Hi, Given the below search:     index="my_index" source="mysource" _index_earliest=-1h | rex field=_raw "\:\sPT(?P<respt>\d+\.\d+)" | fields response_time_ms respt| convert num(respt) as response_time_ms | eval response_time_ms = response_time_ms*1000 | stats exactperc95(response_time_ms) as myPercent     Works fine in the UI, but when I try to execute through the API i get no data back and an obscure message.     myPercent Specified field(s) missing from results: 'response_time_ms' myPercent       Can't figure out what is going on, I have listed the field in "rf" with no luck. I do have search API working for other info, so I know credentials and my POST is accurate. Is there a limitation on stats? Thanks   Chris ... View more

Hi, I must be missing something. I have a simple search using a time modifier: index=MyIndex earliest=-30m My expectation is when I search, the results will be searched and returned only over the last 30 minutes of events. When I use the time picker and set to ALL TIME, it still only returns the last 30 minutes but searches over ALL EVENTS? Is this the correct behavior? I looked at the job log and it did have the earliest event as the first event in the index (ALL TIME) with the time modifier. Read this a few times, https://docs.splunk.com/Documentation/Splunk/8.0.3/Search/Specifytimemodifiersinyoursearch and didn't see any verbiage to this behavior. Thank you! Chris ... View more

Hi, I'm trying to create a search that returns certain hosts that are NOT found returning data. I know I can do this with a lookup table, but I wanted to see if I could just embed the hosts in the SPL to prevent the need for a lookup (less maintenance). Below is what is working, but the append is taking a long time. Any suggestions on how I can get this to perform better? Thank you! Chris | makeresults | eval host="hosta hostb hostc" `comment("This uses a events that create an event for each host")` | makemv delim=" " host | mvexpand host | append [ search index=_internal sourcetype=splunkd component=Metrics (host=hosta OR host=hostb OR host=hostc) | fields host ] | stats count by host | search count=1 | mvcombine host delim="name:" | nomv host | eval hoststring= "name:" + host | fields hoststring |`comment("This is evaluated against the search and if no host exists, a value of 1 event will be returned with a formated string")` ... View more

Hi, I have data in One event listed as TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3. I want to have them show up on separate rows in a table as: TestName 1 TestValue 1 TestName 2 TestValue 2 TestName3 TestValue 3 Tried several examples but nothing worked. Any idea? Thank you, Chris ... View more

Hi, reading the docs but can't find what I'm looking for. We have the Splunk App for AWS, is there a way to just receive Cloudwatch Alarms in Splunk? We do not want to ingest all the cloudwatch metrics. Thanks! Chris ... View more

Hi, Given the below: inputs.conf [monitor://\\MyServer\MyFolder] disabled = false host = MyServer index = MyIndex sourcetype = MySourceType ignoreOlderThan = 2d recursive = false whitelist = (MyLog1\d+-\d+\.txt)|(MyLog2\d+-\d+\.txt) props.conf [MySourceType] TRANSFORMS-trash = badError, badError2 BREAK_ONLY_BEFORE_DATE = TRUE SHOULD_LINEMERGE = TRUE TIME_FORMAT = %m/%d/%Y %T TRUNCATE = 0 MAX_DAYS_AGO = 2 sourcetype = MySourceType [source::.../\\Myfolder\\MyLog2*.txt] TRANSFORMS-removejunk = setnull , setparsing [source::..../MyServer\\MyFolder\\MyLog2*.txt] TRANSFORMS-removejunk = setnull , setparsing [source::\\\\MyServer\MyFolder\MyLog2*.txt] TRANSFORMS-removejunk = setnull , setparsing I'm trying to have a transform just for one of the log files (MyLog2) in the white list. The file is a UNC path and I have tried the 3 naming entries and nothing works. I use setnull and setparsing elsewhere so I know they function properly. Is there a way to do this by source? I have a workaround by creating a separate stanza just for this file, but it would be less configuration to be able to use the white list and execute a transform by source name. Thank you, Chris ... View more

Hi, This search below is working great.... index=logs AND (sourcetype=eMetrics) | JOIN type=outer OrderNumber [ search index=logs AND LogLevel=ERROR AND ErrorType="BAD_ORDER" ] | stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 However, adding the table command does not work. index=logs AND (sourcetype=eMetrics) | JOIN type=outer OrderNumber [ search index=logs AND LogLevel=ERROR AND ErrorType="BAD_ORDER" ] | stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 | table OrderNumber, ErrorMessage Any ideas? I'm trying to use this as an alert and it will display a table of bad_orders with a few Event fields. Thank you! Chris ... View more