Extending answer from Ayn -> |inputlookup File1 | fields Hostname | append [|inputlookup File2 | fields Hostname] | append [|inputlookup File3 Hostname] | dedup Hostname | join type=outer Hostname [|inputlookup File1] | join type=outer Hostname [|inputlookup File2]| join type=outer Hostname [|inputlookup File3] ... View more

With search you're executing, _time value will get stored in the summary index _time = time of events which will be the time -20 min from the time it is scheduled to run. all the evetns in summary index from one execution will have same _time value So the things which are doable you asked Yes, you will be able to sum the counts of the evets for each host/index/sourcetype over various span of time. Beware, the change in _time value so your time range should be appropriate. Yes, your events in the summary index will be like any other indexed events, with _time value appearing at 15 min interval. ... View more

Thanks. This helps. ... View more

You are running this search in a dashboard?? ... View more

You can try the following "base search"| stats last(*) as * by user,date_mday This should give you all the fields from the last event for each user for each day. ... View more

You can use "| timechart max(*)" which will return max count for all the fields and then can remove unwanted fields by using "|fields - ,- " ... View more

This is certainely possible with Advanced xml (using sideview util). ... View more

Other simpler option on the similar line woud be:- sourcetype=ltm_log | lookup dnslookup clientip as host | rename clinethost as hostname| "your filter" ... View more

For getting list of apps to which the current user has permission, you can use following: | REST /services/apps/local splunk_server=local |search [ | rest /services/authentication/current-context | table username | rename username as eai:acl.perms.write] | table label Any app where write permission is given to Everyone will not listed here. The reason for this is for Everyone, splunk uses "*" which can be escaped in a search string. To get list of apps to which the current user has explicit write permission, use above. For explicit read, changed eai:acl.perms.write to eai:acl.perms.read. ... View more

When you will put this search in a dashboard/view, you can specify which format you want it to be displayed in view-panel (chart or table). ... View more

All the hosts (whether they are sending data or not) send heartbeat to indexer in _internal index. you can query that to identify if a host is down or not. index=_internal source=*metrics.log group=tcpin_connections earliest=-7d@d | eval sourceHost=coalesce(hostname, sourceHost) | eval age = (now() - _time ) |stats first(age) as age, first(_time) as LastTime by sourceHost | convert ctime(LastTime) as "Last Active On" | eval Status= case(age < XXX,"Running",age > XXX,"DOWN") Where XXX=duration in second for which is their are no heartbeat from host, the host is down. Typically is can be 2-3 min (120 or 180) ... View more

My suggestion would be to create a summary index search which will run daily and store the no of unique users for past 7 days into the summary index. Once this is scheduled and running, you can create your search out of that summary index. ... View more

Will these range values will always be in ascending order? ... View more

You may try the following provided 1. The common field has unique value for each transaction (between source A and source B). 2. All transactions are getting completed with duration less then 5 min (considering you're doing your Summary Index Search for 5 min) |set union [search index=myindex sourcetype=sourcea | stats values(A1_Field) as A1_Field, values(A2_Field) as A2_Field by Common_Field | join max=0 Common_Field [search index=myindex sourcetype=sourceb earliest=-10m@m | stats values(B1_Field) as B1_Field, values(B2_Field) as B2_Field by Common_Field] ] [search index=myindex sourcetype=sourceb | stats values(B1_Field) as B1_Field, values(B2_Field) as B2_Field by Common_Field | join max=0 Common_Field [search index=myindex sourcetype=sourcea earliest=-10m@m | stats values(A1_Field) as A1_Field, values(A2_Field) as A2_Field by Common_Field]] What I am going here is taking data from source A for time say 10:05 AM to 10:10 AM and joining those events with events from 10:00 AM to 10:10 AM for source B. This will give all completed transactions within 10:05 to 10:10 plus any transaction which started in 10:00 to 10:05 and got completed during 10:05 to 10:10. Similar thing is done other way around. Finally a Union operation is done which will give list of transactions which got initiated and completed during this 5 min window as well as which got initiated in previous 5 min window and got completed in this one. ... View more

You would not be able to add earliest or latest value in a query (within search bar or a dashboard query) involving '|history'. The only option is the use timerangepicker (from searchbar) or from param "earliest" or latest within dashboard xml. ... View more

I am not sure if this is applicable in your situation, but I have faced similar issues of count of actual events not matching with event count in summary index due to a bug in Splunk version 5.0.3 or earlier. Please refer to this question. This bug was fixed in 5.0.5 and higher version. Worth looking. http://answers.splunk.com/answers/94725/issue-with-summary-indexing-saved-searches-runs-fine-but-summary-index-data-is-not-written-sometimes ... View more