thanks! i don't get all cells=0, no results when using the where clause (if i remove `where` i see that cells==0 exist) . i found a ticket: https://community.splunk.com/t5/Splunk-Search/How-to-show-only-fields-over-0/m-p/164589 maybe i can't do it with timechat? | eval _time=strptime(TimeStamp, "%F %T") | timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f | where CountEvents=0

@Bisho-Fouad - Why do you want to create input on all heavy forwarders?  * I think this will duplicate the data. There is no necessity to create index on all heavy forwarders. Only where you are configuring the input.

Hi @darkhorse91, you have to use a subsearch, with the limitation that you cannot have more than 50,000 results from the subsearch,  if: the current search is on index=current and runs on the last day, the retrospetive search runs on index=retrospective and the last 30 days,  the common field is my_field and it has the same name in both the searches, you could try something like this: index=retrospective earliest=-30d latest=now [ search index=current earliest=-24h latest=now) | dedup my_field | fields my_field ] You have to adapt my approach to your searches. Ciao. Giuseppe  

Hi @EricLBP   - I’m a Community Moderator in the Splunk Community.  This question was posted 11 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 

Hi @maayan, with this search you can list all the alerts | rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title and with this search yu can list the fired alerts index=_audit action="alert_fired" | rename ss_name AS title | join title [ | rest /services/saved/searches | table title, alert_threshold ] | timechart values(alert_threshold) AS alert_threshold count by title Ciao. Giuseppe

thanks! i use TimeStamp and not _time. how do i use it in my query?   | addinfo | fieldformat info_min_time=strftime(info_min_time,"%c") | fieldformat info_max_time=strftime(info_max_time,"%c") | where strptime(TimeStamp,"%F %T.%3N")>info_min_time AND strptime(TimeStamp,"%F %T.%3N")<info_max_time ```Divide the time to intervals ``` | eval TimeStamp_epoch = strptime(TimeStamp, "%F %T") | bin TimeStamp_epoch span=2d | eval interval_start = strftime(TimeStamp_epoch, "%F %T") | eval interval_end = strftime(relative_time(TimeStamp_epoch, "+2d"), "%F %T") | eval interval_end = if(strptime(interval_end, "%F %T") > now(), strftime(now(), "%F %T"), interval_end) | eval time_interval = interval_start . " to " . interval_end | chart count(Name) over machine by time_interval

Should I expect that the threat intelligence that is streaming in is being ran against the events in my environment automatically?  I would not expect that, most vendors don't intergrade with the Splunk ES threat intel framework they just make the TI data available in Splunk via a lookup file or by putting it in a index. If you want to be sure the TI info is flowing into the threat intel framework I suggest you add the data there either by revering to the app created lookup (if any), by creating your own lookup from the indexed data or by adding a TAXII/STIX feed. See for more info: Splunk Latern  Splunk Docs  

The query is used in a dashboard panel as a statistical table with single row.  the data is usually  not available on regular intervals. Hence we would like to show the last available data instead of “no results found” when there is no data for the selected default time range that we have set.