cheers 🙂 this worked after i followed it ... View more

Hi @woodcock In the end i can't get the | tstats first stuff | tstats append=t second stuff | stats values (*) AS * BY NPID to work. I think because i have to use GROUP by MXTIMING.Context+Command as i need to see unique lines of each of them. I did get the Group by working, but i hit such a strange bug. After the GROUP by i had to remove all my evals: |eval time_slice_per_min = (stop-start)/60 | eval Throughput_per_minute= count/time_slice_per_min | eval average = round(average, 1) | eval average=tostring(average, "commas") | eval stdev = round(stdev, 1) | sort - average | as it was removing lines before the stats could get to them!!! - I have no idea why. working code <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average, count(MXTIMING.Elapsed) AS count, stdev(MXTIMING.Elapsed) AS stdev, median(MXTIMING.Elapsed) AS median, exactperc95(MXTIMING.Elapsed) AS perc95, exactperc99.5(MXTIMING.Elapsed) AS perc99.5, min(MXTIMING.Elapsed) AS min, max(MXTIMING.Elapsed) AS max,earliest(_time) as start, latest(_time) as stop FROM datamodel=MXTIMING_TEST WHERE host=$host_token$ AND MXTIMING.source_path = *$source_path_search_token$ AND MXTIMING.UserName2=$MXTIMING_UserName_token$ AND MXTIMING.NPID=*$MXTIMING_NPID_token$* AND MXTIMING.TYPE8=$MXTIMING_TYPE_TOKEN$ AND MXTIMING.Context+Command = *$MXTIMING_Context_token$#* AND MXTIMING.Context+Command = *#$MXTIMING_Command_token$* AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time | rename MXTIMING.Context+Command as Context+Command |rename MXTIMING.NPID as NPID | join NPID [| tstats summariesonly=$summariesonly_token$ count(SERVICE.NPID) AS count2 FROM datamodel=SERVICE WHERE ( host=$host_token$) AND SERVICE.NICKNAME = $NICKNAME_TOKEN$ GROUPBY SERVICE.NICKNAME SERVICE.NPID | rename SERVICE.NPID AS NPID ] | stats avg(average) as average count(count) as count stdev(average) as stdev median(median) as median exactperc95(perc95) AS perc95, exactperc99.5(perc99.5) AS perc99.5, min(min) AS min, max(max) AS max,earliest(_time) as start, latest(_time) as stop by Context+Command |</query> Not working code <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average, count(MXTIMING.Elapsed) AS count, stdev(MXTIMING.Elapsed) AS stdev, median(MXTIMING.Elapsed) AS median, exactperc95(MXTIMING.Elapsed) AS perc95, exactperc99.5(MXTIMING.Elapsed) AS perc99.5, min(MXTIMING.Elapsed) AS min, max(MXTIMING.Elapsed) AS max,earliest(_time) as start, latest(_time) as stop FROM datamodel=MXTIMING_TEST WHERE host=$host_token$ AND MXTIMING.source_path = *$source_path_search_token$ AND MXTIMING.UserName2=$MXTIMING_UserName_token$ AND MXTIMING.NPID=*$MXTIMING_NPID_token$* AND MXTIMING.TYPE8=$MXTIMING_TYPE_TOKEN$ AND MXTIMING.Context+Command = *$MXTIMING_Context_token$#* AND MXTIMING.Context+Command = *#$MXTIMING_Command_token$* AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time | rename MXTIMING.Context+Command as Context+Command |rename MXTIMING.NPID as NPID | join NPID [| tstats summariesonly=$summariesonly_token$ count(SERVICE.NPID) AS count2 FROM datamodel=SERVICE WHERE ( host=$host_token$) AND SERVICE.NICKNAME = $NICKNAME_TOKEN$ GROUPBY SERVICE.NICKNAME SERVICE.NPID | rename SERVICE.NPID AS NPID ] |eval time_slice_per_min = (stop-start)/60 | eval Throughput_per_minute= count/time_slice_per_min | eval average = round(average, 1) | eval average=tostring(average, "commas") | eval stdev = round(stdev, 1) | sort - average | stats avg(average) as average count(count) as count stdev(average) as stdev median(median) as median exactperc95(perc95) AS perc95, exactperc99.5(perc99.5) AS perc99.5, min(min) AS min, max(max) AS max,earliest(_time) as start, latest(_time) as stop by Context+Command </query> ... View more

