I have two charts that work as expected when separate, but I'm having  a hard time combining them into one chart as they have different search criteria (but from the same index/source) so search2 ends up being wrong when using the criteria from search 1.  I tried combining using the chart overlays but I couldn't get it to work.  Any pointers would be very much appreciated! search 1 - last 30 days     index=foo source=bar criticality=high state=open | bin _time span=1d | stats count AS warnings by _time     search 2 - last 30 days     index=foo source=bar | bin _time span=1d | stats dc(accountId) AS Accounts by _time      

I've been working with Splunk for many years and have always made changes via the .conf files.  However, I recently added the /var/logs directory by using ./splunk add monitor /var/log -index main -sourcetype linux It's working, but I want to modify it a bit.  However, I have been pulling my hair out trying to figure out which inputs.conf file was modified with the command. Any assistance appreciated. Tim

Hi Splunkers,   I have prepared a regex extraction using regex101 site, and now trying to extract "Failure Reason" as per below log but for some reason fails.   Where is the catch? Should be pretty simple but I am out of ideas now.   Search:     | from datamodel:"Authentication"."Insecure_Authentication" | search "*Failure*" | rex "Failure\sReason:\t\t(?<Failure_Reason>.*)\n"     Log:   ComputerName=ot.mydomain.com TaskCategory=Logon OpCode=Info RecordNumber=41462650 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: usergeorge$ Account Domain: dm Logon ID: 0x3E7 Logon Type: 8 Account For Which Logon Failed: Security ID: NULL SID Account Name: george1$ Account Domain: mydomain.com Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x2t20     Regards, vagnet

I'd like to add a percentage into the following panel:  I've added severity since I just want to see it for critical and high severity. now I'd like to define an sla value of , let's say 2 hours, and then want a percentage of each rules percentage of it's count breached.  so in other words:  in this statistic I want to have an additional field that tells me the percentage of how many of the counted events for those rules have a longer max time to triage than 2h.    rule 1 count 20 (10 breached over 2h sla) -> a field that tells me 50%    I can't seem to find a good way to get a percentage in. here is the whole SPL (from ES mostly):  | tstats summariesonly=true allow_old_summaries=false earliest(_time) as _time FROM datamodel=Incident_Management BY source, "Notable_Events_Meta.rule_id" | rename "Notable_Events_Meta.*" as "*" | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW annotations, security_domain, severity, rule_name, description as savedsearch_description, rule_title, rule_description, drilldown_name, drilldown_search, drilldown_earliest_offset, drilldown_latest_offset, default_status, default_owner, next_steps, investigation_profiles, extract_artifacts, recommended_actions | eval rule_name=if(isnull(rule_name),source,rule_name), rule_title=if(isnull(rule_title),rule_name,rule_title), drilldown_earliest=case(isint(drilldown_earliest_offset),('_time' - drilldown_earliest_offset),(drilldown_earliest_offset == "$info_min_time$"),info_min_time,true(),null()), drilldown_latest=case(isint(drilldown_latest_offset),('_time' + drilldown_latest_offset),(drilldown_latest_offset == "$info_max_time$"),info_max_time,true(),null()), security_domain=if(isnull(security_domain),"threat",lower(security_domain)), rule_description=case(isnotnull(rule_description),rule_description,isnotnull(savedsearch_description),savedsearch_description,true(),"unknown") | eval governance_lookup_type="default" | lookup update=true governance_lookup savedsearch as source, lookup_type as governance_lookup_type OUTPUT governance, control | eval governance_lookup_type="tag" | lookup update=true governance_lookup savedsearch as source, tag, lookup_type as governance_lookup_type OUTPUT governance as governance_tag, control as control_tag | eval governance=mvappend(governance,NULL,governance_tag), control=mvappend(control,NULL,control_tag) | fields - governance_lookup_type, governance_tag, control_tag | join rule_id [| inputlookup incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id] | eval ttt=(review_time - '_time') | stats count,values(severity) as severity avg(ttt) as avg_ttt,min(ttt) as min_ttt,max(ttt) as max_ttt by rule_name | search severity=high OR severity=critical | `uptime2string(avg_ttt, avg_ttt)` | `uptime2string(max_ttt, max_ttt)` | `uptime2string(min_ttt, min_ttt)` | sort severity -avg_ttt | rename "*_ttt*" as "*(time_to_triage)*" | fields - "*_dec"