I have host stop event logged in a summary index Index=summary search_name=feed_status Host_name Host_status Host1a Host_stop Host2b Host_stop Host4a Host_stop Host1b Host_stop Host3a Host_stop I also have a lookup table for failover paired hosts. Host_primary Host_secondary Host1a Host1b Host2a Host2b Host3a Host3b Host4a Host4b I need to generate the host stop alert when both failover paired hosts are stopped. In this case alerting on Host1a and Host1b stopped.

Hello Community, I have quite a strange issue to face... For a project I'm working on, I would need to create a new case if the search returns no events. I've tried to create a dummy example to make myself clear: | makeresults | eval letter1="A", letter2="B", letter3="C" | append     [| makeresults     | eval letter1="D", letter2="E", letter3="F"] | search letter1="K" | appendpipe     [| ??ifnotresults??     | append         [| makeresults         | eval letter1="X", letter2="Y", letter3="Z"]     | where false() ] | table letter1 letter2 letter3   In particular, I have no idea how to evaluate the ??ifnotresults??  part. Do you think it is possible to achieve this? Thanks in advance for your kind support

Hello I have a field called hostName which contains hosts: host1\user1 host1\user2 host2\user2 host3\user3 And I want to basically do a count of the number of times each host appears: so: Host1 = 2 Host2 = 1 Host3 = 1 So I want to cut the data after the backslash (\) and display the host part of the data as a count. I worked out the regex for this is ".+?\\" on Regex 101 but I am not able to figure it out with the rex field commands Thank you! 

hello   In my timechart, I just need to display events between 7h in the morning and 19h in the evening So I am doing this and it works fine   | eval local_time=strftime('_time', "%H%M") | search local_time >="0700" AND local_time <="1900" | timechart span=5min dc(s) as "s"   but I also need to display on my x axis timechart, only the hour between 7h in the morning and 19h in the evening So I add this and it works too   | eval _time=local_time   But the problem I have is that I lost the _time fomat because now the format is in hour minutes How to do for avoid this please?

Hi Splunk Community, I am pretty new to using Splunk for reporting purposes. Below are my use case :   Every month, I am required to generate report to calculate monthly response time for each action report of that is requesting to our service our services.  However, calculating the response time is not straight forward as in the report, we wanted to calculate NetResponseTime, where ResponseTime - MOMDuration (External API call) - EMCDuration (External API call).  By getting the NetResponseTime, this will only contains the internal related processing time. All logs is able to be correlated by cid. Currently, i am able to come up with the query and it is tested working accurately provided the subsearch limit is not reached, however, as the logs are increasing (number of logs/ per month), there is a concern where i noticed the subsearch is auto-finalized and it will be truncating due to some subsearch limits(i.e subsearch only returns 50k rows). Would be helpful if someone is able to provide me some guidance on how can I refractor my query to use multi-search(with proper grouping event from multiple sources and performing computation within each sources) instead of subsearch. Below is the query(it will be quite long): --------------------This is the main search: Get The Response Time for each request------------------------------------------ index=someindex sourcetype= DiagnosticsLog host=DiagServer |eval ActionEnum= if(like(CsUriStem,"%StampTransactions%"),2,if(like(CsUriStem,"%/kiosk/api/Transactions/Stamp%"),2,if(like(CsUriStem,"%/kiosk/api/Transactions/Search/Passport%"),1,if(like(CsUriStem,"%/kiosk/api/Refund/emcpayAccount/%"),3,if(like(CsUriStem,"%/kiosk/api/Refund/emcpayAccountConfirmation%"),4,null()))))) |eval CsUriStem = if(like(CsUriStem,"%/kiosk/api/Refund/emcpayAccount/%"),(mvindex(split(CsUriStem,"/kiosk/api/Refund/emcpayAccount/"),0))+"/kiosk/api/Refund/emcpayAccount/",CsUriStem) |eval DateTime_Unix=strptime(DateTime,"%Y-%m-%d %H:%M:%S.