In fact this does not seem to work (I thought it did at the start, sorry) One small comment, needed to add - | tstats prestats=true append=t to get it to run The final command looks like below however i have a token for SERVICE.NICKNAME when i change it nothing updates, so the second tstats is not having any effect. The overall issues is i have 2 tables that i am trying to run maths off. They have a NPID in common. I am looking for a way to include/exclude the data both ways, so a user enters NICKNAME "MX" NPID 1 and 2 are selected in SERVICE-DATAMODEL, then maths is driven off MXTIMING-DATAMODEL table on NPID's 1 and 2. Also there is the reverse, where a user can pick TYPE "STANDARD" and NPID's 1 and 3 are used SERVICE-DATAMODEL NPID NICKNAME 1 MX 2 MX 3 ENGINE MXTIMING-DATAMODEL NPID TYPE Elapsed 1 STANDARD 2 1 STANDARD 1 1 WAREHOUSE 3 1 REAL_TIME 1 2 AAA 3 2 AAA 4 2 AAA 1 2 WAREHOUSE 1 3 REAL_TIME 4 3 STANDARD 1 This i how i tried to applay your solution, but the second tstats is having no affect, perhaps i am missing something. | tstats summariesonly=true avg(MXTIMING.Elapsed) AS average, count(MXTIMING.Elapsed) AS count, stdev(MXTIMING.Elapsed) AS stdev, median(MXTIMING.Elapsed) AS median, exactperc95(MXTIMING.Elapsed) AS perc95, exactperc99.5(MXTIMING.Elapsed) AS perc99.5, min(MXTIMING.Elapsed) AS min, max(MXTIMING.Elapsed) AS max,earliest(_time) as start, latest(_time) as stop FROM datamodel=MXTIMING_TEST WHERE host=RABO_SYSTEM_TEST_MXTIMING2 AND MXTIMING.source_path = ** AND MXTIMING.UserName2=* AND MXTIMING.NPID=*** AND MXTIMING.TYPE8=STANDARD AND MXTIMING.Context+Command = **#* AND MXTIMING.Context+Command = *#** AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time | rename MXTIMING.Context+Command as Context+Command |rename MXTIMING.NPID as NPID | tstats prestats=true append=t summariesonly=true count(SERVICE.NPID) AS count2 FROM datamodel=SERVICE WHERE ( host=RABO_SYSTEM_TEST_MXTIMING2) AND SERVICE.NICKNAME = mx GROUPBY SERVICE.NICKNAME SERVICE.NPID | rename SERVICE.NPID AS NPID | stats avg(average) as average count(count) as count stdev(average) as stdev median(median) as median exactperc95(perc95) AS perc95, exactperc99.5(perc99.5) AS perc99.5, min(min) AS min, max(max) AS max,earliest(_time) as start, latest(_time) as stop by Context+Command ... View more

did you get a fix to this, i have the same issue? ... View more

Hi I have found a Hardcoded solution to this, that i am 50-50 with. I have created multiple datamodles tables each filling in the blanks bit by bit and then i pass it on to the next datamodel. So it is like filling in the swiss cheese, hower the only issue is when a new MXTIMING COMES along i will have to update the datamodel with new REGEX. This is the bit i dont like. if(isnull(WAREHOUSE),NULL,"WAREHOUSE") if(isnull(TYPE), if(isnull(RATE_CURVE),NULL,"RATE_CURVE"),TYPE) if(isnull(TYPE2), if(isnull(REALTIMEREFRESH),NULL,"REALTIMEREFRESH"),TYPE2) if(isnull(TYPE3), if(isnull(TRADE_REPOSITORY_ENGINE),NULL,"TRADE_REPOSITORY_ENGINE"),TYPE3) if(isnull(TYPE4), if(isnull(OBJECT_REPOSITORY_RISK_ENGINE),NULL,"OBJECT_REPOSITORY_RISK_ENGINE"),TYPE4) if(isnull(TYPE5), if(isnull(DATAPUBLISHER),NULL,"DATAPUBLISHER"),TYPE5) if(isnull(TYPE6), if(isnull(ACCOUNTING),NULL,"ACCOUNTING"),TYPE6) if(isnull(TYPE7), if(isnull(STANDARD),NULL,"STANDARD"),TYPE7) ... View more

Thanks very much. In fact i went for the last option. Cheers ... View more

HI Thanks for your help. I have created this file however when i log in from DUBLIN with two users Admin = Default Time Zone Consultant = Paris Time Zone I still get the issues that after i do an action in my GUI it acts differently to when i log in Via CITRIX from PARIS. ... View more

Hi Thanks for this, however i was trying to get an answer on the system level and not have to add code into the configuration. However it is looking like it is not possible. ... View more

I Have also tried to change my splunk/etc/apps/user-prefs/local/user-prefs.conf However a user consultant logged in from Dublin is still converting time to + 1. [default] tz = Europe/Paris [role_consultant] default_namespace = murex_mlc tz = Europe/Paris [role_consultant_read] default_namespace = murex_mlc tz = Europe/Paris ... View more

