Hi...here is my search:
sourcetype="isc:dhcp" earliest=-10m@s latest=now | stats count as dhcp_count by _time | where dhcp_count<5000
I'll usually get returned stats:
4800
10,0...
Hi Guys! It's me again!
A few days ago I was asking how I can eval some fields and get the total from them. Now I want to show those in a table format and for that, I made this search:
index=M...
Hi Guys,
Fewer events displayed while searching as * then search hostname, while it's showing if I search at the beginning with hostname
Please suggest why it is misbehaving and what is the S...
I'm trying to divide my query into two parts, D>8000 as X and D<=8000 as Y, so I put it .... my search | eval count(if(D<=8000)) AS Y, count(if(D>8000)) AS X | transpose.....................
...hat I am not interested in rows where the frequency is less than 1,000, is there a way to limit the table so it only shows the rows above 1,000? Would this also improve memory usage?
I would like to index less data into Splunk by modifying several XML sources so that I'm only including certain fields and formatting it as a key-value pairs. I believe I can do this by creating a s...
I'm trying to get a chart that displays the number of events where ProcessingTime was less than 1 second, between 1 and 2 seconds, and greater than 2 seconds within a certain time frame, and d...
Hi,
let's say I want to create a 5 step-funnel for customers depending on their max step.
My first approach would be like
...
| stats max(funnel_step) AS max_step BY customer
| stats dc(...
Hello everybody,
I have a problem with incomplete search results.
When I use clever mode I get 1125 events but in verbose mode I only get 969.
I wonder why this behaviour because verbose shou...