Hi,  I am using following search into Windows EventViewer System logs  that I extracted for testing: index="503461" host="hp-laptop" "Sleep Time"  Log looks like below: Information,4.2.2022 г. 12:55:47,Microsoft-Windows-Power-Troubleshooter,1,None,"The system has returned from a low power state. Sleep Time: ‎2022‎-‎02‎-‎04T10:38:18.391571900Z Wake Time: ‎2022‎-‎02‎-‎04T10:55:46.701556600Z Wake Source: Device -USB Composite Device"     I am trying to calculate the two time stamps into total duration. Can someone help with the search string, thank you

My Query is    index=windows Type=Disk host IN (abc) FileSystem="*" DriveType="*" Name="*" | dedup host, Name | table _time, host, Name | sort host, Name | join type=left host [| search index=perfmon source="Perfmon:CPU" object=Processor collection=CPU counter="% Processor Time" instance=_Total host IN (abc) | convert num(Value) as value num(pctCPU) as value | stats avg(value) as "CPUTrend" max(value) as cpu_utz by host | eval "Max Peak CPU" = round(cpu_utz, 2) | eval "CPUTrend"=round(CPUTrend, 2) | fields - cpu_utz | sort -"Peak CPU" | rename "Max Peak CPU" AS "maxCPUutil" | dedup "maxCPUutil" | table _time, host, "maxCPUutil"] | table host, "maxCPUutil", Name   I have this below output host maxCPUutil Name host                               maxCPUutil       Name abc                                  5.59                       c: abc                                  5.59                       E: abc                                   5.59                       F:   What i want is host                                   maxCPUutil                     Name abc                                          5.59                                     C:                                                                                                  E:                                                                                                  F:

Dear All,  Need your help I have case  to compare transaction data with lookup file, for example i have lookup file account.csv it contain : Name AccountNo Jack 1234 Bobby 4321 Bobby 3214 Donny 7890   and then i have daily transaction like : Name AccountNo Amount Bobby 4321 1000 Jack 1234 500 Donny 7890 500 Bobby 8888 5000 i want to marking this daily transaction base on Name that has no AccountNo in lookup table account.csv the marking can be a note or something else thanks in advance for your help Rahmat

Good morning everyone, for my customer, i have a Splunk deployment as follow: 1 Search head 3 Indexer in cluster 1 Monitoring Console/License Master/Master node I need to integrate our Qualys solution with Splunk, but i'm reading the Technology Add-on should be installed on a forwarder. However, we do not have an Heavy forwarder. Hence, could i install it on an Indexer? Is data replication still available for index qualys? Thanks in advance, Luca

Hello everyone I'm trying to get a list of ip addresses from an internet page and put them after that into a lookup table. My issius is that I can't use mvexpand to put every ip addresses into a single row... here my search: | curl method=get uri=https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt | fields curl_message | rex field=curl_message mode=sed "s/.*#//g" | rex field=curl_message mode=sed "s/DstIP//g" | rex field=curl_message mode=sed "s/^\s+//g" and as results I will get a big block of data in one single row. How can I split these in multiple rows?   Thank you all for the support.

I have JSON that is really an array of values but has been encoded as objects, something like this   { "metrics": { "timers" : { "foo_timer": { "count": 1, "max": 452603, "mean": 452603, "min": 452603 }, "bar_some_other_timer": { "count": 1, "max": 367110, "mean": 367110, "min": 367110 } } } }   I can display this in a table by iterating using foreach, but what I really want to do is search for events where max > 400000, and then display it with the name of the timer - so in above that would match foo_timer.  The names of the timer can be anything and the order is not guaranteed. I've tried all sorts today and keep coming up short.

Hi , I need a help in solving one of the issue, I have a table which is Shown below, I just want to hide the rows with the name consisting of "Raju", also if we export this table to CSV , it should export all the results including the name "Raju" Can any one Please help us to solve this. Thankyou.

I have a Data Model called Web_Events with a root object called Access.  There is a field in Access called 'status_category' with values "client error", "server error", "okay" or "other". I am trying to list the count of events which have 'status_catgory' as "client error" and "server error" hour by hour So I want to generate a table of following format _time client_error_count server_error_count 2022-01-26:17:30:00 <count of client error> <count of server error> 2022-01-26:18:30:00 <count of client error> <count of server error>   Can anyone help me with this? The closest I could achieve was as following:  _time Access.status_category error_count 2022-01-26:17:30:00 server error 2 2022-01-26:18:30:00 client error 6 2022-01-26:18:30:00 server error 7   with help of this query: (status_code is another field which contains values of HTTP status codes) | tstats count(Access.status_code) as error_count from datamodel=Web_Events.Access where Access.status_code!=200 earliest="01/26/2022:00:00:00" latest="02/02/2022:23:59:59" BY Access.status_category _time span=1h | table _time, Access.status_category, error_count | sort _time