While using the mvexpand command, I am getting the below error.
ERROR -
command.mvexpand: output will be truncated at 1000 results due to excessive memory usage. Memory threshold of 50...
...atest |makecontinuous d span=1d start=earliest end=latest | chart .....
This thing gives an error indicating it is not accepting earliest and latest field values.
How can I pass the values of e...
I need to use tstats vs stats for performance reasons. I would like tstats count to show 0 if there are no counts to display.
| tstats count where index="abc" by _time span=1h
This would re...
I'm looking for another way to run the search below and expand the computer field. This search is pulling systems belonging to a specific group in AD and then cleaning up the name from the member_dn ...
Attached screenshot is a list of 15 query ids with started, ended, bstarted (15 minute bucket) and query duration. Tried with concurrency cmd: |where started <= "2...
Hello, fellow Splunkers.
I am currently trying to create a stacked timechart column using a simple search query: timechart count by type limit=0
Since Splunk uses lexicographical ordering by def...
Hello Splunk community, I need to do one prediction for two different time ranges in different span in one report. The objective is making alert on the prediction of rate of messages: 1- from 5 am ...
So I have this basic search for a line graph visualization:
(search goes here) | timechart count
Let's say I've had 10 events/hour up until 7:00am this morning. Between 7:00-10:00am I've ha...
This is my code, the data includes a field labeled "callId" (for this particular search there are 3 distinct callId) and the stats are as below:
The yellow highlighted portion is where the fi...
Hi 🙂
I have a chart with one line for Usage (span=1d) and another line for 95th_Percentile (span=30d) but I am using "append" with "makecontinuous _time" - there has gotta be a better way...
A...