Hi, I want to create a correlation alert that will trigger and collect all the events from the same IP within a certain time. I tried "group by", but it does not work. THX
Hi, is it possible to show decimal numbers on a Sankey diagram? E.g. my SPL command produces the number 0.13, but the Sankey diagram just shows 0. Any idea? Thanks
I am trying to filter out null values from the result of stats. The query looks like below.

    index=someindex* some ((somefield1=value1 AND somefield2="value2") AND (somefield1=value3 OR (somefield2=value4 AND somefield1=value5 ) ) ) OR (somefield1=value6)
    | eval someeval=...
    | replace "some*" with "SOME" in somefield1
    | bucket _time span=1d as daytime
    | stats max(eval(if(somefield1=value1,_time,null()))) as val1_time min(eval(if(somefield1=value2,_time,null()))) as val2_time min(eval(if(somefield1=value3 ,_time,null()))) as val3_time by somefield3 somefield4
    | eval recovered_time=if(isNotNull(val2_time),val2_time,val3_time)
    | where isNotNull(val1_time)

But this query also returns results with a null or empty val1_time. What could be the issue in this query? I further pass the result of this query to another stats query, but I am stuck here.
Hi, I am trying to do index-time masking where my data is not in _raw but in a separate field A. For example, field A has the following data:

    "Path=/LoginUser Query=CrmId=ClientABC& ContentItemId=TotalAccess&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE& SessionTime=25368&ReturnUrl=http://www.clientabc.com, Method=GET,IP=209.51.249.195, Content=", ""

I have applied transforms rules as below:

    [session-anonymizer]
    SOURCE_KEY = field:A
    REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
    FORMAT = $1SessionId=########$2
    DEST_KEY = field:A

The problem is that when we give DEST_KEY as _raw it is masked properly, but I need the masked data back in field A. How do we get this masked into field:A? I have also tried adding:

    [accepted_keys]
    is_valid = field:A
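The following Python is an added example, not code from the post above or from Splunk. It replays the REGEX/FORMAT pair of the posted [session-anonymizer] stanza against a constructed copy of the field A value, so the masking behaviour can be checked outside Splunk before touching transforms.conf. Splunk's `$1`/`$2` back-references are written as `\1`/`\2` for Python's `re.sub`; the helper names and the sample string are the example's own.

```python
import re
from typing import Optional

# REGEX copied from the posted [session-anonymizer] stanza.
SESSION_REGEX = re.compile(r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$')
# Splunk FORMAT "$1SessionId=########$2", written with Python back-references.
SESSION_FORMAT = r"\1SessionId=########\2"

# Constructed sample modelled on the field A value in the post (not real data).
SAMPLE_FIELD_A = (
    "Path=/LoginUser Query=CrmId=ClientABC&ContentItemId=TotalAccess"
    "&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE"
    "&SessionTime=25368&ReturnUrl=http://www.clientabc.com,"
    " Method=GET,IP=209.51.249.195, Content="
)


def mask_session_id(field_value: str) -> str:
    """Apply the REGEX/FORMAT rewrite the same way the transform would on field A."""
    return SESSION_REGEX.sub(SESSION_FORMAT, field_value)


def extract_param(field_value: str, name: str) -> Optional[str]:
    """Return one query parameter's value (up to the next '&', '"', ',' or whitespace)."""
    m = re.search(rf'{re.escape(name)}=([^&",\s]*)', field_value)
    return m.group(1) if m else None


def masking_report(field_value: str) -> dict:
    """Summarise what the rule changed and what it left in the clear."""
    masked = mask_session_id(field_value)
    return {
        "masked": masked,
        # The regex keeps the last four characters of the SessionId visible.
        "session_id_after": extract_param(masked, "SessionId"),
        # Ticket= is not matched by this rule, so its value is untouched.
        "ticket_after": extract_param(masked, "Ticket"),
        "session_id_changed": extract_param(field_value, "SessionId")
        != extract_param(masked, "SessionId"),
    }


if __name__ == "__main__":
    report = masking_report(SAMPLE_FIELD_A)
    print(report["masked"])
    print("SessionId ->", report["session_id_after"])
    print("Ticket    ->", report["ticket_after"], "(not covered by this rule)")
```

Two things the replay makes visible: the `\w+` followed by `\w{4}` requires at least five word characters, so a SessionId of four characters or fewer is left unmasked, and the adjacent Ticket value is never touched, so a second rule is needed if it is also considered sensitive.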
Hi, how can I hide the "code" column from the output of the lookup command?

    .... | lookup myfile.csv code OUTPUT description

FYI: I have some stats before the lookup, so I don't want to use the "table" command. Any idea? Thanks,
Is there a way to set permissions for MLTK model files in the local.meta file?
Hi! Thanks for your help. I have a question. All of this is in Dashboard Studio. I need to add a digital clock (hh:mm:ss) to the dashboard that looks nice and shows me the time in real time. Also, the dashboard is updated every minute, and we need to show the time (hh:mm:ss) it was updated in another panel (we don't want to use the ShowLastUpdated code). Regards!
Hi, I have a radio button with 3 choice values. When any of the radio buttons is clicked or hovered, it should show me a message. Can you please help me with the code? Example: when "TR Details" is hovered/clicked it should show the message 'TR', and similarly when "TR DUE" is hovered/clicked it should show the message 'DUE'. Below is my radio button code:

    <input type="radio" id="landscape" token="TR">
      <label>Landscape</label>
      <choice value="TR Details">TR Details</choice>
      <choice value="TR DUE">TR DUE</choice>
      <change>
        <condition label="TR Details">
          <set token="TR view">TR view</set>
          <unset token="TR DUE">TR DUE</unset>
        </condition>
        <condition label="TR DUE">
          <set token="TR DUE">TR DUE</set>
          <unset token="TR view">TR view</unset>
        </condition>
      </change>
    </input>
I have about 10 indexers in a cluster. For some reason my "master node" turned off, and when it turned on, my data had disappeared. There were 18 million events, and it became 9 million. For what reason could this happen? I can't find anything in the logs. HELP PLS
Need help with the below. The sourcetypes have different values in them, like below:

    index=a sourcetype=b
    | eval details=1
    | append [|search index=c sourcetype=d | eval details=2]
    | append [|search index=e sourcetype=f | eval details=3]
    | eventstats count by details
    | Pass%=count(pass)/total*100,2 Fail%=count(fail)/total*100,2 Error%=count(Error)/total*100,2
    | table pass fail error total

I have a bar chart with details on the x-axis and % (pass%, fail%, error%) on the y-axis. When I click the details (x-axis) in the bar chart, the single value should show the number of individual pass, fail and error in a trellis. Please let me know how this can be achieved.
Hello All, wondering if anyone can help? I am currently looking at RBA and adding a multiplier to any users that are leaving. At first glance, I was wondering whether to look at risk_object_endDate=*, but am now wondering how the lookup for identity works and if I can be clever and add a category "leaver" to the user (or a risk_object_identity_tag that index=risk will pick up). From some research I think the identity lookup is being run by many searches, but mainly from ldapsearch. Does this mean it is picking up categories from LDAP? Not sure how to check what the lookup is running to fill its contents. Any help/guidance would be great! Thank you, J.
I have read the explanation of the mrsparkle dir via Solved: So I get the obvious Simpsons reference but what a... - Splunk Community, but I am seeing a lot of instances of failed connections from the indexer to the search head via port 8000, trying to initiate a connection with it. Firstly, should this be trying to connect from the indexer to the search head, and if so, is it still valid that this is required? Then, why would that be failing if there are already connections from the indexer to the search head via 8000?
Hello everyone, I have tons of DNS queries in my enterprise on commercial legit domains (e.g. partnerweb.vmware.com, login.live.com) which I don't want to log with Splunk Stream. My configuration is as follows, but apparently it doesn't work:

app: Splunk_TA_stream_wire_data

props.conf

    [streamfwd://streamfwd]
    TRANSFORMS-blacklist-vmwarecom = vmware.com

transforms.conf

    [vmware.com]
    REGEX=query\=partnerweb\.vmware\.com
    DEST_KEY=queue
    FORMAT=nullQueue

Any help would be appreciated. Kind regards, Chris
Hi, when I launch a dashboard, I randomly get the message below: "Waiting for the task to start in the queue." What does it mean and how do I avoid it, please? Rgds
Hi All, I need your help in creating a cron expression for an alert schedule. I need to schedule an alert from Monday 02:00 to Saturday 00:30. If any other information is required, please let me know. Any help will be highly appreciated. Thanks in advance.
Hi, how do I call an external URL from a Splunk search and read the JSON results obtained from it in Splunk? Basically, I want to hit the URL, and the results obtained by hitting the URL are in JSON format. I then need to read this JSON result in Splunk.
Hi All, we would like to know about an alternative solution to the website monitoring app in Splunkbase. Could someone please let us know if there is an alternate way to monitor website availability in Splunk? Thanks!
Hi all, I am uploading a CSV which has two columns, Status and Flag. I am having an issue where the Flag field is being populated with the value set in the Status field even when Flag is blank, i.e. if Status is O and Flag is blank, then Flag is being populated with O as well. Can you help?
We are running an integration with the Azure app TA-MS-AAD, sourcetype azure:eventhub, and are getting the RoleAssignment as an ID only from the activity logs. What is the best way to import the RoleAssignment display name?
I currently have multiple entries in the VALUES column for each host. The table currently looks like:

    hostname   VALUES
    HOST1      ENV1 APP1 LOC1
    HOST2      ENV2 APP2 LOC2

I would like the table to read as:

    hostname   ENV    APP    LOC
    HOST1      ENV1   APP1   LOC1
    HOST2      ENV2   APP2   LOC2

I am essentially trying to transpose the column "VALUES" and create 3 separate columns with the custom headings "ENV", "APP" and "LOC".