Dear Splunk community:   I have the following search query: <BASIC_SEARCH> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2), "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total Attached is a sample of the current output based on the above search. I am trying to do the same thing except only show the 500, 502,503 columns (but still do all the calculation based on the total count of everything). How do i change the above search to achieve this? Thanks, Daryoush

Hi, we are trying to configure a MSSQL query in DB Connect App. Some how we are not be able to select timestamp field. Field is present in output results. Any idea what could be issue. Query:       use XXXXX DECLARE @OFF_SET NUMERIC(1), @PREV_START_DATE VARCHAR(21), @PREV_END_DATE VARCHAR(21) SET @OFF_SET = (select DATEDIFF(HH, GETUTCDATE(), GETDATE())) SET @PREV_START_DATE = (SELECT CONVERT(VARCHAR(11),DATEADD(d,-1,DATEADD(dd, DATEDIFF(d,0,GETDATE()), 0)),106)+' 00:00:00') SET @PREV_END_DATE = (SELECT CONVERT(VARCHAR(11),DATEADD(d,-1,DATEADD(dd, DATEDIFF(d,0,GETDATE()),0)),106)+' 23:59:59') SELECT SUBSTRING(J.JOB_NAME,CHARINDEX ('_',J.JOB_NAME)+1, CHARINDEX ('_',J.JOB_NAME, CHARINDEX ('_',J.JOB_NAME)+1) - CHARINDEX ('_',J.JOB_NAME)-1) as APP_CODE, J.JOB_NAME, J.JOB_TYPE, DATEADD(HH,@OFF_SET,R.START_DATE_TIME) START_DATE_TIME_EST, DATEADD(HH,@OFF_SET,R.END_DATE_TIME) END_DATE_TIME_EST, DATEDIFF(ss,DATEADD(HH,@OFF_SET,R.START_DATE_TIME),DATEADD(HH,@OFF_SET,R.END_DATE_TIME)) as RUN_TIME_IN_SECONDS, S.NAME as JOB_STATUS, R.EXIT_CODE FROM dbo.RPT_AS_JOB_DEF_DIMENSION J, dbo.RPT_AS_JOB_RUN_FACT R, dbo.RPT_AS_STATUS_DIMENSION S, dbo.RPT_AS_MACHINE_DIMENSION M WHERE J.JOB_DEF_ID=R.JOB_DEF_ID and R.STATUS_ID=S.STATUS_ID and R.RUN_MACHINE_ID=M.MACHINE_ID and J.JOB_NAME like 'PAT_%' and (DATEADD(HH,@OFF_SET,R.START_DATE_TIME) > @PREV_START_DATE AND DATEADD(HH,@OFF_SET,R.START_DATE_TIME) < @PREV_END_DATE) ORDER BY SUBSTRING(J.JOB_NAME,CHARINDEX ('_',J.JOB_NAME)+1, CHARINDEX ('_',J.JOB_NAME, CHARINDEX ('_',J.JOB_NAME)+1) - CHARINDEX ('_',J.JOB_NAME)-1), R.START_DATE_TIME        

Hi, Could you help in extracting the fields from this json events. sample json event1 {"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK", sample jason event 2 {"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY" output of the new field : IPBLOCK BURST SUMMARY   Thanks..

Hello Splunkers,    I come to you in order to gather some tips and tricks around look-ups management. For example, I have several look-ups used to whitelist some machine, and after a time a part of these machine aren't used anymore. I bet we are not the only one to face this, so I was wondering, how you manage the review and update of these?  I first had the idea to use the [fschange] stanza on ours to get mofications (with time information and details about the change Add/Delete/Edit). But i also saw that is was deprecated. Is it still a good thing to use in order to manage our look-ups? Is there something that replace this stanza? Because I unfortunately have not found anything.  I also thought adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enought workaround?   Thanks for your tips! Happy Splunking, A-D

I have a use case where about 50% of my windows clients have IIS running on them.  I'd like to have a server class just for those 50% to ingest IIS logs.  I have IIS logs coming in but I have to manually list each client in the whitelist.  Is there a way to determine if a server has IIS, then deploy a specific server class?  I was thinking by an installed Windows Feature perhaps?  I'm at a loss.

Hi,   I am struggeling with field extractions. I have two fields that I want to extract. But the problem is sometimes te value is in 'Documentid : 123456789' and sometimes in 'DocumentId 123456789' so without the :  Is it possible to make an extraction that extracts only the numbers after 'DocumentId' ?

I have a query that returns an avg calculation over time and I am using a sparkline to try to show the results for each 'period' over that time, however although my results are showing a correct value, my sparkline only shows a value of 0 or 1. My search is:       | tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m | eval AVG_ABC=((sum(DEF)/sum(ABC))/60) | stats sparkline avg(AVG_ABC) by platform         Instead of the single line result with the sparkline over time, I get the following: Can anyone point me in the right direction? Essentially I am looking to create something like a single number value viz with a trendline. Thanks.