I've making some assumptions about your data here. 1. Query 1 returns fields called ProductName00, ProductVersion00, MachineId. 2. Query 2 returns fields called MachineId, Name0 and DOESN'T return a field called ProductName00.   (`software` earliest=-90d latest=now) OR (search `machineID`) | fillnull value="Dummy" ProductName00 | stats latest(ProductVersion00) as ProductVersion00 latest(Name0) as Hostname by MachineId, ProductName00 | eventstats last(Hostname) as Hostname by MachineId | stats last(Hostname) as Hostname by ProductName00 ProductVersion00 I've also experimented with / interchanged LAST and LATEST.  You definitely need to test this against your data set.   ... View more

Is there a way (e.g a combination of interesting fields) to distinguish between events returned by the first search vs the second search?  Perhaps source, index, sourcetype? ... View more

How many results do each of your 2 aggregation searches produce? ... View more

Do you want max value of clientCount for each host?  In which case...  | eventstats max(clientCount) by host Or max value of clientCount regardless of host?  In which case ... | eventstats max(clientCount)   ... View more

Works with multiple log-on/log-off.  And where you have a log-on without a corresponding log-off. | makeresults | eval _raw="Host Account_Name Group Session_Start Session_End Duration fdk-DC01 jim.smith logon 1611665560 fdk-DC01 jim.smith logoff 1611774585 fdk-DC01 jim.smith logon 1611665570 fdk-DC01 jim.smith logoff 1611774595" | multikv forceheader=1 | table Host Account_Name Group Session_Start Session_End Duration | eval Session_End=if(Group="logoff", Session_Start, null()) | eval Session_Start=if(Group="logoff", null(), Session_Start) | fields - Group | stats values(*) as * by Host Account_Name | eval StartEnd=mvzip(Session_Start,Session_End,":") | mvexpand StartEnd | rex field=StartEnd "(?<Session_Start>.*):(?<Session_End>.*)" | eval Duration=tostring(Session_End - Session_Start, "duration")   ... View more

How are you getting on? ... View more

| reverse | streamstats current=f window=0 last(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name ...switch first(Disconnected_time) with last(Disconnected_time). ... View more

Replace window=1 with window=0.   ... View more

Looking at it again, I think you need to reverse your results first... | reverse | streamstats current=f window=1 first(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name   ... View more

| streamstats current=f window=1 first(Disconnected_time) as PreviousEventTime by Disconnected_Session_Name ... View more

index=_internal | rename sourcetype as app | timechart count span=5m by app partial=f limit=0 | untable _time,app,count | sort app, _time | streamstats count as counter by app | eventstats count as total by app | where counter=1 OR counter=total | table app count _time | rename count as value | streamstats count by app | eval count="Row ".count | xyseries app count value Assuming you only have 2 rows per app, and you already have the data as per your table, then you just need the last 3 lines in the above.  Everything above that is to generate some test data in the same format as your table. ... View more

Will each app (app1, app2 etc)  only ever have 2 values? ... View more

I've used | streamstats sum(count) as prevCount by app window=1 current=f global=f   ...instead of delta because I've assumed  you want / need the "by app" clause. I've also assumed you only want to know when the most recent event (per app) has a larger value than the previous event ... View more

index=_internal | rename sourcetype as app | timechart count span=5m by app partial=f limit=0 | untable _time,app,count | sort app,_time,count | streamstats count as counter by app | eventstats count as total by app | streamstats sum(count) as prevCount by app window=1 current=f global=f | eval delta=count-prevCount | where counter=total AND delta>0 How about this?  Lines 1-5 are to create some test data.  The rest is the solution. ... View more

I'm assuming you want Last15MinCount to be the number of events that arrived between 15 and 10mins ago, Last10MinCount to be the number of events that arrived between 10 and 5 mins ago, and Last5MinCount is self-explanatory.  Looks that way from your example. ... View more

index=_internal | timechart count span=1h by sourcetype limit=5 useother=f partial=f | untable _time fields value This might make things clearer.  You can use any value you like where I've used _time, fields & value for the new column headings / field names. ... View more

Improvement... | makeresults 1 | timechart count span=1h | eval count=0 | append [ search YourSearchHere | timechart count span=1h] | timechart sum(count) as count span=1h ... View more

I've spent a lot of time on "ordering columns" recently and its uncovered a subtle difference between the xyseries command and an equivalent approach using the chart command. So I think you'll find this does something close to what you're looking for ... index=_internal earliest=-5d@d latest=@d | bin _time span=1d | stats count by _time sourcetype | eval day=strftime(_time,"%m/%d") | sort - day | streamstats current=t window=0 global=t dc(day) AS dayNo | eval day=dayNo.":".day | chart first(count) over sourcetype by day | foreach : [ rename "< >" AS "< >" ] Play around with the +/- in the sort command (line 4) to get the column order you're looking for. What I found strange is if you rewrite this using the xyseries command in place of the chart command (which is how I began), i.e. like this... index=_internal earliest=-5d@d latest=@d | bin _time span=1d | stats count by _time sourcetype | eval day=strftime(_time,"%m/%d") | sort + day | streamstats current=t window=0 global=t dc(day) AS dayNo | eval day=dayNo.":".day | xyseries sourcetype day count | foreach : [ rename "< >" AS "< >" ] ...the rename command after the xyseries reorders the columns alphabetically. Messing things up. By the way, either example above can be turbo-charged with tstats i.e. | tstats count where index=_internal earliest=-5d@d latest=@d by _time span=1h sourcetype | eval day=strftime(_time,"%m/%d") | sort + day | streamstats current=t window=0 global=t dc(day) AS dayNo | eval day=dayNo.":".day | chart first(count) over sourcetype by day | foreach : [ rename "< >" AS "< >" ] ... View more

Hi Shahzad, I reckon the bit in the docs you want to pay closest attention to is at... http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configureindex-timefieldextraction#Define_a_new_indexed_field Which leads me to conclude you want something like the following. The RegEx is as per the emails you and I exchanged. Add this to transforms.conf... [indexed-extractions] REGEX = ^([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),([^,]*?),(.*) FORMAT = field8::"$8" field9::"$9" field11::"$11" WRITE_META = true Add this to props.conf... [whatever-the-name-of-your-sourcetype] TRANSFORMS-extractions = indexed-extractions Add this to fields.conf... [field8] INDEXED=true [field9] INDEXED=true [field11] INDEXED=true Good luck! ... View more

Thanks @richgalloway. Spot on. ... View more