What do you mean by bar? The column title? The entire row? A particular cell? Also the condition tags you have there have identical values. Is that correct? ... View more

The data sample you provided is just a single point in time, but I'm guessing the following searches might help Range of hosts: sourcetype="dns_stats" dns_host=dns4*| eval data-{dns_host}-{metric}-{bundle}=data | timechart per_second(data-*) as data-* All hosts sourcetype="dns_stats" | eval data-{dns_host}-{metric}-{bundle}=value | timechart per_second(data-*) as data-* Have a look at these splunk answers https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html http://blogs.splunk.com/2014/05/28/search-commands-delta/ ... View more

You can see the difference between index=A tag="tagM" NOT [ search index=B tag="tagY" | stats count by filename | fields filename] and index=A tag="tagM" NOT [ search index=B tag="tagY" | fields filename] if you check the remoteSearch field in the Job Inspector. You will see the full output of the expanded subsearch. Also try dedup filename as opposed to stats count by filename ... View more

That would be nice, but we have hundreds of users so any naming convention will fall apart in about a day 🙂 ... View more

As the UI says in the define lookup screen "Specify the command and arguments to invoke to perform lookups. The command must be a Python script located in $SPLUNK_HOME/etc/apps/app_name/bin or $SPLUNK_HOME/etc/searchscripts." You could just make a python wrapper that calls an exe - have a look here for starters https://docs.python.org/2/library/subprocess.html#using-the-subprocess-module or just have a look on stackoverflow ... View more

Are you using a Universal Forwarder?; I don't think you can filter data with it. See http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad ... View more

I don't think the Universal Forwarder can filter data. See http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad ... View more

Also try the field extractor if you're not sure how to write the regex - http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX ... View more

If the message is regular (ie if it always says INFO: Server start up in...) then you would be better off making the regex more explicit. INFO:\sServer\sstartup\sin\s(?<ms>\d+)\s You can see the difference between them in the regex debugger on https://regex101.com/ ... View more

Yep you need a minimum of three nodes ... View more

You may want to filter the fields that come back with the subsearch or you risk excluding duplicates other than the filename. EG index=A tag="tagM" NOT [ search index=B tag="tagY" | fields filename] ... View more

Hopefully someone on the forum can help you faster. It's weird you don't see anything for index=_internal. Its like your old indexes are gone. ... View more

Ah. Well I would get in touch with Splunk Support pronto ... View more

I can't answer your question specifically, but you might want to have a look at the distributed deployment options available in splunk. Have a look at http://docs.splunk.com/Documentation/Splunk/6.3.2/Deploy/Distributedoverview A search head cluster or deployment server may be a better way of managing lookup files for you. ... View more

Sounds like your license expired. Is everything OK in the license tab? ... View more

try the metadata command. You can filter with where like any other search. Just modify the time value in the relative_time section to get the time range you are after. Note that as it's a generating search it must come first in the search bar |metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h") And of course if you want to use the filenames in a subsequent search <main search> [|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")|fields source] | etc If you are instead asking for a generic range picker then just try <your search> _index_earliest=-24h@h | etc Now go and read these: http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/SearchTimeModifiers http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Metadata http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Where ... View more

If you want to avoid using a subsearch altogether you could do something like this: index=starx error | streamstats count as total_results | eventstats p50(count) as average | eval keep=count-average | search keep>0 This avoids any limitations in the subsearch if your index is very large, and saves you from running the index=starx search twice. ... View more

lol. Glad you got it fixed in the end! Do you mind making a new answer in this thread and accepting it? So other people that have the same problem will be able to see how you fixed it ... View more

I'm assuming your events have only a single field, cardID, (apart from the default fields like source and host). You should be able to get around using a subsearch with the following. Depending on the size of your fraud_detect csvs, Iguinns subsearch method could be faster - I would try both. source=*card | stats values(source) as source by cardID | search NOT (source=fraud_detect1_card OR source=fraud_detect2_card) | rename cardID as no_fraud | table no_fraud ... View more