All Posts

Hello! I'm trying to separate the latency results with Eval by dividing them into 3 categories and then showing the percentage using the Top command. This was working at the beginning of the project, but now I need to separate the results by hour instead of the whole day, and including the Table command and using the fields from Eval is not working.

Here's my search:

| eval tempo= case( 'netPerf.netOriginLatency'<2000, "Under 2s", 'netPerf.netOriginLatency'>2000 AND 'netPerf.netOriginLatency'<3000, "Between 2s and 3s", 'netPerf.netOriginLatency'>3000, "Above 3s" )
| top 0 tempo

Latency              count    percent
Under 2s             74209    86.5 %
Between 2s and 3s    10736    12.5 %
Above 3s             803      0.9 %

Ideal scenario would be something like this:

_time               Under 2s    Between 2s and 3s    Above 3s
06/07/2024 00:00    97.3 %      2.3 %                2.3 %
06/07/2024 01:00    96.3 %      2.7 %                1.0 %

Appreciate the time and help!
And it’s essential that RF = SF before and after SmartStore is enabled. If not, then there is a possibility that a bucket which is copied to S3 doesn’t contain searchable metadata and then it’s not working later!
If you can define which line contains headers and which values, then you can do this with any countable columns. It’s enough to know the maximum number of columns you could have.
It's a bit more complicated than that. Hot buckets are normally streamed to other peers to meet RF/SF. But when the bucket rolls to warm, it's uploaded to smartstore (which then takes care of data resilience) and local copies can be evicted to make room for frequently used cached buckets. So initially you might get the RF/SF-meeting number of copies for warm buckets, but at any time the cache manager can decide to evict such a warm copy until it is needed - then it will be re-downloaded from smartstore. But yes, for warm buckets there is no longer replication between peers to meet RF/SF. And each bucket is just copied once to smartstore and it's smartstore's responsibility to make sure that bucket is available.
Ahh. OK. That wasn't clear. I thought that maybe there's some "practice" environment with that training. Anyway, you can look for your data by doing either what @marnall said or do a quick summary

| tstats count min(_time) as earliest max(_time) as latest where index IN (*,_*) by index sourcetype
| convert ctime(earliest) ctime(latest)

to see when and where your data is. (The underscore-beginning Splunk's internal indexes are just to show you what it should look like.) Run this search over All Time.
With SmartStore, replication and search factors only apply to hot buckets on the local machines. The idea is that the remote storage takes responsibility for the high availability and redundancy of the buckets. Thus, even if you adjust your RF, it will not change the number of bucket copies on the remote storage.
What happens if you search: index=* ...and set the time to "All Time"? This search should get all non-hidden logs in your Splunk indexes. Hopefully you get logs from several sourcetypes, and you can click on the sourcetypes in the fields column on the list and hopefully find the one you specified when you onboarded your logs. If your sourcetype does not appear, then it is likely that something went wrong with the onboarding.
I'm using Splunk Enterprise, version 9.2.2, not a mockup. I'm just using a logfile that I got from the Pluralsight website.  I opened the file and looked at it before I uploaded it, and it appeared to be the same file being used in the training. The numbers in the file matched what I saw in the video. After I clicked the submit button to upload the file, I got a "success" message, so I believe it worked, but is there some way to see the file after I uploaded it to make sure it's correct?
If you look into the opening message of this thread you'll see a json entity with a message field containing a string which - when parsed out from the original event and then parsed as a json structure returns fields. And I suppose that's the problem - the "sub-json" is actually a string within the original json structure.
Pluralsight is an external entity. We don't know each and every training on Splunk that is out there. We don't know what the video shows, what is the scope of the training and whatever "the window to the right" is. Is it a real Splunk interface or some mockup? How are we supposed to know that?
Thank you, but I am already using All Time. I've tried to follow the tutorial as closely as possible, and I think I've been successful in that, which is why this "No Results Found" is so confounding.
SQL Monitoring - I'd like to know how to write a Splunk SPL query to alert on the top users running long running SQL queries on my databases.  I'm currently using the MS SQL add-on for Splunk and monitoring the included monitors for  Perfmon:sqlserver:* and sourcetypes "mssql:agentlog" and "mssql:errorlog"   Thank you in advance!
Hi Manjunatha, Are you having a Splunk issue? Otherwise, if this is an issue just about a (Cisco) switch, that is out of scope for this forum, and you should check with Cisco support.
Thank you for reposting data as plain text and not emojis. Let this be a lesson for everyone using this board: make use of the text block (that </> button in editor) and you can avoid mishaps. Another good practice is to use Splunk's autoformat function in search window.

