Hey people, my requirement is as such   I have extracted these columns from my data using the query  my query | rex "filterExecutionTime=(?<FET>[^,]+)" | rex "ddbWriteExecutionTime=(?<ddbET>[^)]+)" | rex "EXECUTION_TIME : (?<totalTime>[^ ms]+)" | eval buildAndTearDowTime=(tonumber(FET)) + (tonumber(ddbET)) |table totalTime FET ddbET buildAndTearDownTime     I want to have buildAndTearDown as totalTime - (FET+ ddbET)   once I have all the three values required (FET, ddbET, buildAndTearDown) I want to put these values in a pie chart.   Another question I have is why is  This statement  eval buildAndTearDowTime=(tonumber(FET)) + (tonumber(ddbET)) is giving me null value   Thanks   

    index=servicenow assignment_group_name="security" status=* | stats count by number,status,group_name,created_on     The above query will produce the following: I need to calculate the number days from the "created on" date shown above in the example to the current date.   Any help with this is greatly appreciated.

Hello, I'm wondering if there is a possibility that it can be extracted with a variable for a mail form since the client wants to see the disk health rule in which the problem is found Thanks in advance

From here i need to extarct the identification=MLAS, MLA, LAS and VAM My sample logs: [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLAS&timeRange=EVERYDAY&timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLA&timeRange=EVERYDAY&timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=LAS&timeRange=EVERYDAY&timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=VAM&timeRange=EVERYDAY&timePeriod=MINUTES in my selected fileds or intresting fileds  indeentification fileds  should appear has below: MLAS MLA LAS  VAM

Hello! I have many events, and I have a search that returns only the events that contain the to field.     index="my_index_qa" sourcetype="example-qa" to=*       The results are a list of events that have the following pattern:     db271cf8678c -2023-01-12 15:08:32.157 [app=app-name, traceId=traceid-value, spanId=spanid-value, INFO 1 [llEventLoop-5-5] filter.FilterBeingUsed : c=class, m=method, method=GET, to=http://example.url.com/path/extra, route=https://example.url.com/redirect/route, headers={X-Forwarded-For=[IPADDRESS, IPADDRESS2], X-Forwarded-Proto=[http], X-Forwarded-Port=[80], Host=[EXAMPLE-HOST], app-device=[DEVICE-INFO], app-user=[devicce-info-os-info], app-os=[APP-OS-VERSION], user-agent=[user-agent-example], app-version=[app.version.example], Origin=[origin-app]}       I want to be able to group by the to= values, so I can count the number of times they repeat, create charts and do some other metrics. Is it possible? How can I do this? Thank you for any help in advance. And sorry if I wrote anything wrong, english is not my main language.  

We are trying to troubleshoot some memory consumption issues with one of the SH cluster nodes. We found that this instance shows high concurrency of scheduled reports 46/15 historical while the other nodes are way below this number. Also in the running historical scheduled reports panel we got a column Mode that shows "historical" as value. What does a "historical" report mean in this context? The Splunk documentation for DMC doesnt explain it. https://docs.splunk.com/Documentation/Splunk/9.0.3/DMC/Scheduleractivity Regards.

Hi all, I'm currently using Splunk Cloud and my focus is to display status icons as values based on the search results in my classic dashboard table. I found a way to display only the icon with html but at the same time im struggling to assign the icon based on the result from the search query (if result active, pass icon check-circle else default pass icon warning/error etc.). How can I achieve this ? Any tweaks from this code attached will be much appreciated! <row> <html> <div> <td class="icon-inline numeric"> <i>Range icon: </i> <i class="icon-check-circle" style="color: green"><var>low</var></i> <i class="icon-alert" style="color: orange">warning</i> <i class="icon-alert-circle" style="color: red">error</i> </td> </div> </html> </row> <row> <panel> <table id="t1"> <search> <query>index=XXX host=* | eval host=upper(host) | stats count BY host | eval count=1, host=upper(host) | fields host count | stats sum(count) AS total BY host|rangemap field=total low=1-10 default=severe</query> <earliest>-30m@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row>