Can you please share the cartToPurchase(%) by productID : purchases/addtocart query?
Hi, how do I get a total of these 3 fields, please?

| stats count(hang_process_name) as "h", count(crash_process_name) as "c", count(web_app_duration_avg_ms) as "w" by name

I tried eval Total=(h+c+w) but it doesn't work. Thanks
Hi All, I would like to calculate active weeks (the count of weeks where there is data). Below is the scenario:

RepoName   Week1   Week2    Week3     Active Weeks
repo1      10      5        7         3
repo2      abc     <data>             2
repo3                       fslkdfs   1

Any help would be highly appreciated.
I am trying to set up a dashboard for IPC trader voice PBX servers and doing integration with Splunk. Wanted to confirm if integration is possib
Hello Team, is my understanding correct that there is no support for RabbitMQ backend detection in Python? I cannot see that information explicitly mentioned in the documentation. If it's not natively supported, is there any way to manually detect such a connection and see it on the flow map? Thanks! L.
I'm a Splunk beginner. I want to know which destination IP addresses are used on my enterprise infra by using firewall logs, and would like to display the dest_ip result for the 1st week, then display only the differences between the 1st and 2nd week, and so on... Can someone help with which query I should use?
I am using Splunk SC4S. I am currently receiving events from a data source that is a WAF through UDP port 514, and they are being indexed to the waf index. I want to receive events from another source called DBF and have them indexed to the index called dbf. How can I do that? Currently I am seeing the events of both the WAF and DBF data sources in the waf index.
Hi Splunkers, below is my sample event:

[2021-02-06 15:30:03] production.INFO: {"uri":"https:\/\/platform.ringcentral.com\/restapi\/v1.0\/account\/5706\/call-log\/SU7GHYajgzUA?view=Simple","id":"SU7GHYaeMpjgzUA","sessionId":"886240004","startTime":"2022-02-04T07:27:31-08:00","duration":36,"type":"Voice","internalType":"TollFreeNumber","direction":"Inbound","action":"Phone Call","result":"Rejected","to":{"phoneNumber":"+18558"},"from":{"name":"EAR NOS","phoneNumber":"+1509","location":"Spokane, WA"},"telephonySessionId":"s-a0d16c80326f9z135c880000"}

1. I have to extract startTime using a query.
2. I have to convert the extracted startTime, which is in GMT, to PST, again using a query.

I want to do 1 and 2 in the same query. How do I do this?
I need the results for this question: What if you wanted to find the top product sold and how many people bought it? Actually, I found this question at the given link: https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchTutorial/Useasubsearch I'm new to Splunk, and I tried various search strings but was not able to find the right one.
Good afternoon, I'm currently working on a dashboard where a "time picker" is needed for usage. My dashboard is tracking all the usage of users. The only issue is that the dashboard is not reflecting the change in the time picker. I believe the time picker is the issue here. Can someone help me with this, please? I've attached what my dashboard looks like. Thank you, AB
We have a team that is sending far too many wasteful logs to us for a specific sourcetype. It's going to take them a while to tune their logging, and I was wondering if there is a way, short of invalidating their token, that I could just deny one specific sourcetype from being ingested.
Data:

SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!"warn=load > 95" "crit=load > 97" "time=120m"!"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%

I just need one of the "8%" values to be extracted as a number so I can see the average over time, for example. Am I correct in thinking regex can do this?
I recently created a summary index to use with some planned dashboards. To generate the summary index I run a report each night with the time range set to Yesterday, using "bucket _time span=day" to summarize each day into one entry, then add it to the summary index. Right now I wish I had more historical data in that summary index, so I'm wondering if it's OK to establish the summary index freshly, perhaps with a timeframe of Last 30 Days or Last 45 Days, then the next day update the report schedule to look just for Yesterday and continue on like that.
Right now I have a syslog server sending me security events. The syslog server is sending the data with TLS encryption. I have the PEM file, so that Splunk can do the three-way handshake and accept my data. My question is, where do I put that .PEM file? Currently my inputs.conf file looks like this:

[tcp-ssl:520]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myCert.pem
sslPassword = PASSWORD

My server.conf file looks like this:

[sslConfig]
enableSplunkdSSL = true
sslPassword = $**************************
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCert.pem

My certificate is stored in C:\Program Files\Splunk\etc\auth\mycerts. What am I missing? Any help is appreciated. Thank you, Marco
I have a dashboard, and some queries in the panels are taking longer than the allowed 60 seconds to complete. They are using stats count, but there are a lot of events to count, so it takes some time. I'm looking at making the queries rely on summary indexes instead in order to speed them up. But in the meantime, users of the dashboard passively get inconsistent results because they aren't aware the query exited before finishing. That is, data is rendered, but it's not clear to the user that it's incomplete data. Is there a way in a dashboard to signal to the user that a panel reached the auto-finalize limit? Right now I can click the "information" icon ("i") and see this error: "The search auto-finalized after it reached its time limit: 60 seconds." But I'd like to detect and surface it, if that's possible. Thanks!
How do I extract everything after the 3rd / from the left in: WinNT://PSAD/johndoe The output should be "johndoe". Thanks in advance for your assistance!
Hi all, I'm trying to send custom metrics to the AppDynamics SaaS controller using the machine agent, following this doc: https://docs.appdynamics.com/21.2/en/infrastructure-visibility/machine-agent/extensions-and-custom-metrics/machine-agent-http-listener

I'm using:
* machineagent-bundle-64bit-linux-22.1.0.3252.zip
* Rocky Linux release 8.4 (Green Obsidian)

my controller.xml

./machine-agent

$ ss -nplut
tcp LISTEN 0 50 *:9999 *:* users:(("java",pid=945853,fd=197))

The port is open, and I get a 204 response when publishing, but nothing shows up in the console. Can anyone help me?
Dear Support, we use X509 certificates provided by our customer's certificate authority in order to use the HTTPS protocol for web pages and to encrypt the communication between instances with TLS 1.2:
- Modification of the file /opt/splunk/etc/system/local/web.conf for the web pages
- Modification of the file /opt/splunk/etc/system/local/server.conf for the encryption of the communication between the instances

If these certificates are expired, can you tell us whether an issue is expected, or whether the solution will still work in a degraded mode, with warning messages indicating that the certificates are expired? Thank you in advance for your answer. BR Malik GHALEB
I have a dataset that looks like (id, foo, bar, user) that I want to show results for on a dashboard. Given an input combination of values for foo and bar, I want to know which ids both
    a) have at least one row that has BOTH of those values; and
    b) have at least one row that has NEITHER of those values,
and then count the number of such ids by user. For example, a search on (foo=A, bar=1) for the data

id    foo  bar  user
1234  A    1    admin
1234  B    2    admin
1234  C    3    other_user
abcd  A    1    admin
abcd  A    2    admin

would count 1234, but not abcd, and return user ids

admin       1
other_user  1

Each search parameter can be a single value or a comma-separated list. Empty values are permitted in up to one field at a time. This is the closest I have been able to get:

index="data" [
    | tstats count where index="data" AND foo IN (A) AND bar IN (1) by id
    | fields id
] AND NOT (foo IN (A) OR bar IN (1))
| fields id, user
| stats dc(id) as ids by user

I believe the query does what I want it to, but unfortunately I am constrained by the hard limit of 10,500 results for subsearches. Is there a way to get the data I want without an intermediate command limiting my results?
Hello, is there a simple way to render the availability rate of a webpage in AppDynamics? I found SAM, which doesn't exist anymore. vincent