%7N") |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |eval nEnd=relative_time(nEnd,"-8h") |where DateTime_Unix>=nStart AND DateTime_Unix<nEnd |table LogId CsUriQuery CsUriStem DateTime DateTime_Unix SComputerName SPort SiteName TimeTaken TransferTime ActionEnum |join type=left CsUriQuery [search index=someindex sourcetype= DiagnosticsLog host=DiagServer |eval DateTime_Unix=strptime(DateTime,"%Y-%m-%d %H:%M:%S.%7N") |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |eval nEnd=relative_time(nEnd,"-8h") |where DateTime_Unix>=nStart AND DateTime_Unix<nEnd |eventstats values(CsUriQuery) by cid |eval SearchPassportEndDateTime_Unix = if(like(CsUriStem,"%/kiosk/api/Transactions/Search/Passport%"),DateTime_Unix+(TimeTaken/1000),null()) |eval SearchPassportEndDateTime = strftime(SearchPassportEndDateTime_Unix,"%Y-%m-%d %H:%M:%S.%5N") |table CsUriQuery SearchPassportEndDateTime SearchPassportEndDateTime_Unix |where isnotnull(SearchPassportEndDateTime_Unix)] |eval TimeTakenMilli=TimeTaken/1000 |eval TimeTakenNew=if(like(CsUriStem,"%RetrieveTransactions%") AND isnotnull(SearchPassportEndDateTime),if(DateTime_Unix>SearchPassportEndDateTime_Unix,TimeTaken,(DateTime_Unix+TimeTakenMilli-SearchPassportEndDateTime_Unix)*1000),TimeTaken) |table LogId CsUriQuery CsUriStem DateTime SComputerName SPort SiteName TimeTaken TimeTakenNew TransferTime ActionEnum |rename CsUriQuery as cid --------------------This is the main search------------------------------------------ |join type=left cid,ActionEnum --------------------This is the sub search:Computing MOMDuration (External API call)------------------------------------------ [search index=someindex Application=ExternalValidation (host=ValidationServer1 OR host=ValidationServer2) (Event="MomGateway_GetEP_Begin" OR Event="MomGateway_GetEP_End" ) |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |where (Event="MomGateway_GetEP_Begin" OR Event="MomGateway_GetEP_End" ) |rex field=_raw "(?<epdate>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |transaction cid startswith=(Event="MomGateway_GetEP_Begin") endswith=(Event="MomGateway_GetEP_End" ) mvlist=epdate |eval MOM_start_time=mvindex(epdate,0) |eval MOM_end_time=mvindex(epdate,1) |eval MOM_end_timeUnix=strptime(MOM_end_time,"%Y-%m-%d %H:%M:%S.%5N") |eval MOM_start_timeUnix=strptime(MOM_start_time,"%Y-%m-%d %H:%M:%S.%5N") |eval MOM_request_type = "EP" |eval differences = MOM_end_timeUnix-MOM_start_timeUnix |where MOM_start_timeUnix>=nStart AND MOM_start_timeUnix<nEnd |union [search index=someindex Application ="ExternalValidation" (host=ValidationServer1 OR host=ValidationServer2) (Event="MomGateway_GetWP_Begin" OR Event="MomGateway_GetWP_End" ) |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") | where (Event="MomGateway_GetWP_Begin" OR Event="MomGateway_GetWP_End" ) |rex field=_raw "(?<wpdate>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |transaction cid startswith=( Event="MomGateway_GetWP_Begin") endswith=(Event="MomGateway_GetWP_End") mvlist=wpdate |eval MOM_start_time=mvindex(wpdate,0) |eval MOM_end_time=mvindex(wpdate,1) |eval MOM_end_timeUnix=strptime(MOM_end_time,"%Y-%m-%d %H:%M:%S.%5N") |eval MOM_start_timeUnix=strptime(MOM_start_time,"%Y-%m-%d %H:%M:%S.%5N") |eval MOM_request_type = "WP" ```8. Calculate the differences between start/end time for each transactions``` |eval differences = MOM_end_timeUnix-MOM_start_timeUnix |where MOM_start_timeUnix>=nStart AND MOM_start_timeUnix<nEnd ] |sort 0 cid MOM_start_time |streamstats current=f window=0 global=f min(MOM_start_time) as MinTime max(MOM_end_time) as MaxTime min(MOM_start_timeUnix) as MinTimeUnix max(MOM_end_timeUnix) as MaxTimeUnix by cid |eval overlapped=if(MOM_start_timeUnix<= MaxTimeUnix ,1,0) |eval NetMOMDuration=if(overlapped>0,if(MOM_end_timeUnix>MaxTimeUnix,MOM_end_timeUnix-MaxTimeUnix,0),differences) |join type=inner cid [search index=someindex (host=ValidationServer1 OR host=ValidationServer2) (*TransactionsController_SearchByPassport_Begin* OR *TransactionsController_Stamp_Begin* OR *TransactionsController_SearchByPassport_End* OR *TransactionsController_Stamp_End*) |where Application="ApiFacadeKiosk" |rex field=_raw "(?