while searching through all time  in filter  drop down, i am getting NaN value for "$tokLatest$", I don't know why its coming. For others like- week to date, month to date its coming fine. Only issue  is coming for All time.   I don't know why its coming. Below is the code snippets. Any solution for this??????? How  can we use if else case condition in case of NaN.  so that I can use now() in case of NaN. Any solution????????? <search> <query> |makeresults </query> <earliest>$timepicker.earliest$</earliest> <latest>$timepicker.latest$</latest> <progress> <eval token="tokEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval> <eval token="tokLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval> <eval token="tokEarliest1">strftime(relative_time(tokEarliest,"-330m"),"%Y-%m-%d %H:%M:%S.%3N")</eval> <eval token="tokEarliest1">strftime(relative_time(tokLatest,"-330m"),"%Y-%m-%d %H:%M:%S.%3N")</eval> </progress> </search> <description>draft event ingestion rate by wfm at day or hour level</description> <fieldset submitButton="true" autoRun="false"> <input type="time" token="timepicker" searchWhenChanged="false"> <label>Time Range</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset>

Hi everybody, I have the following problem and cannot seem to be able to wrap my head around it: I have a bunch of eventtypes (close to 1000). Some of those eventtypes have certain thresholds which are greater than zero. I look the values up from a csv For a single host, I'd like to Chart the number of occurrances for an eventtype IF That number of occurrances is higher than the aforementioned threshold The chart shall also contain a static line depicting the threshold value Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because added something to the result using eval just wont work.     index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$" | lookup my-events eventtype | eventstats count by eventtype | where alert_threshold > 0 AND count > alert_threshold | stats count by eventtype | eval Threshold = alert_threshold    What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart. Any help is much appreciated. Thank you

Hi, have  SPL that generates months of data. I want subtract just the last two columns. The fields will change month to month, so I can't hard code. Given the below sample, how can I get lastMonthDiff without hardcoding the field values? Thank you! Chris       | makeresults | eval "2202-01"=1 | eval "2202-02"=2 | eval "2202-03"=5 | eval "2202-04"=4 | append [| makeresults | eval "2202-01"=4 | eval "2202-02"=5 | eval "2202-03"=7 | eval "2202-04"=3 ] | append [| makeresults | eval "2202-01"=5 | eval "2202-02"=2 | eval "2202-03"=7 | eval "2202-04"=9 ] | fields - _time |foreach * [eval lastMonthDiff = '2202-03' - '2202-04']      

Hello everyone! Currently I am integrating Splunk into our project, working with a local installation of Splunk Enterprise to test the waters and find my way around with Splunk itself. I am using the HttpEventCollectorSender class from the Splunk Package. My issue is the following: No matter in which format I send a message with the HEC Sender, I will always get the following exception:      Web Exception: Server Reply: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0} Response: StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers: { Date: Mon, 02 May 2022 10:39:30 GMT X-Content-Type-Options: nosniff Vary: Authorization Connection: close X-Frame-Options: SAMEORIGIN Server: Splunkd Content-Type: application/json; charset=utf-8 Content-Length: 78 } HResult: -2146233088     The code that I use for sending is almost line by line from the HEC Tutorial from Splunk (Added some more Send-commands at the bottom to try out different formats)     var middleware = new HttpEventCollectorResendMiddleware(0); var ecSender = new HttpEventCollectorSender( new Uri("https://splunkserverdefaultcert:8088/"), <token>, null, HttpEventCollectorSender.SendMode.Sequential, 0, 0, 0, middleware.Plugin ); ecSender.Send(Guid.NewGuid().ToString(), "INFO", null, <message>); ecSender.Send(Guid.NewGuid().ToString(), "INFO", <message>); ecSender.Send(data: <message>); ecSender.Send(message: <message>); ecSender.Send(Guid.NewGuid().ToString(), "INFO", null, data: new { testProperty = "testing" }); ecSender.Send(data: new { testProperty = "testing" }); ecSender.FlushAsync().Start();     No matter how I format the message that I send, I will get the error that I mentioned above. Since the error seems to indicate a formatting issue, I already tried different formats of sending the message. Looking into the errors that are getting logged I can see how the actual message that is getting sent looks, so I can confirm that the following formats do not work:     {"time":"1651492587,089","event":{"data":"This is an event"}} {"time":"1651492587,089","event":{"message":"This is an event"}} {"time":"1651494076,162","event":{"id":"00588efd-f403-4cf7-95ce-4ef2a28b0f93","severity":"INFO","data":"This is an event"}} {"time":"1651494076,162","event":{"id":"00588efd-f403-4cf7-95ce-4ef2a28b0f93","severity":"INFO","message":"This is an event"}}     However, if I just do it with curl as follows, everything seems to work perfectly fine!     https://splunkserverdefaultcert:8088/services/collector/event/1.0 -k -H "Authorization: Splunk <token>" -d "{\"time\":\"1651492587\",\"event\":{\"data\":\"This_is_an_event\"}}"     Do you know what could be causing this error, and what I am doing wrong? Edit: I can now say that this happens also with other Splunk servers, not only with my local one. Curl works, but the HEC Service Implementation always throws the error mentioned above. If you have any ideas, I would be really thankful for some input!

I'm going to the page below and selecting Windows OS,  I'm then redirected to the download page. I get the error: There was an error loading this page Please try again in some minustes. I'm tried on different browsers and another computer but still not working. Anyone let me now, how can I download it? 

Hi All, I need to correlate data from 2 different Indexes wherein the field name is common.   Index=idx1  ( This index has general user info)  Field Name:  sys_created_by Value: <email id of the user> Other fields in idx1 of interest: login_time Index=idx2  ( This is the Index which has URLs accessed by the user) Field Name:  sys_created_by Value: <email id of the user> The url  information is stored in a field called "url" in idx2. Use case is to take the sys_created_by field from IDX1  and lookup/search for all urls  in IDX2  accessed by  the   sys_created_by coming from idx1.    I cannot rely on sys_created_by field from idx2 alone as it doesn't have all the other user attributes that are in IDX1 such as login_time.   Hence i need to correlate data across the two indexes. Do i need to do which will merge the sys_created_by from both indexes ?   eval common_field = coalesce(sys_created_by, sys_created_by)   I tried something like :   (index=idx1 sys_created_by!="") OR (index=idx2 sys_created_by!="" url!="") | stats values(url) values(login_time) BY sys_created_by   But this doesn't show results as expected.  Is there a way to reference my common field like shown below in BY ;  to tell Splunk which idx it needs to refer ?   | stats values(url), values(login_time) BY ( idx2.sys_created_by)