hi all, I have 2 accelerated data models defined, both having a common field (AccountId in one and account_id in another). The events run into millions of events for the first data model and hundreds of thousands for the second data model. I am now trying to get data across these 2 sets, can you please help me get the best approach. First Data Model is a JSON file, from which i've extracted fields: Field1, Field2, Field3, AccountId...... Second Data Model is a search ---> index=index1 sourcetype=st1 Fieldx, Fieldy, account_id, Fieldz....... I have tried: Left Join : This one takes way too long to return the search result, but have noticed that the results from the inner search are duplicated - not really correlating the data correctly. | datamodel DM1 DS1 search | rename AccountId as account_id | join type=left account_id [datamodel DM2 DS2 search] | table DS1.Field1 DS2.Field2...... Multisearch : Unable to send value of a field from one search as a parameter into another. Also, the multisearch returns the results of 2nd query only Subsearch : I believe this is the best approach based on my limited knowledge of Splunk, but am not able to get this working across the data models. Appreciate any pointers helping me solve the issue. Thanks, Krishna ... View more

Hi all, I have a JSON file output from a RESTful API service and the log looks something like this: { "Provider": "Provider1", "AccountId": "Account1", "Status": "NON_COMPLIANT", "AggregatedStatus": { "Control1": "COMPLIANT", "Control2": "NON_COMPLIANT", "Control3": "COMPLIANT" }, "ResourceCounter": 3, "DetailedResult": [ { "RuleName": "Rule1", "ResourceID": "ID65329083", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control1", "SubCategory": "SubCat1" }, { "RuleName": "Rule2", "ResourceID": "ID234ti4", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control2", "SubCategory": "SubCat2" }, { "RuleName": "Rule3", "ResourceID": "ID7523427", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control3", "SubCategory": "SubCat3" } ] } Is it possible to split the JSON into multiple events and filter/index the output based on "Category": "Control2". Ideally, I would like to view the broken down events like this and may be filter events based on the "Category" field. Is this even possible? { "Provider": "Provider1", "AccountId": "Account1", "Status": "NON_COMPLIANT", "AggregatedStatus": { "Control1": "COMPLIANT" }, "ResourceCounter": 1, "DetailedResult": [ { "RuleName": "Rule1", "ResourceID": "ID65329083", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control1", "SubCategory": "SubCat1" } ] } { "Provider": "Provider1", "AccountId": "Account1", "Status": "NON_COMPLIANT", "AggregatedStatus": { "Control2": "NON_COMPLIANT" }, "ResourceCounter": 1, "DetailedResult": [ { "RuleName": "Rule2", "ResourceID": "ID234ti4", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control2", "SubCategory": "SubCat2" } ] } { "Provider": "Provider1", "AccountId": "Account1", "Status": "NON_COMPLIANT", "AggregatedStatus": { "Control3": "COMPLIANT" }, "ResourceCounter": 1, "DetailedResult": [ { "RuleName": "Rule3", "ResourceID": "ID7523427", "ResourceType": "Type1", "Timestamp": "2019-07-25T06:53:13.030000", "Status": "NON_COMPLIANT", "Severity": "medium", "Category": "Control3", "SubCategory": "SubCat3" } ] } Thanks, Krishna ... View more

Hi all, Apologies if this topic has already been discussed already, but wondering if you could help me with a Splunk app that does application/service monitoring. We are already using NIX app to monitor the VM level metrics, but want to drill down further into the application/service layer. We have applications deployed in linux topology and wondering what is the best approach to monitor whether the application is up/down. If the application goes down, raise an alert. For a weblogic server, how do we monitor the applications deployed (for ex., Business Services and Proxy Services deployed on OSB server). We have already installed Weblogic App for Splunk, but do not seem to get this feedback from the OSB server. Many Thanks, Krishna ... View more

Hi team, I am trying out the nmon app and add-on for splunk. I have installed the app on the Splunk Indexer (Single instance containing Indexer, Heavy Forwarder and Search Head). I am able to see csv files created in the $SPLUNKHOME/var/log/nmon/var/csv_repository folder of the server and I am able to see corresponding reports on the NMON app on the Splunk console. However, on the Universal Forwarder, I have downloaded and extracted the ta-nmon-technical-addon-for-nmon-performance-monitor_1331.tgz file in the $SPLUNKHOME/etc/apps. I have copied across inputs.conf and props.conf from $SPLUNKHOME/etc/apps/TA-nmon/default to $SPLUNKHOME/etc/apps/TA-nmon/local directory. Restarted Splunk on the UF server. However, I am neither seeing the csv files being created nor any logs coming through to the Splunk console. Both the Splunk server and the UF are Red Hat Linux servers. Both of them have Perl (v 5.10.1) and Python (v 2.6.6) installed. Happy to provide more info as required. Thanks, Krishna ... View more