<date>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |eval date_Unix=strptime(date,"%Y-%m-%d %H:%M:%S.%5N") |eval startTime_SearchPassport = if(like(_raw,"%TransactionsController_SearchByPassport_Begin%"),date,null()) |eval startTime_Stamping = if(like(_raw,"%TransactionsController_Stamp_Begin%"),date,null()) |eval endTime_SearchPassport = if(like(_raw,"%TransactionsController_SearchByPassport_End%"),date,null()) |eval endTime_Stamping = if(like(_raw,"%TransactionsController_Stamp_End%"),date,null()) |where date_Unix>=nStart AND date_Unix<nEnd |stats values(startTime_SearchPassport) AS startTime_SearchPassport values(startTime_Stamping) AS startTime_Stamping values(endTime_SearchPassport) AS endTime_SearchPassport values(endTime_Stamping) AS endTime_Stamping by cid ] |eval startTime_Stamping_Filled=if(isnull(startTime_Stamping),null(),strptime(startTime_Stamping,"%Y-%m-%d %H:%M:%S.%5N")) |eval startTime_SearchPassport_Filled=if(isnull(startTime_SearchPassport),null(),strptime(startTime_SearchPassport,"%Y-%m-%d %H:%M:%S.%5N")) |eval endTime_Stamping_Filled=if(isnull(endTime_Stamping),null(),strptime(endTime_Stamping,"%Y-%m-%d %H:%M:%S.%5N")) |eval endTime_SearchPassport_Filled=if(isnull(endTime_SearchPassport),null(),strptime(endTime_SearchPassport,"%Y-%m-%d %H:%M:%S.%5N")) |eval ActionType=if(isnull(startTime_Stamping_Filled),"SearchPassport",if(startTime_Stamping_Filled<MOM_start_timeUnix,"Stamping","SearchPassport")) |eventstats sum(NetMOMDuration) as TotalMOMDurationByAction count(cid) As TotalMOMRequest by cid ActionType |eval ActionEnum= if(like(ActionType,"SearchPassport"),1,2) |table cid TotalMOMDurationByAction ActionType TotalMOMRequest ActionEnum |dedup cid TotalMOMDurationByAction ActionType TotalMOMRequest ActionEnum] --------------------This is the sub search:Computing MOMDuration (External API call)------------------------------------------ |join type=left cid,ActionEnum --------------------This is the sub search:Computing EMCDuration (External API call)------------------------------------------ [search index=someindex Application=RefundControl (host=ValidationServer1 OR host=ValidationServer2) (Event="PostFirstemcpay_Begin" OR Event="PostFirstemcpay_End" ) |where (Event="PostFirstemcpay_Begin" OR Event="PostFirstemcpay_End" ) |rex field=_raw "(?<emcpayfirstdate>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |transaction cid startswith=( Event=PostFirstemcpay_Begin) endswith=(PostFirstemcpay_End) mvlist=emcpayfirstdate |eval emcpay_start_time=mvindex(emcpayfirstdate,0) |eval emcpay_end_time=mvindex(emcpayfirstdate,1) |eval emcpay_end_timeUnix=strptime(emcpay_end_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_start_timeUnix=strptime(emcpay_start_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_request_type = "emcpayAccount" |eval NetemcpayDuration = emcpay_end_timeUnix-emcpay_start_timeUnix |where emcpay_start_timeUnix>=nStart AND emcpay_start_timeUnix<nEnd |sort 0 cid emcpay_start_time |eventstats max(emcpay_start_timeUnix) As Maxemcpay_start_timeUnix by cid |where emcpay_start_timeUnix = Maxemcpay_start_timeUnix |table cid emcpay_start_time emcpay_end_time overlapped NetemcpayDuration emcpay_request_type |union [search index=someindex Application=RefundControl (host=ValidationServer1 OR host=ValidationServer2) (Event="PostSecondemcpay_Begin" OR Event="PostSecondemcpay_End" ) |where (Event="PostSecondemcpay_Begin" OR Event="PostSecondemcpay_End" ) |rex field=_raw "(?