I have a simple accelerated report that looks like this:   index=hosts | stats count by hostname ip   I now want to dashboard that but use a timechart. However, timechart doesn't work because _time wasn't included in the stats count by section. index=hosts | stats count by hostname ip | timechart span=1d count I can't just add _time to the stats section in the accelerated report because it increase the amount of rows 1000x fold. I assume creating the accelerated report with timechart will cause the same 1000x issue. So is there a way around this with accelerated reports that won't cause my accelerated summary to grow 1000x? How an I access the _time? I'm feeling like it's not possible and that this is a better scenario for traditional summary indexing. Am I wrong?

Hi Everyone, Any help would be appreciated. We have 4 Splunk instances that work together in tandem. All four servers are Virtual Machines running Red Hat Enterprise Linux 8 Splunk Enterprise 8.2.2. VCenter is 6.7 with 4 ESXI Host each running 6.7 as well.   The Four Splunk VMs are running very high CPU capacity at all times: 45.8 GHz 83.44 GHz 45.6 GHz 83.82 GHz   It is basically running our ESXi Hosts to full capacity. I logged onto each server and ran the top -i command and each server states very low CPU usage. Does anyone have any recommendations? Any help would be greatly appreciated.   Thank you,

If my index rolls off data at 30 days, and I run an accelerated report every day to build a summary for that day, will the summary have data going back a year eventually? Or is it limited to 30 days because of my index setting?

I have a index with thousands of operating systems (OS).  I want to remove unwanted operating systems (OS) from my report using wild cards as many of the unwanted share the same value as part of the OS. Here is what I'm trying to do: earliest=-15d@d index="asset" sourcetype="Tenable:SecurityCenter:Asset" WHERE operating_system NOT "[APC*" OR "[AIX*" | stats count by operating_system I want to remove OS that have APC or AIX ( and others not listed) from the query.  But I can't use a wildcard which would mean hundreds of entries just for APC and all the versions I want to exclude.  I've tried NOT IN, NOT LIKE, != and more but either nothing is returned or what I want filtered out is not filtered and all events are returned.  Suggestions?

hello I dont succeed to sort the events by time the format time field is for example :   1632218561 what is wrong please?     index="tutu" sourcetype="toto" | search statustext=TimedOut | sort - time | eval time = strftime(_time, "%d-%m-%y %H:%M") | stats last(time) as Heure, last(statustext) as statustext by desktop      

Hello, I'm building some dashboard statistics from telecom data. I have a data source as follows  : _time OfferedTime  PickedUpTime Offered="0/1" Handled="0/1" _time is populated with OfferedTime   User can use a Time picker that is generating a token. I'm manipulating this token by going 5 days in the past for earliest and 5 days in the future for latest in dashboard to get a wider data set than the one selected by the user. And then using variables in the search to restore time boundaries to initial selection that I use for some specific calculation (not shown in the code sample). I'm trying to Timechart some metrics and to remove all data that is out of the time range initially selected by the user :   [MYSEARCH] | addinfo | eval end=if(info_max_time=="+Infinity",now(),info_max_time)-432000 | eval beginning=if(info_min_time=="0.000",1604260193,info_min_time)+432000 | eval DateBegin = beginning | eval DateEnd = end | eval FormatTime = _time | timechart count(eval(if(strptime(OfferedTime,"%Y-%m-%d %H:%M:%S.%Q") > beginning and strptime(OfferedTime,"%Y-%m-%d %H:%M:%S.%Q") < end,Offered,null()))) as OfferedCalls count(eval(if(Handled="1" AND strptime(PickedUpTime,"%Y-%m-%d %H:%M:%S.%Q") > beginning and strptime(PickedUpTime,"%Y-%m-%d %H:%M:%S.%Q") < end AND BindType_ID!=4 AND BindType_ID!=5,Handled,null()))) as HandledCalls | where _time > beginning and _time < end   I added DateBegin / DateEnd / FormatTime as I wanted to make sure in events tab that my dates had the correct format and could be compared. _time OfferedTime DateBegin DateEnd FormatTime 21/09/2021 18:24:54,000 2021-09-21 18:24:54.0 1630926000.000 1632223379.000 1632241494.000 The result of this search is ... no results found. If I go to events tab, copy the DateBegin and DateEnd and change my search to :   | where _time > 1630926000.000 and _time < 1632223379.000   It works fine and I get the expected result... I don't understand why... If I don't put where condition at the end I get this result : _time OfferedCalls HandledCalls 2021-09-04 0 0 2021-09-05 0 0 2021-09-06 156 115 2021-09-07 215 174 2021-09-08 280 217 2021-09-09 227 176 2021-09-10 223 184 2021-09-11 0 0 2021-09-12 0 0 2021-09-13 336 254 2021-09-14 285 220 2021-09-15 228 172 2021-09-16 243 177 2021-09-17 273 197 2021-09-18 0 0 What I'm trying to get is :  _time OfferedCalls HandledCalls 2021-09-06 156 115 2021-09-07 215 174 2021-09-08 280 217 2021-09-09 227 176 2021-09-10 223 184 2021-09-11 0 0 2021-09-12 0 0 2021-09-13 336 254 2021-09-14 285 220 2021-09-15 228 172 2021-09-16 243 177 2021-09-17 273 197   Basically getting rid of the data before / after my date range (beginning / end) without losing the 0 values which are inside the time range. I tried to play with various functions to replace 0 with NULL outside the range but couldn't manage to have this apply only outside my time range,. If anybody has an idea on how to solve this issue that would be great. Thanks in advance !