Anyway, the logic behind | spath | eval message="{\"message\":".message."}" escapes me, because first, without any prompt, Splunk should have given you a whole number of multi-valued fields such as {}.TARGETSYSTEM and {}.ARUNAME. Adding another spath only doubles their entry. Second, I do not see any field name message.

Are your event illustrations of _raw events or of a particular field named message that has been extracted by Splunk? If it is the latter, there is no reason why your search wouldn't give the desired results. Here is an emulation of "message" field in your illustrations:

| makeresults | eval message=mvappend("[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":6,\"FAILED\":6,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":7295,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00052Med\",\"TOTAL\":0,\"PROCESSED\":273,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":23,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00303\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPE
D\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":22,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01015\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":38,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":44,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":7177,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":116,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":37,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAM
E\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":215,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00061\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":14,\"FAILED\":14,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":21,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":546,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":801,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":150,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":69,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":542,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"E
RROR\":0,\"FAILED\":0,\"SKIPPED\":335,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":10,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":12,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":637,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":2,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":88,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":24,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5}]", 
"[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00797H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":511,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":210,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":21,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4}]") | mvexpand message ``` the above emulates the "message" field from index = ***** host=**** source=*** ```   Apply your search (skip that first spath) with Splunk autoformat   | eval message="{\"message\":".message."}" | spath input=message message{} output=collection | mvexpand collection | spath input=collection | eval totalCount = SKIPPED + PROCESSED | chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE   I get this table: DAYHOUR Processed: 7/9/2024 SKIPPED: 7/9/2024 TotalClaims: 7/9/2024 4 218 536 754 5 16644 1862 18506 If the two illustrations are for raw events, emulation is like the following:   | 
makeresults | eval data=mvappend("[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":6,\"FAILED\":6,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":7295,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00052Med\",\"TOTAL\":0,\"PROCESSED\":273,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":23,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00303\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":22,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01015\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":38,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":
0,\"PROCESSED\":44,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":7177,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":116,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":37,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":215,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00061\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":14,\"FAILED\":14,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":21,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":546,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCES
SING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":801,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":150,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":69,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":542,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":335,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":10,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":12,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":637,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":2,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"
ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":88,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":24,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5}]", "[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00797H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":511,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":210,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,
\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":21,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4}]") | mvexpand data | rename data as _raw | spath ``` the above emulates index = ***** host=**** source=*** ```   Use a slightly modified search from your original,   | fields - {}.* ``` opitional - just to clear view during development ``` | spath path={} ``` you can directly use {} as fieldname, no need to append ``` | mvexpand {} | fields - _* | spath input={} | eval totalCount = SKIPPED + PROCESSED | chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE   This gives the exact same result.  Could you clarify?
Finally it is working now. Thank you so much. You made my day.
Check that the timeframe for the search covers the times your events have been timestamped with (or simply use all time).
OK try it with double quotes on the stats command (which is counter-intuitive!)

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode"
If I increase the RF on a SmartStore enabled indexer cluster what happens on SmartStore? Is a 2nd copy actually created on SmartStore, or is the same copy referenced by more than 1 indexer in the cluster? 
@ITWhisperer thanks for being patient with me. I have copied the same query which you have mentioned and this is the result

index="apigee" sourcetype!="apigee:nginx" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'
I am taking the Pluralsight tutorial. I have followed all the steps very carefully in the "Demo: Getting Data into Splunk" video. I first ran into trouble about two minutes in. I uploaded the logfile successfully and successfully set the source type as access_combined_wcookie. My Event Break and Timestamp settings are the same as what is shown in the video. But in the large viewing window to the right, mine says "No results found." In the video there are Times and Events in this pane. I thought that perhaps I just needed to follow all the steps through to see Times and Events, so I created the new index, as per the tutorial, and submitted successfully. But then I got the same "No Results Found" message on the New Search screen. I should note that the only difference between me and the tutorial video is that in the bar underneath the words "New Search," the host = my computer's name instead of "thenson-desktop." What do I need to do to see results?