Hi, please try below:
| stats max(A) as ACnt, max(B) as BCnt, max(C) as CCnt by month, id
| stats sum(ACnt) as ACnt, sum(BCnt) as BCnt, sum(CCnt) as CCnt by month
Hi @ucorral, it's really strange, because this seems to be a csv file and you don't have INDEXED_EXTRACTIONS = csv in props.conf of the Universal Forwarder. Ciao. Giuseppe
Hi @Utkc137, you could try stats with eval:
<your_search>
| stats
count(eval(A=1)) AS A_id_cnt
count(eval(B=1)) AS B_id_cnt
count(eval(C=1)) AS C_id_cnt
BY month
If it doesn't run, please try also:
<your_search>
| stats
count(eval(A="1")) AS A_id_cnt
count(eval(B="1")) AS B_id_cnt
count(eval(C="1")) AS C_id_cnt
BY month
Ciao. Giuseppe
Hi @gcusello, that's correct. I used the GUI data extraction feature to obtain the parameters, and the output (shown above) was applied in my props.conf file.
Hi @Utkc137, if the field name having values A, B and C is "id_cnt", you could use the chart command:
<your_search>
| chart count OVER month BY id_cnt
Ciao. Giuseppe
Greetings, I am struggling with creating a table in Splunk which would do the following transformation: find the distinct count of id for A, B, and C where the value is 1, by month. Currently, I am calculating values for each column individually using eventstats and combining the results. However, we have a lot of columns (a, b, c, d, ...) and thus the SPL does not perform efficiently. Looking for a more efficient approach to this. Thanks in advance!
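The following is an added, runnable example and is not code from any post above. It builds a handful of constructed sample events with makeresults (the field names month, id, A, B and C follow the question) and computes the distinct count of id per month for each flag in a single stats pass, by passing dc() an eval that returns the id only when that column equals 1. This avoids one eventstats per column.

```spl
| makeresults
| eval data="2024-01;u1;1;0;1|2024-01;u1;1;1;0|2024-01;u2;1;0;0|2024-01;u3;0;1;1|2024-02;u1;0;0;1|2024-02;u2;1;0;1|2024-02;u2;1;0;1"
| makemv delim="|" data
| mvexpand data
| rex field=data "^(?<month>[^;]+);(?<id>[^;]+);(?<A>[^;]+);(?<B>[^;]+);(?<C>[^;]+)$"
| fields - _time data
| stats dc(eval(if(A=1, id, null()))) AS A_id_cnt
        dc(eval(if(B=1, id, null()))) AS B_id_cnt
        dc(eval(if(C=1, id, null()))) AS C_id_cnt
        BY month
```

On the constructed data this yields A_id_cnt=2, B_id_cnt=2, C_id_cnt=2 for 2024-01 (u1 appears twice but is counted once) and A_id_cnt=1, B_id_cnt=0, C_id_cnt=2 for 2024-02. The first six lines only fabricate input; in practice replace them with your own base search. When there are many flag columns, the same idea can be written once instead of per column with foreach, for example `| foreach A B C [ eval <<FIELD>>_id=if('<<FIELD>>'=1, id, null()) ] | stats dc(*_id) AS *_id_cnt BY month`; the wildcard in the stats rename is supported by Splunk, but check the column list against your schema before relying on it.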
Thank you Giuseppe, I just voted for your EID-I-72 idea. Then I'll stay with modifying the menu using the UI. The problem is there is no way to delete local/data/ui/nav/default.xml using the UI. Or is there a workaround?
Hello @drew19, does the `suppression` macro help? If not, I would suggest creating a custom macro where you can filter based on fields and use the same in all the searches. Please accept the solution and hit Karma, if this helps!
Hello @ThuLe, there should be an input available in the dropdown menu. Can you please confirm if this is something you are looking for? Please accept the solution and hit Karma, if this helps!
Hello @VK18, if you are using ES, you would be able to see the Retention Period under ES -> Audit -> Data Model Audit. You can also see the retention period through the search below:
| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval key=replace('title',"tstats:DM_".'eai:acl.app'."_",""), datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","")
| rename summary.time_range AS retention
| eval retention=retention/(60*60*24)
| table datamodel retention
Please accept the solution and hit Karma, if this helps!
Hello @almomani, first and foremost, if the new SHC build is not in place, you can build a cluster and include the current SH as a member to replicate the KOs along with the KVStore. However, if two clusters are already in place, you will manually need to append values for incident_review_comment_lookup, incident_review_lookup and incident_updates_lookup. You may also want to have events under the notable and risk indexes if required. Please let me know if you have any follow-up questions. Also, please test it out on dev/pre-prod before appending values in Production.