It's worked very well. I put count>11 because I change my criterias. I just put count because count allows to count the number of events returns by the search and it's exactly that I want to do. Thanks very much to your help.

Laura

Ok, the count(Event) was some type of pseudo-code? In any case, I am happy that it works for you, but you are now saying count>11, rather than count<11. I do not think that is what you want, at least not according to your original post.

Please mark as "answered" if your question has been resolved.

Thanks,

K

My problem is resolved. Thanks very much.

This is my final search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") |stats count by date_hour |rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND count>11, "severe", range)

Updated and confirmed that it works. Had to fix a few typos, sorry about that. Do you want count(Event) or just count, which is the same as count(_raw), i.e. the raw event.

If you want to run your search over more than 24 hours, you'll need to combine date_hour with other date_* fields, or use timechart.

/k

Please don't post questions as answers. It makes it very hard to actually see the questions you're asking.

The problem is that I want to count the number of events by hour and with the result by hour, I want to apply the range on the results but actually I've got this search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

Thanks by advance if you know the solution of this problem.

Laura

The field date_hour is extracted by default for almost all sourcetypes (like punct, timestartpos etc), but not for Windows Event Logs.

The problem is also present in a search bar. I think the problem is "stats count values(date_hour) AS dh" because in my table there aren't the values of dh so next, it can't compare dh with 9 and 16...

Thanks by advance if you know the solution of this problem.

Laura

The problem is that I want to count the number of events by hour and with the result by hour, I want to apply the range on the results but actually I've got this search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

Thanks by advance if you know the solution of this problem.

Laura

Not my field of expertise, but you might benefit from this question and answer regarding characters being interpreted as part of the XML:

http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

/k

Thx very much. How can I put in a xml file because when I put it in my dashboard xml file, I got an error. I thinks it's the "<" which is the problem.

Thx by advance,

Laura

Updated. However, what do you want to happen when a search spans from 08:00 to 13:00?

/kristian