<emcpayseconddate>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |transaction cid startswith=( Event=PostSecondemcpay_Begin) endswith=(Event=PostSecondemcpay_End) mvlist=emcpayseconddate |eval emcpay_start_time=mvindex(emcpayseconddate,0) |eval emcpay_end_time=mvindex(emcpayseconddate,1) |eval emcpay_end_timeUnix=strptime(emcpay_end_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_start_timeUnix=strptime(emcpay_start_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_request_type = "emcpayConfirm" |eval NetemcpayDuration = emcpay_end_timeUnix-emcpay_start_timeUnix |where emcpay_start_timeUnix>=nStart AND emcpay_start_timeUnix<nEnd |sort 0 cid emcpay_start_time |eventstats max(emcpay_start_timeUnix) As Maxemcpay_start_timeUnix by cid |where emcpay_start_timeUnix = Maxemcpay_start_timeUnix |table cid emcpay_start_time emcpay_end_time overlapped NetemcpayDuration emcpay_request_type] |union [search index=someindex Application=RefundControl (host=ValidationServer1 OR host=ValidationServer2) (Event="Writeemcpay_Begin" OR Event="Writeemcpay_End" ) |where (Event="NcsWriteGateway_WriteNcsemcpay_Begin" OR Event="NcsWriteGateway_WriteNcsemcpay_End" ) |rex field=_raw "(?<emcpaythirddate>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d+)" |eval nStart=relative_time(now(),"-1mon@mon") |eval nStart=relative_time(nStart,"-8h") |eval nEnd=relative_time(now(),"@mon") |transaction cid startswith=( Event=Writeemcpay_Begin) endswith=(Event=Writeemcpay_End) mvlist=emcpaythirddate |eval emcpay_start_time=mvindex(emcpaythirddate,0) |eval emcpay_end_time=mvindex(emcpaythirddate,1) |eval emcpay_end_timeUnix=strptime(emcpay_end_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_start_timeUnix=strptime(emcpay_start_time,"%Y-%m-%d %H:%M:%S.%5N") |eval emcpay_request_type = "emcpayRefund" |eval NetemcpayDuration = emcpay_end_timeUnix-emcpay_start_timeUnix |where emcpay_start_timeUnix>=nStart AND emcpay_start_timeUnix<nEnd |sort 0 cid emcpay_start_time |eventstats max(emcpay_start_timeUnix) As Maxemcpay_start_timeUnix by cid |where emcpay_start_timeUnix = Maxemcpay_start_timeUnix |table cid emcpay_start_time emcpay_end_time overlapped NetemcpayDuration emcpay_request_type] |eventstats sum(NetemcpayDuration) as TotalemcpayDurationByAction count(cid) As TotalemcpayRequest by cid emcpay_request_type |eval ActionEnum= if(like(emcpay_request_type,"emcpayAccount"),3,if(like(emcpay_request_type,"emcpayConfirm"),4,if(like(emcpay_request_type,"emcpayRefund"),2,null()))) |table cid TotalemcpayDurationByAction emcpay_request_type TotalemcpayRequest ActionEnum |dedup cid TotalemcpayDurationByAction emcpay_request_type TotalemcpayRequest ActionEnum] --------------------This is the sub search:Computing EMCDuration (External API call)------------------------------------------ |eval startTime_Stamping_Filled=if(isnull(startTime_Stamping),null(),strptime(startTime_Stamping,"%Y-%m-%d %H:%M:%S.%5N")) |eval startTime_SearchPassport_Filled=if(isnull(startTime_SearchPassport),null(),strptime(startTime_SearchPassport,"%Y-%m-%d %H:%M:%S.%5N")) |eval endTime_Stamping_Filled=if(isnull(endTime_Stamping),null(),strptime(endTime_Stamping,"%Y-%m-%d %H:%M:%S.%5N")) |eval endTime_SearchPassport_Filled=if(isnull(endTime_SearchPassport),null(),strptime(endTime_SearchPassport,"%Y-%m-%d %H:%M:%S.%5N")) |eval TotalemcpayDurationByAction=if(isnull(TotalemcpayDurationByAction),0,TotalemcpayDurationByAction*1000) |eval TotalMOMDurationByAction=if(isnull(TotalMOMDurationByAction),0,TotalMOMDurationByAction*1000) |eval NetResponseTime = TimeTakenNew-TotalMOMDurationByAction-TotalemcpayDurationByAction |table LogId cid CsUriStem DateTime SComputerName SPort SiteName TimeTaken TimeTakenNew TransferTime ActionType TotalMOMDurationByAction TotalemcpayDurationByAction NetResponseTime

Hi,  I just install a new cluster with 3SH and 3IDX and 1CM. I login to CM from WebUI as admin to change password and create users, roles. Then I try to use the new password to login from SH WebUI as admin, but fail, then I try the old password , succeed. Then I found the users and roles I created on CM WebUI are not list in SH. Do CM and SH manage two different user scheme? I can't find this information in document, can anyone point me the right way? Thanks.