So I have a search I run for an alert which looks for a missing event, it's a simple tstats that shows stuff within the last 30 days I would like to compare the 90 days variant in the same search and determine the missing events.    Any ideas? 

Hello, I have the below SPL with the two mvindex functions. mvindex position '6' in the array is supposed to apply http statuses for /developers.  mvindex position '10' in the array is supposed to apply http statuses for /apps.  Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command?    (index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD | eval temp=split(_raw," ") | eval API=mvindex(temp,4,8) | eval http_status=mvindex(temp,6,10) | search ( "/services/protected/v1/developers" OR "/wcaapi/userReg/wgt/apps" ) | search NOT "Mozilla" | eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API) | eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)  

hello all. i have a .csv report that gets generated regularly and that I'm monitoring. working fine there. trying to figure out how to display it because the data(events?) are in columns. is this possible? example data here. Hosts server1 server2 IPLevel median median Tip1662 N/A N/A Tip1663 PASSED PASSED Tip1664 FAILED FAILED Tip1666 PASSED PASSED Tip1667 PASSED PASSED Tip1668 PASSED PASSED Tip1669 N/A N/A Tip1671 PASSED PASSED Tip1674 SKIPPED SKIPPED Tip1675 FAILED FAILED Tip1676 PASSED PASSED Tip1677 PASSED PASSED Tip1680 PASSED PASSED Tip1685 PASSED PASSED Tip1687 PASSED PASSED Tip1688 SKIPPED SKIPPED Tip1689 SKIPPED SKIPPED Tip1690 FAILED FAILED

I am looking to create a simple pie chart that contrasts the total number of users during any give timeframe vs how many logged into a specific app. I am probably over thinking this, but what I did is a search for distinct_count of users during a period and then joined another search that calculates the distinct_count of users that logged into a specific app over that same period. For example:  index="okta" "outcome.result"=SUCCESS displayMessage="User single sign on to app" | stats dc(actor.alternateId) as "Total Logins" | join [ | search index="okta" "target{}.displayName"="Palo Alto Networks - Prisma Access" "outcome.result"=SUCCESS displayMessage="User single sign on to app" | stats dc(actor.alternateId) as "Total Palo Logins"] | table "Total Palo Logins" "Total Logins" Only issue is I can't get a proper pie graph of the percentage of Palo Logins vs Total Logins. Any help would be appreciated. I am sure I am missing something simple here. 

     Without the ability to remove testing errors in uptime calculation when reporting monthly numbers, I spend a lot of time doing it manually (multiple teams).  To alleviate this, I plan on writing a Pandas script to automate this process, but I need to export a CSV with a column that includes success or failure of each run (HTTP Check).  I fail to see CSV as an export option aside from the comparison reports.  The comparison reports only allow me to use RB tests.  Can anyone direct me to a mechanism to export run data (success/failure) for HTTP checks via CSV? Legacy Synthetics (Rigor)

Hi, We have a new implementation of Splunk ITSI, running on Splunk Cloud, in a new search head. Since the day the search head was installed, every search that we run is followed by a warning message related to a missing eventttype. Warning message is similar to below: "[idx-1.my-company.splunkcloud.com,idx-2.my-company.splunkcloud.com] Eventtype 'wineventlog-ds' does not exist or is disabled." Anyone have ever experienced this behavior on Splunk ITSI? Or have any knowledge of which is the source app/add-on that contains this eventtype that is being referenced by ITSI? Thanks!

I have the following search query that I've been using so far to display the unique values in lists of Ids: <search> | eval ids=if(group_id >= 4, id, '') | eval type_x_ids=if((group_id >= 4 AND is_type_x="true"), id, '') | eval non_type_x_ids=if((group_id >= 4 AND is_type_x="false"), id, '') | stats count as total_count, values(type_x_ids) as list_of_x_ids, values(non_type_x_ids) as list_of_non_x_ids, values(ids) as list_of_all_ids by some_characteristic Now that I've seen which Ids are in the lists, I would like to change the query to count the number of unique ids in the lists split up by some characteristic. mvcount doesn't seem to work in the stats command the way I tried it: attempt 1: | stats count as total_count, mvcount(type_x_ids) as num_of_x_ids, mvcount(non_type_x_ids) as num_of_non_x_ids, mvcount(ids) as num_of_all_ids by some_characteristic attempt 2: | stats count as total_count, mvcount(values(type_x_ids)) as num_of_x_ids, mvcount(values(non_type_x_ids)) as num_of_non_x_ids, mvcount(values(ids)) as num_of_all_ids by some_characteristic How should I write the stats line so I would get a table that shows the number of unique of Ids in each list of Ids split by some characteristic? I would like the following fields in my resulting table: |  some_characteristic  |  total_count  |  num_of_x_ids  |  num_of_non_x_ids  |  num_of_all_ids  |  I would appreciate any help you can give!!