This worked like a charm - thank you!
You won't find events without a timestamp because Splunk always stores every event with a timestamp.  If the event does not come with a timestamp or if the timestamp is invalid then Splunk will use the timestamp from the previous event. The timestamp warning cited does not apply to the same sourcetype as the nullQueue transform.  The warning is for wlc_syslog and the transform is for wlc_syslog_rt0.
Hi @richgalloway, @ITWhisperer  I have a similar doubt but a little tedious:

Use case: In my org, primarily Mission Control events are investigated by SOC as soon as they pop up; if further investigation is needed the incident is escalated to the Enterprise Security TEAM, who is responsible to perform deeper/detailed investigation and update back in Mission Control.

USE CASE: The enterprise security manager wants a DASHBOARD which will inform him about: if the investigation is being performed by his team (ES) > how much average time his team member takes to resolve an incident (for now I'm only focusing on this) > averaged over a month.

Jeff is an ES resource & Stephen is a SOC resource. I want to pick end_time where resource is Stephen and notes is "Escalation to ES" and start_time where resource is Jeff and subtract them in order to get claim_time_by_ES.

So far the query I'm using but not successful yet is:

| mcincidents unwind_to=task
| search incident_id="3e864839-xyzab"
| eval is_es_team=if(IN(owner, "Jeff","Rama", "Mel"), 1, 0)
| eval is_soc_team=if(IN(owner, "Stephen", "Crossman", "Ruby","Cole"), 1,0)
| eval end_time_for_soc=if(is_soc_team==1 AND name=="Escalation to ES", end_time, null())
| eval start_time_for_ES=if(is_es_team==1, start_time, null())
| eval total_time_claimed=end_time_for_soc - start_time_for_ES

In the below snapshot of the log the columns are in the sequence: owner > start_time > end_time > total_time_taken > notes
I assumed (rather embarrassingly!) this restarted the deployment server splunkd! This is very useful. 
Thank you for sharing that link @burwell ! It was hugely helpful. What finally ended up working was the following. The additional where line was key. Thank you for helping me work through this!

| eval _time = strptime(Opened_At,"%Y-%m-%d %H:%M:%S")
| sort -_time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
#!/bin/bash
########################## FUNC

# Install the Universal Forwarder on RPM-based systems.
# The download URL is scraped from the public Splunk download page; note that
# no checksum or signature of the package is verified before installation.
function UFYUM(){
    cd /tmp
    rpm -Uvh --nodeps `curl -s https://www.splunk.com/en_us/download/universal-forwarder.html\?locale\=en_us | grep -oP '"https:.*(?<=download).*x86_64.rpm"' | sed 's/\"//g' | head -n 1`
    yum -y install splunkforwarder.x86_64
    sleep 5
}

# Install the Universal Forwarder on DEB-based systems (same unverified download).
function UFDEB(){
    cd /tmp
    wget `curl -s https://www.splunk.com/en_us/download/universal-forwarder.html\?locale\=en_us | grep -oP '"https:.*(?<=download).*amd64.deb"' | sed 's/\"//g' | head -n 1` -O amd64.deb
    dpkg -i amd64.deb
    sleep 5
}

# Point the forwarder at the deployment server and seed the admin account.
function UFConf(){
    mkdir -p /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/
    cd /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/

    cat <<EOF> /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/app.conf
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false
EOF

    cat <<EOF> /opt/splunkforwarder/etc/apps/nwl_all_deploymentclient/local/deploymentclient.conf
[deployment-client]
phoneHomeIntervalInSecs = 60
[target-broker:deploymentServer]
targetUri = XXXXXXXXXXXXXXXXXXXXXXX:8089
EOF

    # The initial admin password is embedded in this script in plain text;
    # replace the placeholder and protect the script accordingly.
    cat <<EOF> /opt/splunkforwarder/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = XXXXXXXXXXXXXXXXXXXXXXXX
EOF

    /opt/splunkforwarder/bin/splunk cmd btool deploymentclient list --debug
    /opt/splunkforwarder/bin/splunk start --accept-license
}

