Thanks The problem is that it returns '1' in the current size column for all the indexes ... View more

well... there is no error but the time not changing if i'm changing it in the time picker  it gives the earliest and latest time of the search itself but the user does not have a control of the period he wants to search ... View more

ok .. so.. it returns no results ... View more

no error but also no results 🙂 'info_min_time' came from addinfo ? ... View more

"The expression is malformed " ... View more

the only thing is working in the eval command is the timestamp configuration  ... View more

Hello only the first raw in the eval is running but then im getting error that the rest command should be the first one  ... View more

If i add it to dashboard panel then im getting error  "error in eval : the expression is malformed. expected )   this is the query again : | rest /servicesNS/admin/search/alerts/fired_alerts/- | fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"), trigger_time_earliest=strptime($Time.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($Time.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]   ... View more

I don't have any dashboard, it is a simple query  ... View more

only timestamp and  trigger_time_rendered has values, all the rest are empty maybe im getting the wrong token, i took it from  settings -->user interface » Time ranges ... View more

still nothing 😞 ... View more

ok.. so ive added the token and still nothing   |rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_rendered,"%Y/%m/%d%H:%M:%S"), trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName] ... View more

no results for both what is it 'Time' ? I don't have such field ... View more

i have 1 field with date and time trigger_time_rendered   |rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_renderede,"%Y/%m/%d%H:%M:%S"), trigger_time_earliest=strptime($trigger_time_rendered.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($trigger_time_rendered.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]   the fact that it contains also the TZ related ? maybe it should be also part of the convert ? ... View more

still no results 😞 ... View more

this is my query : |rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]   trigger_time_rendere looks like : 2022-09-28 09:20:31 UTC when inserting this part :  | eval timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S") | search timestamp>$trigger_time_rendere.earliest$ timestamp<$trigger_time_rendere.latest$ im getting no result at all ... View more