I have a KPI for Instance status:   index=xxxxx  source="yyyyy" | eval UpStatus=if(Status=="up",1,0) | stats last(UpStatus) as val by Instance host Status Now the val is 0 or 1 and Status field is Up or Down  The split by field is Instance host and threshold is based on val  The alert triggers fine but I want to put the field in email alert $result.Status$ Instead of $result.val$ But I dont see the field Status in tracked alerts. How can I make this field Status shows in tracked alerts index or events generated so that I can use it in my email (This is to avoid confusuion, instead of saying 0, 1 it will say up or down) ... View more

Hi,   I am trying to form a custom link to the episode/event in the email alert triggered from SPlunk ITSI.   However, when I open the link to that event or episode directly it always opens the alert and episode link and you the have to again search for the events and check the details.   Is there a way to get the link to the episode directly taht a person can open without searching from the ist of the events?   the link to specific episode e.g. https://splunkcloud.com/en-US/app/itsi/itsi_event_management?tab=layout_1&emid=1sdfdff-3cd3-11f0-b7a7-44561c0a81024&earliest=%40d&latest=now&tabid=all-events when opened in separate window does not open that specific episode the above url is modified to not share the exact url for the episode.   ... View more

Hi Team,   I am using splunk otel to gather logs from GKE to splunk cloud platformand I see the below errors: otel-collector 2025-02-25T23:29:46.515Z error reader/reader.go:214 failed to process token {"kind": "receiver", "name": "filelog", "data_type": "logs", "component": "fileconsumer", "path": "/var/log/pods/lxysdsdb/istio-proxy/0.log", "error": "failed to send entry after error: remove: field does not exist: attributes.time"} How can I resolve this?   I am using the below helm template values, can someone point out to what can be changed? I am using cri and otel (not fluentd) to collect the logs. # This is an example of using insecure configurations clusterName: "${cluster_name}" splunkPlatform: endpoint: ${endpoint} token: ${global_token} index: ${index_name} metricsIndex: "${index_name}_metrics" insecureSkipVerify: true logsEnabled: true metricsEnabled: false tracesEnabled: false logsEngine: otel cloudProvider: "gcp" distribution: "gke" agent: enabled: true ports: otlp: containerPort: 4317 hostPort: 4317 protocol: TCP enabled_for: [traces, metrics, logs, profiling] otlp-http: containerPort: 4318 protocol: TCP enabled_for: [metrics, traces, logs, profiling] resources: limits: cpu: ${logging_cpu_requests} memory: ${logging_memory_requests} podLabels: %{ for label, value in labels ~} ${label}: "${value}" %{ endfor ~} clusterReceiver: enabled: false logsCollection: # Container logs collection containers: enabled: true # Container runtime. One of `docker`, `cri-o`, or `containerd` # Automatically discovered if not set. containerRuntime: "${log_format_type}" excludePaths: %{ for path in exclude_path ~} - ${path} %{ endfor ~} # Boolean for ingesting the agent's own log excludeAgentLogs: true   ... View more

Hi All,   Has anyone used TA https://github.com/SplunkBAUG/CCA/blob/main/TA_genesys_cloud-1.0.14.spl and splunk genesys app https://splunkbase.splunk.com/app/6552 ?   I am having issues with TA where the data is stopping after 24 hours, has anyone faced similar issue with genesys cloud TA? ... View more

Hi all,  our regex is unable to extract host from the logs, can you pleas ehelp with the correct regex.though this regex works when checked in regex101, not sure why unable to extract [hostextract] REGEX = ^.*\w+\s+\d+\s+(?:\d+:){2}\d+\s+(?P<test>\w+)\s+ SOURCE_KEY = _raw DEST_KEY = MetaData:Host FORMAT = host::$1     e.g. logs format   May 1 08:35:30 10.98.6.249 May 1 08:35:30 host_abc   Apr 10 08:45:20 10.98.6.249 Apr 10 08:45:20 host_def   May 1 08:35:30 10.98.6.249 May 1 08:35:30 host_ghi     ... View more

Hi All, I am unable to see the logs for the source even after seeing the file is being tailed and read in internal logs. Can you please guide as to what could be wrong here?   I can see in internal logs: INFO Metrics - group=per_source_thruput, series="log_source_path",  kbps=0.056, eps=0.193, kb=1.730, ev=6, avg_age=0.000, max_age=0   But I dont see the logs in Splunk, the recent logs are there in file in the host, other sources are also coming into splunk fine.       ... View more

I have logs being monitored form winodws as below:   [monitor://D:\Logs\*] sourcetype = abc index = def I also currently have info logs being null routed which applies to  all the //D:\Logs\jkl.txt and therefor we dont see any logs from //D:\Logs\jkl.txt in Splunk.   Now without modifying the nullroute in props and transforms, I want to ingest logs from //D:\Logs\jkl.txt, how can i avoid the null route to not apply on this specific logs? ... View more

Hi All,   We have widnows event and other application logs ngested into splunk.   There is no problem with windows event logs but for our application related logs, the logs stop suddenly and starts reporting again but the log file in windows is being continuously updated with recent logs though the modified time does not get updated because of the windows feature. The modified time for the log file is not an issue because the logs starts rolling in even when the modified time is same but the log file had latest logs.   we are using splunk forwarder 9.0.4 version currently. Can someone please help in triaging this issue? It is a problem with only one specific source with this windows host and other sources (windows event logs) are flowing in properly. ... View more

Hi All, I have setup the Object and event input configuration in the salesforce TA, I am able to see the object logs but unable to see the event logs in splunk cloud.   Any directions of triaging the issue? Appropriate permissions are provided for the salesforce user. ... View more

Hi team, I am following the below instructions to bring Genesys cloud logs in to splunk  https://splunkbase.splunk.com/app/6552 Under the details and intsallation instruction of the app, I cant find the configuration and it also did not prompted me for the input configuration ... View more

Hi, I have setup the Object and event input configuration in the salesforce TA, I am able to see the object logs but unable to see the event logs in splunk cloud.   Any directions of triaging the issue? Appropriate permissions are provided for the salesforce user. ... View more

Hi All, I am using a mstats for a mteric and I am evaluating my hour and minute field something like below:   | mstats rate_avg(abc*) prestats=false WHERE "index"="def" span=3m | rename rate_avg(* as *, *) as * | eval Date=strftime(_time,"%m/%d/%Y") | eval hour=strftime(_time,"%H") | eval minute=strftime(_time,"%M") | transpose column_name=instance | rename "row 1" as MessagesRead | eval MessagesRead=ROUND(MessagesRead,0) | where MessagesRead < 1 Now I am unable to to use the below filter condition | search NOT (instance="*xyz*" AND hour=09 AND (minute>=00 AND minute<=15))     as I dont want to alert for a particular instance only from 9 to 9:15, but it should alert for other instance for this time period.   Now before the transpose the instance does not exist and I cant use the filter and after transpose I am unable to filter on hour and minute.   Can u please help in filtering after transpose? ... View more