If I have the following table using columns DATE and USAGE, is there a way to create a 3rd column to display the difference in the USAGE column from Day X to previous day?   DATE USAGE Feb-28 Feb-29 Mar-01 Mar-02 Mar-03 Mar-04 Mar-05 Mar-06 Mar-07 Mar-08 Mar-09 Mar-10 Mar-11 Mar-12 17.68 gb 18.53 gb 19.66 gb 21.09 gb 22.04 gb 23.21 gb 24.20 gb 24.94 gb 25.64 gb 26.80 gb 27.79 gb 29.07 gb 30.09 gb 31.01 gb

I'm running stats to find out which events I want to delete. Basically I'm finding the minimum "change_set" a particular "source" has. Now, I want to delete these sources with the least "change_set".   Note: the events also has a lot of attributes apart from change_set and source.   index=test | stats min(change_set) by source   (Now delete the events which has that source and change_set. ```   How can I write the delete operation with this query? (the most optimal way) @gcusello @ITWhisperer @scelikok @PickleRick    Thanks

We are using the Android agent for AppDynamics and R8 to obfuscate the code. The corresponding mapping file was uploaded, AppDynamics recognizes it and "deobfuscates" the stacktrace, but in the end both versions are identical and include obfuscated method names. This happened with multiple app releases and crashes. Locally I am perfectly able to retrace the stacktrace provided by AppDynamics with the uploaded mapping file.  Does someone have an idea what may be the reason for this? AppDynamics Gradle Plugin version: 23.6.0 Android Gradle Plugin version: 8.1.4

index="abc" aws_appcode="123" logGroup="watch" region="us-east-1" (cwmessage.message = "*Notification(REQUESTED)*") |stats latest(_time) as start_time by cwmessage.transId |join cwmessage.transId [search index="abc" aws_appcode="123" logGroup="watch" region="us-east-1" (cwmessage.message = "*Notification(COMPLETED)*") |stats latest(_time) as cdx_time by cwmessage.transId ] [search index="abc" aws_appcode="123" logGroup="watch" region="us-east-1" (cwmessage.message = "*Notification(UPDATeD)*") |stats latest(_time) as upd_time by cwmessage.transId ] |join cwmessage.transId |eval cdx=cdx_time-start_time, upd=upd_time-cdx_time |table cwmessage.transId, cdx,upd From above query I'm using index query in multiple times, i want to use it as base search and call that in all nested searches for the dashboard. Please help me. Thanks

Hi Everyone, I am trying to replicate log modification that was possible with fluentd when using splunk-connect-for-kubernetes.       splunk_kubernetes_logging: cleanAuthtoken: tag: 'tail.containers.**' type: 'record_modifier' body: | # replace key log <replace> key log expression /"traffic_http_auth".*?:.*?".+?"/ # replace string replace "\"traffic_http_auth\": \"auth cleared\"" </replace>       Now since the above charts support ended we have switched to splunk-otel-collector. Along with this we also switched the logsengine: otel  and now having a hard time replicating this modification. Per the documentation I read this should come via processors (which is the agent), please correct me if I am wrong here. I have tried two processors but both doesn't work.  What I am missing here?     logsengine: otel agent: enabled: true config: processors: attributes/log_body_regexp: actions: - key: traffic_http_auth action: update value: "obfuscated" transform: log_statements: - context: log statements: - set(traffic_http_auth, "REDACTED")       This is new to me, can anyone point me where this logs modifiers can be applied.  Thanks, Ppal