Good morning Ryan, for the first link doc you passed to me this is the description of the processing time: I must say it doesn't say anything if value is expressed in Seconds or Milliseconds. In the second link the processing time I'm founding is the following and it's about the pre-build metric which was clear to me that was expressed in seconds: My question was the following: I'm in the analytics section I'm investigating the sap_idoc_table I double click one single row I see a field called PROCESSING_TIME = 0011123 like the following How can I know in what measure this is expressed? (from what piece of documentation? or from where in the product?) In AppD I went into the default dashboard provided for the Idoc and I double clicked on table with the title "Idoc Errors". There it seems we have the same field but mapped as follow: Am I correct to assume that this field is equal to the one called "PROCESSING_TIME" seen in the analytics engine ? If so, I'm wondering how comes that here I can see it mapped and explicitly declared and in the analytics I can only see the value as a string of text. Best regards

  thank you. With huge dashboard looks like I am hitting maximum concurrent searches Splunk allows was try to see if I could combine. would append [search…] would be started as new concurrent search?

Hi @Satyapv , as @yuanliu said, I don't understand why to put disomogeneous results in te same search. Anyway, you could use the append command, but you'll have empty values in the columns of the other search: index=IndexA | stats Count(X) AS X Avg(Y) AS Y BY XYZ | append [ search index=IndexB | stats Count(K) AS K Max(M) AS M by KM ] Ciao. Giuseppe

Hi @mlevsh, the easiest way is asking to remove that rule because it isn't useful! Anyway, you should list all the existing indexes in the WHERE condition: | tstats count where index IN (index1,index2,index2) by index host | fields - count to avoid to repeat this list in every command, you could also put all these indexes in a macro or an eventtype and use it in your searches. Ciao. Giuseppe

Hi @Mien, if the days in which you're receiving less data aren't the weekend, you should analyze if in that days there are some scheduled activities or a downtime of that systems. In addition, you should analyze if this behaviour is all weeks or only in one. then compare /opt/splunk/var/log/splunk/metrics.log file dimensions to understand if the issue is on Splunk or on the system. Ciao. Giuseppe

Sorry, but SGT+8 corresponds to UTC. If you want to chenge the time format from the displayed to  "%Y-%m-%d %H:%M:%S" you should use eval with the time functions: | eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S") Ciao. Giuseppe

Forget Splunk.  If there are no common fields between indices, can you illustrate what the stats result would look like?  Please show some sample tables of field values in each index (in text, anonymize as needed).  Then, illustrate the corresponding output table (also in text) that you envision with the two data data tables.  If anonymizing data is difficult, illustrate mock data tables and calculate desired output table by hand, so volunteers can understand your use case. Let me also point out that your illustrated mock code, "Stats Count (X) Avg(Y) by XYZ", is confusing because you mentioned no field named XYZ.  The other mock code, "stats Count (K) Max(M) by K M", also doesn't make sense because when you group by M, Max(M) can only have the value of that group M, unless K and M do not appear in the same event, in which case Max(M) is null.

If any of the codes, including your initial code, give output that doesn't suit the needs, please post sample data (anonymize as needed) that lead to such output, actual output (anonymize as needed) from such code, and explain what the desired output should look like. (And how the desired output is different from actual output if that is not painfully obvious.) Your initial code performs transaction on user.  After excluding closed transactions, what remain in the stream are events with eventcode 4769 that do not have those three eventcodes for the same user, as well as events with eventcodes that are not those three.  Isn't this what you ask for?

Yep, thats a valid and nice SPL(the eval(score>0)).  or the "!=" also should do the trick...  | stats count(eval(score!=0)) as Total_Non_Zero_Vuln by ip the stats, eval commands give us so many options, very nice!  

I tried what you suggested, but I was unable to get the results I expected. To resolve the issue, I had to disable Java log enrichment feature in Dynatrace OneAgent to stop OneAgent from injecting   {dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}  into my logs. Now things are back to normal.