@bowesmana  Does the "Score" variable on "eval" pipe always indicate a total Score if applied after "addcoltotals"? Thank you so much. | addcoltotals | eval Score = if(isnull(Student), floor(Score), Score)  

Hello @landzaat could you provide screenshot of whole screen showing this error? Thanks. For your information schedule PDF delivery may create ScheduledView like this and maybe there is limit in name size :       * If this helps, please upvote or accept solution *

Thanks @isoutamo . This works as expected and only thing is not grouping the the user_id but rather it's grouping by timeformat/_time every 1 hr.   is it possible to group by user_id? current spl: base search | rex user_id | eval takeIn = case (_time>=relative_time(now(),"@d") ,"take", _time<=relative_time(now(), "-1d"), "take", true(), "drop") | where takeIn = "take" | timechart span=1h count | timewrap d series=short | fields _time s1 s0 | rename s1 as today, s0 as yesterday | where today !=""

Hi @parthiban, ok, you could use this approach: create an alert that doesn't send an email running this search: index= "XXXXX" "Genesys system is available" | spath input=_raw output=new_field path=response_details.response_payload.entities{} | mvexpand new_field | fields new_field | spath input=new_field output=serialNumber path=serialNumber | spath input=new_field output=onlineStatus path=onlineStatus | where serialNumber!="" | lookup Genesys_Monitoring.csv serialNumber | where Country="Bangladesh" | stats count(eval(onlineStatus="offline")) AS offline_count count(eval(onlineStatus="online")) AS online_count earliest(eval(if(onlineStatus="offline",_time,""))) AS offline_time earliest(eval(if(onlineStatus="online",_time,""))) AS online_time | fillnull value=0 offline_count | fillnull value=0 online_count | eval condition=case( offline_count=0 AND online_count>0,"Online", offline_count>0 AND online_count=0,"Offline", offline_count>0 AND online_count>0 AND online>offline, "Offline but newly online", offline_count>0 AND online_count>0 AND offline>online, "Offline", offline_count=0 AND online_count=0, "No data"), search="Device went offline and recovery status" | search condition="Offline" OR condition="Online" OR condition="Offline but newly online" | table search condition | collect index=summary then you can run a search like the following: index=summary search="Device went offline and recovery status" | stats dc(condition) AS condition_count last(condition) AS condition_last values(condition) AS condition | search (condition_last="Offline" condition_count=1) OR (condition_last="Online" condition_count>1) with an email action to informa yo that there's a new offline or there's an online adter te offline. Please check the conditions because I cannot do, but they should be correct. Ciao. Giuseppe

Hi @gcusello  I understood your first point. However, in our case, we don't want that type of requirement. Once we identify the offline message, we don't want to receive repeated alerts because we have already created a ticket for that incident. We only need to be notified once the device becomes online. Throttling won't work for our requirement I believe, as we already have a similar alert mechanism in our observability tools. We aim to implement the same in Splunk. For better understanding, I've provided an example.   Please guide me anyway to achieve this requirement. 1st search  - OFFLINE  - alert will trigger 2nd search - OFFLINE  - alert suppressed 3rd search  - OFFLINE  - alert suppressed 4th search  - ONLINE    - alert will trigger 5th search  - ONLINE    - alert suppressed 6th search  - OFFLINE - alert will trigger 7th search  - OFFLINE  - alert suppressed 8th search  - OFFLINE  - alert suppressed 9th search  - ONLINE  - alert will trigger 10th search  - ONLINE  - alert suppressed . . etc

I don't think any of those addons contains such functionality. You would need to explicitly gather such info with scripted input utilizing probably dmidecode in Linux case (which is an external tool and doesn't have to be installed on your system) and some other tool on Windows (I'm not even sure there is a standardized way of doing that with vanilla Windows installation).

Also please note (it's worth mentioning because that's not obvious) that if you aggregate some values into several multivalued fields (like in your case - multivalued VM field and col2 field) the contents of those multivalued fields are from now on independent on each other. So you can't for example - sort one using the order of the other. Again - it's not a spreadsheet.

I'm still not sure what are the source datasets and what should be the result. I see some attempts at solving this riddle in the thread but I'm not 100% sure we're all on the same page regarding what we're working with and what we want to achieve in the end. Could you please post samples of your data and what the result should look like?

While I didn't do comparison tests myself, the general consensus is that XML-rendered windows logs are the better choice. They do not cause problems with parsing (there were some problems with ambiguous data in the traditionally formated data I recall vaguely; probably more experienced with older versions colleagues could tell you more). Also they tend to be actually smaller than traditionally formatted logs.