Hello Experts, I am stuck with a timechart % query and I want to sort basis a field count and not the default sort on alphabetical order it is counting There are two queries, it be best if I can get a help or workaround in both the one   Query - 1 index=xyz catcode="*" (prodid="1") (prodcat="*") success="*" | eval TheError=if(success="false" AND Error like "%%",count,0) | timechart span="15m" eval(round(sum(TheError)*100/sum(count),2)) by catcode useother=f In above query I want to find an option to sort it by catcode and not the default in alphabetical order   OR   Query 2 index= xyz (prodid="1")  (prodcat=*) (catcode=*) success=* | timechart span=1w sum(count) by catcode limit=10 useother=f usenull=f | untable _time catcode count | eventstats sum(count) as Total by _time | eval Fail_Percent=round(count*100/Total,2) | table _time, catcode, Fail_Percent | xyseries _time catcode Fail_Percent | sort -catcode In above query all is fine but I dont want 'eventstats count as Total' as it counts all events. I want to have this counted as Total by catcode and then calculate the % Can you help please.   Thanks in advance Nishant

Hi,  I habe a table after using stats: | stats values(durationSum) as duration by Fauf Station. How can I convert it to a table with only one line in such a format: Fauf duration_Station1 duration_Station2, duration_Station7, duration_Station10 Thanks for helping in advance!    

Hello everyone, I have a csv file which shows me the power status of the server i.e if the server is powered on or off. I want to make a table with powered on as individual row and powered off as another individual row and show the total no of powered on servers and powered off servers as count

Hello Members, I have a basic question - I am not sure how to get data into splunk, into a custom index, use a source type, and then exrract fields. I have the add-0n installed for Cisco network devices, but not sure it is the correct app to use for my case. I have a remote syslog server (running rsyslog) that builds log files for cisco switches and routers. I have a universal forwarder installed on the syslog server, it forwards data to splunk IF I configure it correctly.  I have tried configuring the Splunk receiver two ways: one using the "Forwarding and receiving" option from the "DATA" area - this works - but only allows showing data from the host sending the log info. And uses only 1 port, I am using 9997. I have not seen how to set a data source or source type for the incoming data.   The second way seems to be using the "Data Inputs" part of the "DATA" area.  This seems to not be possible, as the data is coming from a Universaly forwarder not a Splunk Enterprise configured as a forwarder.   How can I assign a source type and index to the data that does come in from the host that is configured with port 997 as a receiver?  Sorry for such a confusing question, Regards, eholz1    

I have data that looks like the following: Week               Employee        Project# 6/3/2022         A                      001 6/3/2022         A                      002 6/10/2022       A                      002 6/10/2022       B                      002 6/17/2022       A                      003 6/17/2022       B                      001 6/17/2022       B                      002 6/24/2022       B                      001 I would like to get a count of the total of the number of distinct weeks that employees appear in the data regardless of how many projects they have an entry for .  So, for the above the count should be 6 as below: 6/3/2022 > Employee A > Count=1 6/10/2022 > Employee A and B > Count=2 6/17/2022 > Employee A and B > Count=2 6/24/2022 > Employee B > Count=1 Is there some way I can use multiple fields in Distinct Count to accomplish this?  

I have a lookup table with only one field, named host. The table contains a list of hostnames.  I'm trying to find a way to get a count of events by host using this lookup table as the input (i.e. the hosts I want a count for).  I've tried a variety of approaches. For example:      |inputlookup file.csv | stats count by host     Every host returns a count of 1.      |inputlookup file.csv | join type=left host [|tstats count by host]     About a dozen hosts return counts; the rest return null values.  Complicating this problem seems to be case. If I crunch all the hosts to upper or lowercase, I get different results, but neither returns a complete result set. That seems super odd given that field values aren't case sensitive. I've tried crunching case with eval as well as in the lookup table itself, to no avail.  We're stumped. What is the best approach to use a lookup table of hostnames to get an event count by host?

I'm trying to run a query to figure out the top 10 src_ip's along with their top 10 urls visited. When I try the below query it's giving me every src_ip instead of just the top 10. Any suggestions on how to limit the search for just the top 10 src_ip by top 10 url? I've been running something like this: index=firewall | stats count by src_ip, url | sort 0 src_ip -count | streamstats count as standings by src_ip | where standings < 11 | eventstats sum(count) as total by category | sort 0 -total src_ip -count