All Topics

Hi Team, We are trying to build a dashboard for the Azure PIM logs in Splunk to visualize who is elevating their admin roles in Azure, what activities they are performing, and how often they require the role. Unfortunately we are not able to filter the action in Splunk. In the operations list we couldn't identify anything related to PIM. Please help with the search:

index=client* sourcetype="o365:management:activity" Workload=AzureActiveDirectory action

Regards, Sai
Hi, I have the code below; however, as I grow the number of lines I am giving to map, it is getting very slow. Is there any way to run map in parallel?

| map maxsearches=21 search="| savedsearch "$ALERT$" host_token=PDT SERVICE_EARLIEST_TIME=1643954400 time_token.earliest=1644213600 time_token.latest=1644268200 Threshold=$Threshold$ | appendcols [ | makeresults | eval Order="$Order$",Threshold=$Threshold$ | fillnull count ] | table ALERT count Order Threshold "

Thanks in advance, Rob
My query is:

index=windows Type=Disk host IN (abc) FileSystem="*" DriveType="*" Name="*"
| dedup host, Name
| table _time, host, Name
| sort host, Name
| join type=left host [
    | search index=perfmon source="Perfmon:CPU" object=Processor collection=CPU counter="% Processor Time" instance=_Total host IN (abc)
    | convert num(Value) as value num(pctCPU) as value
    | stats avg(value) as "CPUTrend" max(value) as cpu_utz by host
    | eval "Max Peak CPU" = round(cpu_utz, 2)
    | eval "CPUTrend"=round(CPUTrend, 2)
    | fields - cpu_utz
    | sort -"Peak CPU"
    | rename "Max Peak CPU" AS "maxCPUutil"
    | dedup "maxCPUutil"
    | table _time, host, "maxCPUutil"]
| table host, "maxCPUutil", Name

I have this output:

host maxCPUutil Name
abc 5.59 c:
abc 5.59 E:
abc 5.59 F:

What I want is for my result to have multiple hosts, not a single host. The output should be:

1. abc 35.16 C:
2.
3. E:
4. def 45.56 C:
5. I:
6. J

Please help me remove the repeated values for the drive letter. I need it only once for a single host.
Hi people! We've noticed that our VictorOps/Splunk On-Call mobile app asks to log in again from time to time. Question: if the app asks me to re-log in and an incident happens before I do it, will my mobile app receive a push notification for the incident? Or will I have to log in first to receive further notifications? Thanks in advance!
I have already successfully set up the AppDynamics app server agent on seven application servers of my WebSphere Network Deployment environment. Unfortunately, on the last server I could not successfully finish the setup. If I set the following parameter on my JVM:

-javaagent:/opt/IBM/AppAgents/AppServerAgent/javaagent.jar -Dappdynamics.agent.tierName=<placeholder> -Dappdynamics.agent.nodeName=<placeholder>

I see the following error in the log of the app server agent:

