Hello, I have 3 rows with numeric data, trying to visualize this in a pie chart. The first value (totalval) is the total value I want to the other values to be a percentage of the total value and so only show the 2 other values (typeA and typeB) type           total --------------------- totalval    4151 typeA       1442 typeB        17 Trying for some hours, i am stuck, any help is appreciated Regards, Harry

Dear Splunk Community, I have the following query. The main query looks for errors in certain log files. If they are found, an list of events is returned. The RUNID is fetched from the events and is used in the JOIN to fetch profiles that are related to the events. Not all events from the main search have a profile. In that case, the result will be all events from the main search with empty profile collumns. I do not wish to see those events. Example: I have 10 events that show errors. 5 of these events have no profile. An event with no profile looks like this: And an event with a profile looks like this: My question is: How do I exclude events with no profiles attached to it? I want to get rid of the entire row if no profile is found. How do I achieve this/ index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/sensors/*/*.log" CTJTD3028E | table _time, errorcode, IP, runid, profile, _raw | rex "(?<errorcode>CTJT\w{6})" | rex field=_raw "(?<runid>\w{16}#)" | eval runid = replace(runid,".$","") | eval _time=strftime(_time,"%d/%m/%Y %H:%M:%S") | rex field=_raw "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "CTJTD3028E(?<_raw>.+)" | rename errorcode AS "Foutcode" | rename _raw AS "Foutmelding" | rename runid AS "RUNID" | rename _time AS "Datum" | dedup Foutcode, IP | join type=left RUNID [ search index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/services/ProcessFlowManager.log" OR source="/opt/IBM/taddm/dist/log/services/ClientProxy.log" "started with profile" myProfileName | rex field=_raw "Discovery\srun,\s(?<RUNID>[^\s]+)\sstarted\swith\sprofile\s(?<profile>[^\s\r]+)" | stats count by profile RUNID | fields profile RUNID] | rename profile AS "Profiel"  

Hi How can I extract duration with below condition? (it is important to check these condition to find correct match) 1)A=A+10 2)B=B FYI: AFAIK stat command is faster than transaction command. I want to extract duration in large dataset. Here is the log: 2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000] 2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999] 2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322] 2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000] expected output: name                                                    duration CUS.AbCD-APP1-12345      1.022 CUS.AbCD-APP1-54321       0.031 Any idea? Thanks

Hello Splunkers, for our email alerts i want a custom footer, but it seems no linebreak works. i already tried \ like it is in the standard footer, \r\n and just pressing enter and shift + enter. If it matters, i use the config explorer for that in Splunk Enterprise 8.2.0. thanks for help

Hi,Splunkers, I have a dashboard with 2 Panels， which share one droplist  input. droplist has  name/values  as  ALL/*,     a/a, b/b, c/c, etc. for panel 1, whatever is selected,      | search  fieldname = $tokename$,  but for panel 2, when ALL/* selected,   |search fieldname = $tokenname$ as panel1, but when other values are selected,  Iwant a  suffix  _CB  to be added at the end, for example, when   a/a selected,   search should be built like |search fieldname=a_CB. thx in advance.   Kevin  

I have been trying to figure out why this doesn't work. |inputlookup ioc_domain.csv | table query | search NOT [inputlookup ioc_domain.csv | table query]   Obviously the above is a useless query but I think the reason it won't work is the same reason my query wont' work which is basically |tstats count where index=dns by PREFIX(query=) PREFIX(srcip=) | rename *= AS * | search NOT [inputlookup ioc_domain.csv | table query] It's not that exactly but close enough. The main part of the search works fine, if I search without the exclusion everything goes as expected. If I try and use a set of values from a field in a lookup table to act as a filter of events not to include it doesn't work no matter what I try. I've tried in the subsearch piping to: | rename field AS search | format], I 've tried just | table field], I've tried using return. Nothing seems to work.  Although it seems to work if the subsearch before any other pipe command, but I'm not interested in that I'm trying to convert some alerts to using tstats and need to be able to scrub against a lookup table. For more info, I'm not using tstats against datasets or datamodels, this is against indexes. Anyone have any ideas