######################################################### MAIN

# Check for RPM package managers
if command -v yum > /dev/null; then
    UFYUM
    UFConf
else
    echo "No YUM package manager found."
fi

# Check for DEB package managers
if command -v dpkg > /dev/null; then
    UFDEB
    UFConf
else
    echo "No DEB package manager found."
fi
Got a nasty gram for posting links. Search online for freeload101 github, in scripts: Splunk_UniversalForwarder_Installer.bash
@NoSpaces - That could be true because Splunk applies Timestamp Parsing before Transforms (nullQueue). I hope this helps to understand why you are seeing the log. Please upvote and accept if this helps and resolves your query!!!
Hi. Perhaps you can show what your output looks like, but basically whatever the final fields are in the search results, those are the fields that can be used in email. What I often do is format up special fields to use in email/slack that are easier for the user to see. For example, I have a search that shows me missing indexers in a cluster manager. My code snippet is

| eval cluster_manager=host
| stats count by missing_indexer,cluster_manager
| eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")"
| eventstats values(missing_indexer_cm) as missing_indexer_cm

I create a new field missing_indexer_cm which combines 2 fields, missing_indexer and cluster_manager. So the output is approximately this:

missing_indexer  cluster_manager  count  missing_indexer_cm
---------------  ---------------  -----  -------------------
idx1.foo.com     cm3.foo.com      42     idx1.foo.com (cm3.foo.com)

And then in alerting I use $result.missing_indexer_cm$, but when users click on the results of the search they see the above with all the info.
@pujan - To tell you simply what "Universal Forwarder Credentials" is:

* An App that contains an SSL certificate and other stuff for the Splunk UF to send data to your Splunk Cloud stack.
* Also, I think it contains outputs.conf, to specify where data is going to be forwarded (address of your cloud stack).

To collect the Windows logs, as I can see you have already downloaded the Add-on for Windows. You can follow its documentation to see how to configure the inputs - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows

If you have more than 2-3 Windows forwarders to deploy the same Windows input on, I would prefer to deploy all these Apps, including the UF Cloud Credentials App, via deployment server. Reference - https://docs.splunk.com/Documentation/Splunk/9.1.3/Updating/Configuredeploymentclients

I hope this helps!!!
Does adding | addinfo help you @Mindy_McTiernan ? https://www.splunk.com/en_us/blog/tips-and-tricks/i-cant-make-my-time-range-picker-pick.html

| eval unixtime_Opened_At
| eval _time=unixtime_Opened_At
| addinfo
| timechart ...
Hi @ezamit, the solution from @ITWhisperer  is perfect! Ciao. Giuseppe
@raghul725 - You can use the token inside a subject of the Splunk email action. But it will take the first value from the field instead of the total. To do that, use this in your query instead of addcoltotals:

my_search
| chart count AS XXXX by YYYY
| appendpipe [| stats sum(File_Count) by Total_Delivered]

Use something like this in the subject of the email: Files count is $result.Total_Delivered$

Reference - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Alert/EmailNotificationTokens

I hope this helps!!!
| eval "delta(EpochOT)" = if(NO % 2 = 0, null(), 'delta(EpochOT)')
Thanks @gcusello . That's a great suggestion.  I added | delta EpochOT p=1 to the search and it gave me the following results. Is there a way we can do every other row in delta? I want Row 3 - Row 2, Row 5 - Row 4, Row 7 - Row 6 etc. Thanks again for your help
I'm literally getting this same error. Any solutions other than basically rebuilding?
Hello,

I am using the addcoltotals command to get the total value of a column and I would like to display the value returned by the addcoltotals command in the subject of the email when an alert is triggered.

my_search
| chart count AS XXXX by YYYY
| addcoltotals labelfield="Total Delivered"

The output is

Files | Files_Count | Total Delivered
F1    | 3           |
F2    | 5           |
F3    | 3           |
      | 11          | Total

I would like 11 to be displayed in the subject line. Tried various tokens but could not get it working.

Regards
Hi @ezamit, did you explore the delta command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)? Ciao. Giuseppe