Bad news i added this to splunk/etc/apps/user-prefs/local/user-prefs.conf I log into my two different sights(same user consultant) - One in paris via Citrix and on in Dublin, the one in Dublin is not behaving like the one in paris. [default] tz = Europe/Paris [role_consultant] default_namespace = murex_mlc tz = Europe/Paris [role_consultant_read] default_namespace = murex_mlc tz = Europe/Paris ... View more

hi I get this with that command /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general] /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1 /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_auto_format = 0 /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_line_numbers = 0 /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = light /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf [general_default] /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf appOrder = search /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_earliest_time = -24h@h /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_latest_time = now /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf default_namespace = $default /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf hideInstrumentationOptInModal = 0 /dell425srv3/apps/splunk/etc/apps/user-prefs/default/user-prefs.conf showWhatsNew = 1 /dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf [role_consultant] /dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf default_namespace = murex_mlc /dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf [role_consultant_read] /dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf default_namespace = murex_mlc so when i open it up i get this. /dell425srv3/apps/splunk/etc/apps/user-prefs/local/user-prefs.conf [role_consultant] default_namespace = murex_mlc [role_consultant_read] default_namespace = murex_mlc Not sure if i should try and add in my TZ here or create etc/system/local/user-prefs.conf ... View more

OF the two suggestions , what one worked? ... View more

Hi Yes, i have tried this. But no Luck. Paris display correctly but Dublin is still one hour + when i click the button. Cheers anyway. ... View more

I also tried to set up epoc time, however the graph does not display it so i cant reference it. Unless there is a way to do that? <viz type="timeline_app.timeline"> <search> <query>eventtype=mlc sourcetype=lts_timings host=$host_token$ | eval duration_seconds=duration_seconds*1000 | eval task_name2=task_name | eval Start_epoc=start | eval Stop_epoc=end | eval Start_epoc = strptime(Start_epoc,"%Y-%m-%d %H:%M:%S") | eval Stop_epoc = strptime(Stop_epoc,"%Y-%m-%d %H:%M:%S") | table _time task_name task_name2 duration_seconds Start_epoc Stop_epoc | sort $Name_or_Duration2$ | rename task_name as Event_Name | rename task_name2 as Event_Name2 | search Event_Name=*$Task_Search$*</query> <earliest>$tps_selection.earliest$</earliest> <latest>$tps_selection.latest$</latest> </search> <option name="height">399</option> <option name="timeline_app.timeline.axisTimeFormat">SECONDS</option> <option name="timeline_app.timeline.colorMode">categorical</option> <option name="timeline_app.timeline.maxColor">#DA5C5C</option> <option name="timeline_app.timeline.minColor">#FFE8E8</option> <option name="timeline_app.timeline.numOfBins">6</option> <option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option> <option name="timeline_app.timeline.useColors">1</option> <drilldown> <set token="TEST_GANTT_VALUE">$row.Event_Name$</set> <set token="TEST_GANTT_start">$row.Start_epoc$</set> <set token="TEST_GANTT_end">$row.Stop_epoc$</set> </drilldown> </viz> ... View more

Thanks for this, if fixed this issues. I had epoc stored and i was able to use it to set the time so i did not need to convert it with eval. However i have another issues that has not arisen in relation to Timezones. I have made a new question "Timezones issues 1 site, 3 users in different timezones"... I am trying to apply what you said in this question however i am not sure it is the same thing. ... View more

Woodcock, sorry for the delay on your great answer. Before i start changing things, i have to tell you one more factor. I have created one user = PARIS (CET). I can log in with this user from PARIS(Via Citrix) Or On my desktop in Dublin (-1H Behind Paris). I am displaying epoc _time. From Both DUBLIN and PARIS i see PARIS time, In a timechart graph and this works well. The issues is when i try to move time using the below command. <eval token="form.time_token.earliest">strptime('row.Start',"%m/%d/%Y %H:%M:%S")</eval> <eval token="form.time_token.latest">strptime('row.Stop',"%m/%d/%Y %H:%M:%S")</eval> I have a table with Start[16:45:00] and End[16:51:10] time in it. When i click on this table to re-drive time, in paris i get what i want. However in Dublin i get Start[17:45:00] and End[17:51:10]. So it pushes the data on + 1. In the past i put in a + 3600, however as SPLUNK is now gettign bigger in the company i need PARIS to be the main server and all users to see PARIS time and all Action to be on PARIS time. ... View more

Hi Thanks for the advice, in the end we copied an SPLUNK over to the server and we tested it. The speed was the same so we moved the original copy over. Thanks Robert Lynch ... View more

Hi - Thanks for this. However i was hoping for a quick command to be able to tell me what is the best option here. At the moment i only have one INDEX in the one install i have, to use BONNIE++ i have to create more indexers etc.. Cheers Robert ... View more

Hi Thanks for this and it works for some of my graphs. But is there a way to make the box bigger please :). In the below image i use this graph for code line analysis and this can get very large ... View more