It is not clear what you are trying to do here - the second one generates a count for each unique value of kmethod - which presumably is a number since the first one is summing these? Please can you clarify what you are trying to do, perhaps provide some sample (anonymosed) events so we can see what you are dealing with, and an example of your expected result?

Do you have the date_* fields in your data? If so, you can do this search... earliest=-1mon (date_hour>=$start_hour_token$ date_minute>=$start_minute_token$) (date_hour<$end_hour_token$ OR (date_hour=$end_hour_token$ date_minute<$end_minute_token$))) If you don't have those fields extracted, then you will have to do an eval statement to create the date_hour and date_minute fields and then do a where clause to do the same comparison as above.

It's worth noting, however, as @bowesmana pointed out, that eventstats is a relatively "heavy" command because it needs to generate whole result set and gather it on a search-head in order to create the statistics which it later adds to results. With a small data set you can get away with just calling eventstats and processing the results further. If your initial result set is big you might indeed want to limit set of processed fields (including removing _raw if it's no longer needed).

As @ITWhisperer has said, subsearches run first, so you can't pass time from the outer to the subsearch, but the addinfo command is generally a way to know what time range you have for your search, so in the subsearch you can do something like this to remove the entries from the lookup that do NOT fit in the time range of the search [ | inputlookup lookup.csv | addinfo | eval first_time=strftime(info_min_time, "%H") | eval last_time=strftime(info_max_time, "%H") | rex field=Time "[^ ]* (?<hour>\d+)" | where hour>=first_time AND hour<=last_time ] This is taking the HOUR part of your lookup Time value and comparing that to the search time range and only retaining the lookup entries that match the time range of your search, so when you combine the entries after this subsearch, only those from the lookup that are relevant to the range are collected with the real time data.

the INDEXED_EXTRACTIONS configuration belongs in props.conf of the universal forwarder.   |tstats count where index=* sourcetype=my_json_data by host | stats values(host) The search above should tell you which hosts need to be looked at where you would remove INDEXED_EXTRACTIONS = json from the SHs and Indexers and move this configuration (INDEXED_EXTRACTIONS = json) to the forwarders props.conf. Make sure the forwarder inputs.conf for the json source you are ingesting is tagging the data with the appropriate sourcetype, then in props.conf reference that sourcetype stanza for your config: ie (UF): inputs.conf [monitor:///file] sourcetype=foo_json index=bar props.conf [foo_json] INDEXED_EXTRACTIONS = json     see:https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Configurationparametersandt[…]A.&_ga=2.147263155.568450395.1710801981-1206481253.1693859797 INDEXED_EXTRACTIONS are unique in that they happen in the structured parsing queue of the universal forwarder where usually parsing happens at a HF or indexer if there is no HF. if you use a HF as the first point of ingest and no UF then you place it there on the HF. see: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Extractfieldsfromfileswithstructureddata If you have Splunk Cloud Platform and want configure the extraction of fields from structured data, use the Splunk universal forwarder.  

In Email alerts, there is a checkbox for "Inline", which would put the search results table into the body of the email. If you would like more control over it, you could do some SPL magic to make a single field containing the html for a table in the arrangement you want, then put that field in the body.

At first glance it seems your field/argument "userAccountPropertyFlag" ends with a 'd' character when passed to the script: "userAccountPropertyFlad"   If that doesn't fix it, you may be able to find more informational errors by searching in the internal error logs relating to this script: index=_internal user_account_control_property.py log_level=ERROR  

Hi @titchynz , was wondering if you found a solution for this.  We are experiencing the exact same thing verbatim and was hoping perhaps you'd done all of the hard work and have a solution that you could share. Thanks!

One thing to note is that the strptime does not work with just a month and year, it needs a day value as well. ref: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions If the RegUser string has only a year and month, you could format it to include the day 01. E.g. | eval RefUser = RefUser+"/01" | eval RefUser = strptime(RefUser,"%Y/%m/%d") For the RefAtual, I assume you are taking 1 month earlier than the current _time value: | eval RefAtual = relative_time(_time, "-1mon") Once you have these two timestamps in unixtime format, then you can take the absolute difference between them, and divide by the number of seconds in a month (assuming 30 days in a month, that is 60*60*24*30). Then set the number of digits to round to | eval months_between = abs(RefAtual - refUser) / (60*60*24*30) | eval months_between = round(months_between,1)

Without knowing about your changes, it's hard to say what's happening. If you manually created or changed any .conf files though, I would check ownership and make sure they are owned by the splunk user. I've seen bundle validations fail when something doesn't have proper ownership.  

I try today with  that "allowSorting": false in my json code and is not working. Share my code: {     "type": "splunk.table",     "dataSources": {         "primary": "ds_z5csywhv"     },     "title": "Hits",     "description": "Daily",     "options": {         "columnFormat": {             "Daily_Hits": {                 "width": 65,                 "align": [                     "center"],                 "allowSorting": false             }         },         "tableFormat": {             "headerBackgroundColor": "#FFA476",             "headerColor": "#772800"                     },         "count": 5,         "fontSize": "small",         "font": "proportional",         "showRowNumbers": true             },     "context": {},     "showProgressBar": false,     "showLastUpdated": false }

The filldown command is not going to help me here. I don't think that I properly explained what I wanted to do. The original table looks like this: Hostname Vendor Product Version hostname1 Vendor1 Vendor2 Vendor3 Vendor4 Product1 Product2 Product3 Prodcut4 Version1 Version2 Version3 Version4 hostname2 Vendor1 Vendor2 Vendor3 Vendor4 Product2 Product4 Product3 Prodcut6 Version2 Version1 Version5 Version3 I want the new table to look like this: Hostname Vendor Product Version hostname1 Vendor1 Product1 Version1 hostname1 Vendor2 Product2 Version2 hostname1 Vendor3 Product3 Version3 hostname1 Vendor4 Product4 Version4 hostname2 Vendor1 Product2 Version2 hostname2 Vendor2 Product4 Version1 hostname2 Vendor3 Product3 Version5 hostname2 Vendor4 Product6 Version3