[AD Agent init] 09 Feb 2022 16:11:21,251 INFO ConfigurationChannel - Container id retrieval enabled: true
[AD Agent init] 09 Feb 2022 16:11:21,252 WARN ConfigurationChannel - Unable to use /proc/self/cgroup for unique hostname, could not locate container ID
[AD Agent init] 09 Feb 2022 16:11:21,252 INFO ConfigurationChannel - Agent node meta-info thus far: ProcessID;111140;appdynamics.ip.addresses;21.0.11.44,21.1.11.44;appdynamicsHostName;xxxx
[AD Agent init] 09 Feb 2022 16:11:21,252 INFO ConfigurationChannel - Detected node meta info: [Name:ProcessID, Value:111140, Name:appdynamics.ip.addresses, Value:xxxx,xxxx, Name:appdynamicsHostName, Value:xxxx, Name:supportsDevMode, Value:true]
[AD Agent init] 09 Feb 2022 16:11:21,252 INFO ConfigurationChannel - Sending Registration request with: Application Name [xxxx], Tier Name [xxxx], Node Name [xxxx], Host Name [xxxx] Node Unique Local ID [xxxx], Version [Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
[AD Agent init] 09 Feb 2022 16:11:21,309 WARN AgentErrorProcessor - Agent error occurred, [name,transformId]=[com.singularity.XMLConfigManager - javax.xml.parsers.FactoryConfigurationError,2147483647]
[AD Agent init] 09 Feb 2022 16:11:21,309 WARN AgentErrorProcessor - 4 instance(s) remaining before error log is silenced
[AD Agent init] 09 Feb 2022 16:11:21,309 WARN XMLConfigManager - Error refreshing agent configuration
javax.xml.parsers.FactoryConfigurationError: Provider javax.xml.parsers.DocumentBuilderFactory could not be instantiated: java.util.ServiceConfigurationError: javax.xml.parsers.DocumentBuilderFactory: Provider org.apache.xerces.jaxp.DocumentBuilderFactoryImpl not a subtype
	at javax.xml.parsers.DocumentBuilderFactory.newInstance(Unknown Source) ~[?:?]
	at java.util.prefs.XmlSupport.loadPrefsDoc(XmlSupport.java:252) ~[?:1.8.0]
	at java.util.prefs.XmlSupport.importMap(XmlSupport.java:388) ~[?:1.8.0]
	at java.util.prefs.FileSystemPreferences$6.run(FileSystemPreferences.java:598) ~[?:1.8.0]
	at java.util.prefs.FileSystemPreferences$6.run(FileSystemPreferences.java:591) ~[?:1.8.0]
	at java.security.AccessController.doPrivileged(AccessController.java:734) ~[?:1.8.0]
	at java.util.prefs.FileSystemPreferences.loadCache(FileSystemPreferences.java:590) ~[?:1.8.0]
	at java.util.prefs.FileSystemPreferences.initCacheIfNecessary(FileSystemPreferences.java:573) ~[?:1.8.0]
	at java.util.prefs.FileSystemPreferences.getSpi(FileSystemPreferences.java:550) ~[?:1.8.0]
	at java.util.prefs.AbstractPreferences.get(AbstractPreferences.java:298) ~[?:1.8.0]
	at com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl.<init>(IBMPKCS11Impl.java:464) ~[ibmpkcs11impl.jar:8.0 build_8.0-20200224-2]
	at java.lang.J9VMInternals.newInstanceImpl(Native Method) ~[?:2.9 (06-01-2020)]
	at java.lang.Class.newInstance(Class.java:1852) ~[?:2.9 (06-01-2020)]
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:233) ~[?:1.8.0]
	at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:218) ~[?:1.8.0]
	at java.security.AccessController.doPrivileged(AccessController.java:678) ~[?:1.8.0]
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:218) ~[?:1.8.0]
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:199) ~[?:1.8.0]
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:245) ~[?:1.8.0]
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:275) ~[?:1.8.0]
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:259) ~[?:1.8.0]
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:265) ~[?:1.8.0]
	at java.security.Security.getProvider(Security.java:479) ~[?:1.8.0]
	at com.ibm.jsse2.ac.<clinit>(ac.java:159) ~[?:8.0 build_20200327--103]
	at com.ibm.jsse2.ag.<init>(ag.java:18) ~[?:8.0 build_20200327--103]
	at com.ibm.jsse2.ag.<init>(ag.java:111) ~[?:8.0 build_20200327--103]
	at com.ibm.jsse2.av.a(av.java:87) ~[?:8.0 build_20200327--103]
	at com.ibm.jsse2.av.<init>(av.java:636) ~[?:8.0 build_20200327--103]
	at com.ibm.jsse2.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:2) ~[?:8.0 build_20200327--103]
	at com.singularity.ee.util.httpclient.EasySSLProtocolSocketFactory.createLayeredSocket(EasySSLProtocolSocketFactory.java:135) ~[appagent.jar:?]
	at com.singularity.ee.util.httpclient.EasySSLProtocolSocketFactory.connectSocket(EasySSLProtocolSocketFactory.java:193) ~[appagent.jar:?]
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
	at com.singularity.ee.util.httpclient.SimpleHttpClientWrapper.executeHttpOperation(SimpleHttpClientWrapper.java:302) ~[appagent.jar:?]
	at com.singularity.ee.util.httpclient.SimpleHttpClientWrapper.executeHttpOperation(SimpleHttpClientWrapper.java:217) ~[appagent.jar:?]
	at com.singularity.ee.rest.RESTRequest.sendRequestTracked(RESTRequest.java:384) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.rest.RESTRequest.sendRequest(RESTRequest.java:337) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.rest.controller.request.AControllerRequest.sendRequest(AControllerRequest.java:130) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.rest.controller.request.ABinaryControllerRequest.sendRequest(ABinaryControllerRequest.java:36) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.registerApplicationServer(ConfigurationChannel.java:1436) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.access$100(ConfigurationChannel.java:121) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel$UnregisteredConfigurationState.nextTransition(ConfigurationChannel.java:784) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.ConfigurationChannel.refreshConfiguration(ConfigurationChannel.java:554) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.XMLConfigManager$AgentConfigurationRefreshTask.run(XMLConfigManager.java:656) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.config.xml.XMLConfigManager.initialize(XMLConfigManager.java:332) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.AgentKernel.start(AgentKernel.java:166) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:451) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:346) ~[appagent.jar:Server Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) ~[?:1.8.0]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) ~[?:1.8.0]
	at java.lang.reflect.Method.invoke(Method.java:508) ~[?:1.8.0]
	at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:655) ~[?:Server IBM Agent #21.11.3.33314 v21.11.3 GA compatible with 4.4.1.0 r1f94344f9fd88fc14fe39a33494b03e4bb555a6d release/21.11.0]

