I have 2 tax calls (CalculateTax and LookupTax) and want to count their errors for the previous day's hour. I then added a row which would sum the totals up. So My table looks like this Tax Call | YesterdayLastHour CalculateTax | 70 Total | 70 But I want it to look like this Tax Call | YesterdayLastHour CalculateTax | 70 LookupTax | 0 Total | 70 Currently, if there are values for both CalculateTax and LookupTax then it will display correctly like this Tax Call | YesterdayLastHour CalculateTax | 70 LookupTax | 10 Total | 80 Here's my search index=vertex7-access RTG_Error="500" earliest=-26h@h latest=-25h@h | stats count AS YesterdayLastHour by RTG_Tax | addtotals col=t row=f labelfield=RTG_Tax label=Total | table RTG_Tax, YesterdayLastHour | rename RTG_Tax AS Total So the problem I'm facing is, if there is a zero count for a LookupTax call, then the tax call will not display. I want the LookupTax call to display, but show a 0 for the count ... View more

I have an alert set which will compare the errors for the current day's previous hour to yesterday's previous hour.. So it will run a search every hour and count the number of errors from 1pm-2pm today and compare them to the number of errors received yesterday from 1pm-2pm. If the number of errors for today's hour is 25% higher than yesterday's hour of errors, then the alert will fire. I set the search up and it's working as expected, but I believe I misconfigured the alert because I just got 2 alert emails. The first email is showing Calculate Tax errors, then the next alert email is showing the total number of errors. I want the alert to fire if ONLY if the total value for 'TodayLastHour' is 25% greater than 'YesterdayLastHour'. Tax Call | TodayLastHour | YesterdayLastHour CalculateTax | 290 | 100 LookupTax | 100 | 90 TOTAL | 390 | 190 Here's my search: index=vertex7-access RTG_Error="500" earliest=-1h@h latest=@h | stats count AS TodayLastHour by RTG_Tax | addtotals col=t | table RTG_Tax, TodayLastHour | appendcols [search index=vertex7-access RTG_Error="500" earliest=-25h@h latest=-24h@h | stats count AS YesterdayLastHour by RTG_Tax | addtotals col=t | table RTG_Tax, TodayLastHour, YesterdayLastHour] | where TodayLastHour > 1.25 * YesterdayLastHour ... View more

I'm currently the Splunk admin and I have about 40 users of Splunk. I want to put a dashboard on the app/launcher/home showing what indexes are available. I don't want to do this manually, but rather add the dashboard once and have it apply to all their accounts. How would I do this? ... View more

I have an index which has around 50,000 errors per day and I need to create an alert which will take the number of errors for the previous day, by the hour, and will compare it to the current day, by the hour, and the alert will fire if the current days hour is atleast 10% higher then the previous days hour. Example: Yesterday 7:00am-7:59am we had 10,000 errors 8:00am-8:59am we had 6,000 errors 9:00am-9:59am we had 4,000 errors Today 7am we had 11,000 errors 8am we had 20,000 errors 9am we had 3,000 errors The alert will fire for only 7am and 8am because the errors were 10% higher than the previous day.. I need this for all 24 hours I have a previous thread here which is similar to what I'm looking for now, but this one is slightly different http://answers.splunk.com/answers/302401/moving-average-of-errors-for-a-2-hour-time-period.html?minQuestionBodyLength=80 My current search index=vertex7-access RTG_Error="500" | eval date_hour = strftime(_time, "%H") | where date_hour=0 | bucket _time span=1d | timechart count | where count > 1.1 * [ search index=vertex7-access RTG_Error="500" earliest=-1d@d latest=@d | eval date_hour = strftime(_time, "%H") | where date_hour=0 | bucket _time span=1d | stats count by _time | stats avg(count) as AvgDailyError500Count | return $AvgDailyError500Count ] Lastly, should I create a separate alert for each hour? ... View more

I have an index which has around 600,000 events per day. Each day between 12am-2am, we get a lot of errors due to maintenance on the website. I want to find the average number of errors for each day between 12am-2am and create an alert which will go off if at anytime the number of errors goes 10% higher than the average. Here's a similar thread I made about 2 weeks ago, but this will be slightly different as I don't want the average errors from the whole day but rather the average errors from 12am-2am http://answers.splunk.com/answers/294662/how-to-set-an-alert-on-a-moving-average.html Here's my current search index=vertex7-access RTG_Error="500" | bucket _time span=1d | timechart count | where count > 1.1 * [ search index=vertex7-access RTG_Error="500" earliest=-7d@d latest=@d | bucket _time span=1d | stats count by _time | stats avg(count) as AvgDailyError500Count | return $AvgDailyError500Count ] ... View more

I have a few indexes which have around 2.5 billion events each. Unfortunately we don't have a lot of CPU to sort through this massive data and make it meaningful in a dashboard. We're currently in the process of setting up a summary index, but the requirements/fields can change at anytime which mean's we'd have to re-summerize that data. So my question is, can we use Amazon EMR as a temporary boost in horsepower to Map and Reduce this data back into the summary index? How difficult would this be to do? ... View more