I have a search which uses the transaction command to group 2 events together. I then added a where clause to sort the events that had a duration>2 seconds.. I then saved the search as an alert.. Now every time the duration>2 seconds, I get 3 identical emails with a different trigger time for each. I'm viewing the logs in real time and verified that only 1 event came in that was greater than 2 seconds, even though I'm getting 3 emails. How can I change this where I will only get 1 email anytime duration>2? My Search index=unleashed Call="<CreateOrder*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | where duration>2 ... View more

I'm using ...| transction to group together a web service request and response. I'm then finding the avg(duration) from the response and request. This works successfully and groups the request and response into one event then it adds a new field called duration and shows the response time. I want to find all events that have a response time greater than 5 seconds. Most of the events are in the 1 second range, but there are a few that are above 5 seconds. Whenever I add the ...| where duration &gt; 5 at the end, it's still showing me events that have a duration of less than 5 seconds. Nothing is being excluded, and I'm getting the same number of events back as I did without the where clause Here's my search index=unleashed Call="<CreateOrder*" | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | timechart avg(duration) | WHERE duration>5 ... View more

I have an index which is not timestamping the events. I looked in the Docs and it said I have to define it in my props.conf If this is true, can someone help me with the correct stanza? Here's what a few of my non-timestamped events look like 1451406708913 172.xx.xx.xx - 160195 98610 3.12 1.19 200 21105 0 8 /graph?node=10904&profiles=roomsOnly 1451406708879 172.xx.xx.xx - 160194 13073 4.50 3.69 200 6 0 8 /graph?node=10930 ... View more

I have 2 indexes which both have a common filed (JSESSIONID).. One index has an IndexOutOfBoundsException and another index has the user agent string along with the web request. So I want to join these 2 indexes by their JSESSIONID so I have 1 event which is made up of both the index=main and index=web-access .. Once I have this event I can then find out how many of those IndexOutOfBoundsExceptions were bots or humans by looking at their web request and user agent string. Index=main has indexoutofboundsexception and the JSESSIONID but does not include the web request or user agent string.. index=web-access has the User Agent string/Web Request and the JSESSIONID but does not include the indexoutofboundsexception Here's my current search that is not working index=main AND index=web-access | transaction JSESSIONID ... View more

I extracted deployment time from events and it's currently in this format 0:04.645 and 1:30.123 and is in terms of Minutes, Seconds, Milliseconds. I need to sum this time up every day and graph it. How can I put this in a time format in seconds? Example: 0:04.645 1:30.123 sum = 94.768 seconds ... View more

I need to have a Gantt chart in Splunk so we can quickly look over different periods of time on a rolling basis. I downloaded the Gantt chart app and tried using that, but it didn't work and looked very confusing. I made a Gantt chart in Excel (pictured below) but I'd prefer to do it in Splunk because I need that rolling data to come in rather than having Excel's static chart ... View more