Due to this error the agent could not register successfully at the controller. Does anyone have an idea how to solve this problem? Is this problem maybe related to the security provider com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl, which is listed in the file java.security of the JDK on this server? On the other servers, which I could successfully register at the controller, this security provider is not listed in the java.security file. But maybe the cause of the problem is not related to this security provider.
Are there any logs maintained by the Splunk Universal Forwarder in case of log processing failures? I would like to set up an alert and dashboard for the log processing failures that occur while the Universal Forwarder tries to forward logs to my indexer. I need this for compliance purposes. I checked out the URL https://docs.splunk.com/Documentation/Splunk/8.2.4/Troubleshooting/WhatSplunklogsaboutitself and thought splunkd_stderr.log on my servers would do the trick. But when I checked the corresponding logs, I could see only start and stop messages. Can someone provide me the keyword search and the filename for log processing failures in the Splunk Universal Forwarder?
Hi, We have installed the Splunk universal forwarder on a remote server but logs are not getting forwarded to the indexer. I have tried to troubleshoot this issue but could not do so. Can you please help me to get rid of this issue? Below are the steps I have tried so far.

The remote server is communicating with the indexer:

root@host1:/opt/splunkforwarder/etc/system/local# telnet host2 9997
Trying 10.20.30.40...
Connected to host2
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Below is the content of outputs.conf:

root@host1:/opt/splunkforwarder/etc/system/local# cat outputs.conf
[tcpout]
defaultGroup = splunk
[tcpout:splunk]
server = host2.ce.corp:9997

Below is the content of inputs.conf:

root@host1:/opt/splunkforwarder/etc/system/local# cat inputs.conf
[default]
host = host1
[monitor:///var/log/messages]
disabled = false
sourcetype = web_haprx
index = webmethods_haprx

Ran ./splunk list forward-server:

root@host1:/opt/splunkforwarder/bin# ./splunk list forward-server
Your session is invalid. Please login.
Splunk username: admin
Password:
Active forwards:
host2:9997
Configured but inactive forwards:
None

Port 9997 is enabled on the receiver. Also I did check splunk.log to see any error but no luck. Can you please help me to fix this issue?

