I want to combine two search results, whereby I'm only interested in the last x/y events from each subquery. Something like this: | multisearch
[search index="sli-i...
Hello,
How do I combine two searches in an eval command? In the example below, I'm trying to create a value for "followup_live_agent" and "caller_silence" values. Splunk is telling me this query i...
Hello,
In order to clean up our filtering rules, we'd like to check if some of our old URLs are still in use (and if yes, how many times in the last 90 days). Basically we'd like to perform the query bel...
...ex commands. I am now trying to merge them into a single one, but I am having trouble doing so. Following is a run anywhere search where I've put the unstructured data into a string that is then u...
...imes events as it has different cat values and therefore multiplies the sum x-times in my stats sum command.
After wasting hours with appends and evals I had to pause before I smashed my keyboard.
A...
...tatus=none")
| collect index="old_logs_index"
| eval _raw=old_raw
| delete
The pipe fails to execute. Any thoughts on whether it's possible to combine collect and delete in one pipe?
My fields in this example are (row, column, data and count)
I want to combine the features of this command:
chart sum(count) by row, column
This would make something like :
c...
So, if I have an index=abc with fields a,b. Also, I have index=xyz with fields b,c. Now I want to count the results where a="foo", c="bar" and b is common to both indices. I want to do this withou...
...s -30d@d.
B has fewer UserName values than A (B is a subset of A), and what I want is to use B's UserName combined with A, then return A's other fields.
Since both sourcetypes A and B are huge, I tried t...
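The two questions above (counting events that share a b value across index=abc and index=xyz, and returning sourcetype A events whose UserName also appears in sourcetype B) are the same problem: correlate two datasets on a shared field without join. As an added example that is not from the original posts, the usual pattern is to pull both datasets in one base search and correlate with stats or eventstats on the shared field. The index, sourcetype and field names are taken from the questions; everything else (the time range, the assumption that a and c exist only in their own index, and the field name seen_in_b) is an assumption for illustration:

```spl
(index=abc a="foo") OR (index=xyz c="bar")
| stats dc(index) AS idx_count count(eval(index="abc")) AS abc_events count(eval(index="xyz")) AS xyz_events by b
| where idx_count=2

sourcetype=A OR sourcetype=B
| eval in_b=if(sourcetype="B",1,0)
| eventstats max(in_b) AS seen_in_b by UserName
| where sourcetype="A" AND seen_in_b=1
| fields - in_b seen_in_b
```

In the first search, `a="foo"` only ever matches abc events and `c="bar"` only xyz events, so after `stats ... by b` a row with `idx_count=2` is a b value present in both; `abc_events` and `xyz_events` give the per-side counts. The second search keeps every original field of the A events because eventstats only adds `seen_in_b` rather than collapsing the events. A subsearch (`sourcetype=A [search sourcetype=B | stats count by UserName | fields UserName]`) is simpler but is bounded by the subsearch result limit (10,000 by default) and its runtime limit, which is exactly what fails on huge sourcetypes; eventstats avoids that, at the cost of memory proportional to the number of events in the base search, so keep the time range and base filters as tight as possible.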