Search

varun99 · ‎04-17-2018

I have a panel which provides us a list of transactions along with the StartTime of the transactions. I want a drill down panel which searches for a specific transaction within the time range (StartT...

rudy_dom · ‎10-03-2013

...his: | eval (distinct_count(host)) < 3 But it does not work. I guess I need to assign a key to the value derived from "stats distinct_count(host) by fruit" so I can use that key for the evaluation....

mngeow · ‎05-29-2017

Hi, I am trying to create an anomaly detector for unusually high thruputs across all sourcetypes in my Splunk internal logs. I have used the following code to compile a table of the sourcetype by ...

narduk · ‎10-23-2014

...ollowing search: index=app_logs env=prod | makemv delim="," ids | mvexpand ids Does not yield the expected results of 5 new events. It seems like this is a bug in the way Splunk evaluates m...

nittalasub · ‎08-14-2017

Streamstats can produce sum of differences like (fieldB- fieldA)+ (fieldC-fieldB)+(fieldD - fieldC) = a total of 30 min. Can we achieve this evaluation through streamstats ? (fieldB - f...

wrangler2x · ‎11-08-2011

...as to use the dc() function to get a count of unique user-ids, and the list() function to put them together as multivalues associated with their given, common, IP address. Here is the search: i...

shayhibah · ‎01-07-2020

Hi, I am trying to add new evaluation for a field in search-time. For some reason, when I run query from my search head, I get the old values and it seems that the props.conf is not working....

bobbycrispbox · ‎02-14-2017

...hange> </input> The issue is that only the first instance of the space is replaced - so with my example above I'm ending up with ('a','b c d') Documentation on the replace evaluation function...

jclemons7 · ‎10-15-2015

Hello all, I have the following eval function which functions properly: | eval my_count=if(match(lower(FieldName),"\\\filename.exe"),1,0) But I want to evaluate a few things in the if s...

kausar · ‎12-22-2016

I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like: index=abc sourcetype=xyz | eval w=case("keyword1", "k1", ...

Search

Search the Community

eval Not working with time functions while evaluat...

Function results and evaluating them

How to use evaluate function across multiple multi...

Is there a way to force rex to be evaluated before...

how to tweak streamstats function to get sum of di...

How to save the results of a function and reuse th...

Issues with props.conf and EVAL function

How to use the eval replace function in dashboard ...

How do I edit my "eval if match" syntax to evaluat...

Can I do string search inside case() func?