Regards, Rahul Gupta
Greetings!!!! Dear All, I really need your help and guidance. I want to create a test environment that is similar to the live production. What I want to have in the test environment: in my production, I have 7 servers (one for the Search Head, a second for Search Head management (a Splunk instance), and the other 5 remaining are the indexers), AND I WANT TO HAVE THE SAME IN THE TEST ENVIRONMENT. I have read the Splunk documentation, but it does not guide me well. I want your help and advice on how to create this???? So far I have downloaded VirtualBox and CentOS 7. Kindly help me and guide me: what requirements do I need to have so that I can create this test environment the same as the production one? What Splunk Enterprise software will I use: is it the free 60-day one, or will I have to take a copy of the one I used in production and use it in the test env? I'm lost; kindly help how I can have this distribution in the environment, what I must have to successfully create this test environment the same as the production one I mentioned above and have ALL those components in the test environment. Thank you in advance.
Hello peeps, Does anyone know a better accelerator command that can help to correlate data? I'm trying to correlate proxy server logs and AD logs. Please see my base search:

(index=proxy OR index=ad) src_ip!="-" | transaction src_ip | eval MB=round(((bytes_in+bytes_out)/1024/1024),2) | stats sum(MB) as "Bandwidth", values(WorkstationName) as Hostname by src_ip | sort 10 - Bandwidth | rename src_ip as "Source IP"

Please help me to sort out this issue. Thank you.
Hi, I have installed the universal forwarder in a cloud instance (Linux), then I installed Splunk Enterprise on my local machine (laptop), which is running Windows 10. I want to forward logs from the Linux machine to my laptop's Splunk indexer. The problem is, what server IP should I give in the Linux universal forwarder's etc/system/local/outputs.conf?

[tcpout:example]
server=?????

I tried giving my IP ***.***.**.***:9997, but there is no use. On my laptop, Splunk is running at localhost:8000. Please help me with this. Thanks.
Hi all, I have a table called active_services.csv. One of the fields is called Report_Date; the date value is in the following format: 20220124. The CSV file is automatically updated weekly but sometimes fails and requires manual intervention. I need help with a query so I can set up an alert to notify me when the report date value is older than X days. Please help. Thank you for your help in advance.
Hello Splunkers! I used the | delete command to delete the data, but to my knowledge, the actual data is still in the storage. Therefore, is it possible to delete the actual data that I deleted in search?? Thank you in advance. 🥸
How would I find more than one sAMAccountName? I have tried the boolean operators AND (&) and OR (|) to no avail. Currently only one works.

| ldapsearch domain=xxxx basedn="DC=xxxx,DC=xxxx" search="(&(objectClass=user)(sAMAccountName=specificuser))"
Hi all, I am struggling a bit with incorporating a lookup into my searches. I have a lookup file that is a single column of IP addresses with a header of TORIP. It should be a pretty basic search, index=* src_ip=*, followed by the lookup. I added the lookup file and lookup definition, but when I run a search it fails, saying the lookup table doesn't exist.
Hi. I've got a search looking for times and dates with "index=main host=web1 "/blarg=foo" | table _time". How can I use the results to search with "index=main host=app1 blarg" during the times from the first search?
What is the best way to trim a timestamp formatted like 2022-01-06 01:51:23 UTC so that it only reflects the date and hour, like this: 2022-01-06 01? I need to be able to search for events by just the date and hour.
I use the following in the Simple XML for the dashboard to define an icon to display on my dashboard:

eval coldImg = "/weatherAssets/apps/ics_analysis/lowTemp.png"

Here is the path for the image: /opt/splunk/etc/apps/ics_analysis/weatherAssets/lowTemp.png where ics_analysis is the name of the app and weatherAssets is the folder for the icons. It used to display when I had the following:

eval coldImg = "https://image.flaticon.com/icons/png/512/1312/1312331.png"

but now it only shows a broken image icon. What could be wrong? How can I debug the problem? It's frustrating that I don't know how to find out the error message for the issue. Do I have to restart the Splunk server, or bump my dashboard? (I just did reload the web page.) Thanks for your help!
I am looking for the 6.5 x86 release of Splunk. It is no longer listed under the older downloads. Can anyone help?
Is there any step-by-step guide to set up a Splunk home lab? I am trying to learn and don't know where to start.
Hello, I want to calculate a ratio between two fields (I know it is supposed to be an easy one, but it looks like I'm missing something). I want to count all the Totals, then check where Total > 200 as latency and count those. After I have both of them I want to check if the ratio between them is > 0.3.

sourcetype="*user-program*" | rename AdditionalData.Total as Total | eval Latency=if(Total>200,Total,null()) | eval Ratio = Total/Latency

This one returns no results.