This helped me so much. When I say that I've been racking my brain on why this wouldn't work for the last 9 hours. I found this earlier, but I put it in the powershell. I was defeated. I then came back and read this again and saw that you said to put it into the cmd. It worked immediately. I'm so grateful.

Slight variation on @PickleRick example, your foreach statement only needs to be | foreach "*" [ eval <<FIELD>>=case('<<FIELD>>'=0, " ", '<<FIELD>>'>0, " ", 1==1, '<<FIELD>>') ]  The above allows for count > 1 with the green tick, but if it will either be 0 or 1 then you can make it so There is no need to test for the queue name, as long as it's never numeric

Your search= statement is simply looking for that index=oracle somewhere in the dashboard. If you have index="oracle" or index = oracle then it won't match, so it may be better to do a regex where clause, where you do ... | where match('eai:data', "(?i)index\s*(=[\s\"]*|in\s+\([\w,]*)oracle") what is an example of a metrics index search that is not showing up?  

What I am saying is that @gcusello's solution is the most generic because day, hour, minute can be algorithmically determined with no ambiguity.  These are time units, whereas year and month are calendar concepts.  You cannot have month as duration because there is no meaningful definition of a month. (Week, on the other hand, can be calculated.)  Using year is not very accurate.  Yes, you can use 365.25 but that is still an approximation.  If you insist on using year (but forego month), you can continue to use your formula, or this simplified one   | eval duration=strptime(till,"%m/%d/%Y %I:%M %p")-strptime(from,"%m/%d/%Y %I:%M %p") | eval years = round(duration / 86400 / 365.25) | eval duration = years . " year(s) " . tostring(duration - years * 365.25 * 86400, "duration")   The only way to define a "month" with time interval (duration) is if you choose a reference calendar.  For example, use the Unix epoch zero calendar, namely 1970.   | eval duration=strptime(till,"%m/%d/%Y %I:%M %p")-strptime(from,"%m/%d/%Y %I:%M %p") | eval years = tonumber(strftime(duration, "%Y")) - 1970 | eval months = tonumber(strftime(duration, "%m")) - 1 | eval ymdt = years . " year(s) " . months . " month(s) " . strftime(duration, "%d") . " day(s) " . strftime(duration, "%T")   Of course, you can also change reference calendar to a different year.  But honestly I cannot see any useful application of this format. Here is an emulation:   | makeresults format=csv data="from, till 11/28/2023 03:38 PM, 11/28/2024 04:08 PM" ``` data emulation above ```   It will give the following duration from months till years ymdt 31624200.000000 11/28/2023 03:38 PM 0 11/28/2024 04:08 PM 1 1 year(s) 0 month(s) 01 day(s) 16:30:00

Hi this depends on your use case and where and how you have installed Splunk. In on premise in most cases block storage is the best/only suitable solution. You haven’t enough good (fast+bandwith) storage network + storage for object storage. But in cloud e.g. AWS you could use object storage (S3) if/when you could build your environment with enough big local cache (NVMe). Basically most of your requests must hit into cache and then it works, but if too many requests goes to S3 then you suffer bad response time and user experience. r. Ismo

Hi it’s like @richgalloway said, but I think that you could try to write your own “backend” and use scripted authentication method in splunk? But I’m quite sure that this is not worth of needed work for create and update that backend? r. Ismo

The field name is log.stdout. | spath input=log.stdout See my earlier comment https://community.splunk.com/t5/Splunk-Search/How-to-use-spath-with-string-formatted-events/m-p/670776/highlight/true#M229914 

Hi @QuantumRgw , this should be a different issue: it seems that there's a delay in search executions. This could be caused by insufficient hardware resources or too many scheduled searches. Wait for a while and see if this issue continue to be present. Then analyze the load of your system using the Monitoring Console. Ciao. Giuseppe

Hi @Mr_Adate , it isn't a good idea to add a new post, even if on the same topic, to an existing question (especially when closed!) because it's more difficoult to have an answer, so, next time open a new question. Anyway, what do you mean with "compare": do you want to filter the rows of one lookup with the ones of the second? or do you want to know if a value is present in both the lookups or in one of them? if the first, please try something like this: | inputlookup Firewall_NEW_Database.csv WHERE [ | inputlookup Firewall_OLD_Database.csv | rename Firewall AS Hostname | fields Hostname ] | table Hostname Location Datacenter if the second, please try: | inputlookup Firewall_NEW_Database.csv | eval lookup="Firewall_NEW_Database.csv" | append [ | inputlookup Firewall_OLD_Database.csv | rename Firewall AS Hostname | eval lookup="Firewall_OLD_Database.csv" | fields Hostname Location Datacenter lookup ] | stats values(Location) AS Location values(Datacenter) AS Datacenter dc(lookup) AS lookup_count values(lookup) AS lookup BY Hostname | eval lookup=if(lookup_count=2, "Both lookups",lookup) | table Hostname Location Datacenter lookup Ciao. Giuseppe