid join as much as possible but the devices aren't billions and the performances are more than acceptable.
I was playing with Business flow a few weeks ago in the Splunk Oxygen, may worths another look, ty.
The topology apps are all great and I already use them; the issue with this use case is the tons of variables to be handled
Basically I have (just as example):
- Switch 1 connected to Switch 2 with 4 ports; each link has is own metrics/info
- Switch 2 connected to Switch 3 with 8 ports; again, each link with is own info
I tried with multivalues and succesfully build a single line, multivalue topology across all devices/link. Right now I'm stuck on splitting multivalues fields because of they have uneven elements; the "standard" mvjoin/split/rex works well when you have same number of events in each multivalue but that's not my case 😞
Anyway, ty all for your time
... View more
Currently I am using this query to join first two sourcetypes but not sure how to join third one.
index=xyz (sourcetype=sourcetype_1 ) OR (sourcetype=sourcetype_2 )
|rename mm AS MM
|stats dc(sourcetype) as cnt values(ss) AS ss values(CC) AS CC by OO MM
... View more
GUI page doesn't come up, when I click on Apps and select DB Connect, it takes me to the DB Connect page and I see the configuration tabs, etc. for a quick second then it automatically redirects to a welcome page. If you look at the other issues I linked you will see there is a ftr.js error:
Uncaught (in promise) TypeError: Cannot read property 'Symbol(Symbol.iterator)' of undefined
I did verify that DB Connect is using 9998 and ensured the firewall allowed connectivity. I can stop splunk and watch port 9998 disappear by performing netstat and then start it back up and watching port 9998 being used by netstat. I did this a couple of days ago.
I also performed a ./splunk stop and ./splunk start to see if any errors popped up, nothing.
If I remove java, including the installations from /usr/java, environmental variables, and remove the dbx_settings.conf and just leave the jdk installed in /opt/ directory and reboot, I get this error:
Unable to initialize modular input "server" defined inside the app "splunk_app_db_connect": Introspecting scheme=server: script running failed (exited with code 127).
If I ignore the error and try to click on DB Connect I still get the spinning wheel and the ftr.js error, I first assumed based on other community posts that I needed to get java sorted out to get the configuration page to display. So if I configure java and reboot the error message above goes away but the spinning wheel and ftr.js error remains. Basically java configured or not ftr.js on the welcome page occurs.
Can you provide the path to the configuration page? https://:8000/en-US/app/splunk_app_db_connect/
I wonder if I can bypass the welcome page and get to the configuration page.
... View more