Sub search is not required. index="iis_logs" (cs_uri_stem="/site1" OR cs_uri_stem="/site1a" OR cs_uri_stem="subsite1" OR cs_uri_stem="subsite2" OR cs_uri_stem="subsite3" OR cs_uri_stem="subsite4")| eval SearchNumber=case(cs_uri_stem=="/site1","site1",cs_uri_stem=="/site1a","site1",cs_uri_stem=="subsite1","subsite",cs_uri_stem=="subsite2","subsite",cs_uri_stem=="subsite3","subsite",cs_uri_stem=="subsite4","subsite") | | timechart span=1h count by SearchNumber ... View more

hi i have given drop down for selecting month and setting date_month as month selected from drop down ... View more

I do not think that there is a bug in the calculation of the number of significant digits of SPLUNK. (I want you to check all the lines here) sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - total_count) / max_count) ... View more

Check the information in the search job inspector(i button). earliest? latest? [earliest=-7d@d latest=@d] will be 8 day? ... View more

This worked like a charm! Thank you very much for figuring this out! ... View more

Or you could just do this to get the exact time the event was processed (different for each event) | eval current_time=time() Or this to get the time the search was kicked off: | eval current_time=now() ... View more

Splunkのリアルタイムサーチ＆アラートは最新の情報しかみていないとおもいますので、 head 1は不要で、単純に、 source="～～～/test" keyword というサーチをリアルタイムアラートとして保存すればいけるとおもいます。 イベントにkeywordが含まれるものが入ってくるタイミングで、アラートが発生するとおもいますよ。 ... View more

Using "append" will give you a two charts side by side with the timeframe repeated. If you use "appendcols" instead, it will give you the results of both charts within one timeframe (overlapping instead of side by side). ... View more

Thank you! That worked wonderfully! ... View more

I wonder not that 's field that you can use WildCard. ... View more

Just wondering if |top limit=0 Status by Destination doesn't do what you want? top documentation for the options and the usage for top. ... View more

Timestampの設定に関しては、ドキュメントでは説明されていないものが非常におおくあるので、以下の設定ファイルの仕様を見ていただいたほうがいいかもしれませんね。 /opt/splunk/etc/system/README/props.conf.spec MAX_DAYS_AGO = * Specifies the maximum number of days past, from the current date, that an extracted date can be valid. * For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago. * Defaults to 2000 (days), maximum 10951. * IMPORTANT: If your data is older than 2000 days, increase this setting. ... View more

sure no problem. Glad I could help someone as opposed to getting help from others. ... View more

I ran the query but the CounterValue, min_cv and max_cv values are the same so the diff between min_cv and max_cv is 0 ... View more

Bam this worked! Thank you! ... View more

Get Dev License: http://dev.splunk.com/ Docs: http://docs.splunk.com This site (congrats as you are already here) The Splunk Book - Free at - http://www.splunk.com/goto/book If you have money to spend, the Splunk Conference first week of Oct. http://conf.splunk.com ... View more

こちらこそ！ もし回答に問題がなければ、回答の横のチェックマークをクリックしていただければ、解決済みとなりますので、チェックいただけると嬉しいです。 ... View more

But what about such a feeling? ex. (USER_MST.CSV) USER USER_A USER_B USER_C USER_D USER_E (search) |inputlookup USER_MST.CSV|join type=outer USER [search index=*|stats count by USER] (results) USER count USER_A 10 USER_B USER_C 1 USER_D 5 USER_E ... View more

Also, this app is FREE - it costs you nothing to try it!! ... View more

I figured it out. The files I was interested in all started with exactly the first eleven lines, so Splunk thought they were all the same file. I had to use the crcsalt option in inputs.conf. ... View more

I already have a 4 hour summary as the threshold will be on a 4h period. Will try it, but I think this will work. ... View more

What error is the output? Do you have made ​​well Preferences? For example, this sample program work? Please to save and run the file with the appropriate name by setting the HOST,USERNAME,PASSWORD. ---------(sample program)------------------ import splunklib.client as client HOST = "hostxxxx" PORT = 8089 USERNAME = "username" PASSWORD = "password" try: service = client.connect( host=HOST, port=PORT, username=USERNAME, password=PASSWORD) print "connect OK!" except: print "connect NG!" ... View more

Do not have effect options append command? It has become the default is 60 in the document ... ex. ････ append maxtime=60 [search host="database" ･････ ... View more

earliest=-3d@d+18h | eval run_day=strftime(now(),"%A") | eval today_midnight = strptime(strftime(now(),"%F"),"%s") | eval mond_start = tonight_midnight - (86400 + 86400 + 21600) | eval other_start = tonight_midnight - 21600 | eval stop = tonight_midnight + 28800 | eval start = if(run_day=="Monday",mond_start,other_start) | where _time > start _time < stop This ought to work, even though I have not tested it. Short breakdown; line1: at most we will need to look back to 6PM 3 days ago line2: find out if what day it is today, i.e. when we're running the search line3: determine the epoch timestamp for midnight on the day the search is run line4: define the epoch timestamp for 6PM three days ago line5: define the epoch timestamp for 6PM yesterday line6: define the epoch timestamp for 8AM today line7: depending on todays weekday, define 'start' as 6PM three days ago, or 6PM yesterday line8: restrict results based on _time This could probably be shortened a bit, but for sake of simplicity there are a lot of eval s. Hope this helps, K ... View more