HI Experts , I want to rigger an alert based on below scenario 1) Get license utilization in GB for yesterday and day before yesterday . 2) Show difference in GB and if the difference is increased by 40GB then trigger an alert Something like below , I want to trigger alert only for line 2 that is for database index_name yesterday day_before_yesterday diff application 20GB 10GB 10GB database 30GB 70GB 40GB security 40GB 20GB 20GB

Hello, Our test environment uses production LM and we never had any compatibility issue upgrading first test nodes : 6.2.3 > 6.5.2 6.5.2 > 7.1.4 7.1.4 > 7.3.4 We plan to upgrade 7.3.4 to 8.2.2, any possible issue? In fact https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Configurealicensemaster rather looks best practice and not a requirement. Thanks    

hello I need to display 0 in a single panel if there is no results I tried the 2 solutions below but it doesnt works how to do this please?   | stats avg(Response) | eval Response=if(Response="0","0",Response) | stats avg(Response) | eval Response=if(Response="","0",Response)  

I have my splunk Jason in below format   { [-] delete_me: True vendor: Dbruzy name: Rahul date: [ [-] 10-jan-2022 30-dec-2022 ] count_target: [ [-] 1700 300 ] site: India type: Sales }       I am looking for a query to get output like this: Vendor Name Date Count_Target Site Type Dbruzy Rahul 10-jan-2022 1700 India Sales Dbruzy Rahul 30-dec-2022 300 India Sales   But I am getting as below: Vendor Name Date Count_Target Site Type Dbruzy Rahul 10-jan-2022 30-dec-2022 1700 300 India Sales Dbruzy Rahul 10-jan-2022 30-dec-2022 1700 300 India Sales   Query I am using:     my index | rename count_target{} as target | rename Date{} as voltage | spath input=voltage path=voltage output=someOtherField | spath input=someOtherField | foreach voltage* [ eval voltage=mvappend(voltage, '<<FIELD>>')] | spath input=target path=target output=someOtherField1 | spath input=someOtherField1 | foreach target* [ eval target=mvappend(target, '<<FIELD>>')] | mvexpand target| mvexpand voltage | stats values(voltage) as Date values(target) as Count_Target by Vendor, Name,Site,Type     Can you please help?

Newbie here...! I have a list of IP's in a CSV from which I need to exclude few IP's (IP1, IP2, IP3, etc.,) from the results of a query. Here's how my search looks. Example search:  base search | join type=left ip [| inputlookup iplist.csv |fields ip] |fields Any help would be appreciated. Thanks

Hi, I'm having trouble with a regex field extraction. I'm looking to extract the numeric ID after the "x-client-id" key: .........pp_code":["{IVR-US}. CPC"],"x-client-id":["1234567890"],"x-requested-with":["DA_ONLINE_IV............ This is how that field appears in the event string. This (client-id) is the only field I need in the entire string. The quotes are throwing off all of my normal regex formats. Any help would be super appreciated.

Hi - I have a few dashboards that use expressions like eval var=ifnull(x,"true","false") ...which assigns "true" or "false" to var depending on x being NULL Those dashboards still work, but I notice that ifnull() does not show up in any of the current documentation, and it seems the current way to get the same result would be eval var=if(isnull(x),"true","false") Did I miss some kind of deprecation of that syntax ages ago (must have been before 6.3.0), and it just happens to still be parsed?

Hi guys, Does anyone have any advice on what would be a good search to carry out on local performance data. I am trying to create some sort of dashboard that shows the performance of my local machine and not sure what I could be searching for to put in the dashboard. If anyone has any advice on what I could search for please let me know.   Thank You