Hi, The code is like index=main host=server10 (EventCode=4624 OR  EventCode=4634) Logon_Type=3 NOT user="*$" NOT user "ANONYMOUS LOGON" | dedup user | where NOT MsgID==AUT22673 | eval LoginTime=_time | table user LoginTime   The output will list active RDP user.  No idea how to fix the rest of it, either 1: If number of user == 0, then print "No Remote desktop user" 2: Or put number of user into a Single Value, Radial Gauge (not username) Sounds so easy but I cannot figure out how to fix it.  Too little Splunk experience. Rgds Geir

      I am appending results from below query,which will display difererent objectype suppliedMaterial: index="" source="" "suppliedMaterial" AND "reprocess event" |stats count | rename count as ReProcessAPICall | appendcols "" "suppliedMaterial" AND "data not found for Ids"| eval PST=_time-28800 | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=dataNotFoundIds path=dataNotFoundIds{}| stats values(*) as * by _raw | table dataNotFoundIds{},dataNotFoundIdsCount, PST_TIME3 | sort- PST_TIME3 ] | appendcols [search index="" source="*" "suppliedMaterial" AND "sqs sent count" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath sqsSentCount output=sqsSentCount | stats values(*) as * by _raw | table sqsSentCount PST_TIME4 | sort- PST_TIME4 ] | appendcols [search index="" source="" "suppliedMaterial" AND "request body" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=version path=eventBody.version | spath output=objectType path=eventBody.objectType | stats values(*) as * by _raw | table version, objectType ] | table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall For Material index="" source="" material" AND "reprocess event" |stats count | rename count as ReProcessAPICall | appendcols*" "material" AND "data not found for Ids"| eval PST=_time-28800 | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=dataNotFoundIds path=dataNotFoundIds{}| stats values(*) as * by _raw | table dataNotFoundIds{},dataNotFoundIdsCount, PST_TIME3 | sort- PST_TIME3 ] | appendcols [search index="" source="*" "material" AND "sqs sent count" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath sqsSentCount output=sqsSentCount | stats values(*) as * by _raw | table sqsSentCount PST_TIME4 | sort- PST_TIME4 ] | appendcols [search index="" source="" "material" AND "request body" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=version path=eventBody.version | spath output=objectType path=eventBody.objectType | stats values(*) as * by _raw | table version, objectType ] | table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall My actual is : objectType version dataNotFoundIdsCount sqsSentCount ReProcessApiCall suppliedMaterial all 4 15 12 suppliedMaterial latest 2 19   suppliedMaterial all 3 11   Material latest 6 10   Material latest 5 4   Material all 4 1   Material all 2 3     My Expected is : Basically I needed to count the two fields (dataNotFoundIdsCount & ssqsSentCount based on what version whether 'all' or 'latest') from the previous queries .  I am thinking to use the version as dynamic values , and bring conditional check  in those queries to add the field values for each version and name it as dataNotFoundIdsCount_all ,dataNotFoundIdsCount_latest. Finally in the last query again check the version and show the sum Please advise if there's a easy way of doing this ..  objectType version dataNotFoundIdsCount sqsSentCount ReProcessApiCall suppliedMaterial all 4 15 12 suppliedMaterial latest 2 19   Material all 3 11   Material latest 6 10  

Hi Splunk gurus, Just wanted to enquire if anyone has seen any correlation between high IOWait and CPU utilization? I have a client that is experiencing some search performance issues after upgrading from version 8.2.9 to version 9.0.6. Their users are complaining about search lag and overall slowness in Splunk Web when running searches. Just curious if anyone has encountered this? Thank you in advance for any answers given   Mikhael

Hi, May i know if i can push data from splunk to Dynatrace through this API https://docs.trustar.co/api/v20/index.html#tag/Submission/operation/searchSubmissions ? We're looking to have just one dashboard through Dynatrace. Hence the need to ingest data from Splunk. Thanks

Hello Team, By refering below attach screenshot. I updated Splunk from 8.1.1 to 9.1.0.2 . Below are the failed messages I can ( attached screenshot). Please let me know how I can overcome or fix this errors. ?

When i click on Sync with ThousandEyes button in User Experience i got the error message Sync with ThousandEyes failed.Please try again by inspecting the page, i found a 500 HTTP error to   "https://cisco-thousandeyes.saas.appdynamics.com/controller/restui/network/fullsync" [HTTP/1.1 500 Internal Server Error 3755ms] I used my AOuth token from ThousandEyes in the Integration settings in AppD and i can receive Alerts in AppD from ThousandEyes, so this error is not related to the token, and it looks more an internal error from AppD server side