Give this a try If looking for revisit to be within past 3 months | inputlookup US.csv | rename COMMENT as "Below converts revisit column to epoch" | eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S") | eval 3month=30*24*60*60 | rename COMMENT as "Below finds 3 months from today (past date)" | eval revisit_date=relative_time(now(),"-3mon") | rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire" | eval duration = if(current_date <= revisit_date, "Expired", "Valid") | table current_date, user, category, department, description, revisit, duration  If looking for revisit to be within | inputlookup US.csv | rename COMMENT as "Below converts revisit column to epoch" | eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S") | eval 3month=30*24*60*60 | rename COMMENT as "Below finds 3 months from today (past date)" | eval revisit_date=relative_time(now(),"+3mon") | rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire" | eval duration = if(current_date >= revisit_date, "Expired", "Valid") | table current_date, user, category, department, description, revisit, duration 3 months in future   ... View more

Is data coming in same format every day? (try to run the search with time-range "Yesterday" and check.   Also give this a try your base search | rex field=_raw "Total Assets on Pricing Date:\s+(?P<TotalAsset>\S+)" offset_field=_extracted_fields_bounds | eval mytime=strftime(_time, "%b%d") |chart values(Total_Assets_Price) by mytime ... View more

Give this a try index=SampleData | where _time>relative_time(now(),"-2w@w") | convert timeformat="%m-%d-%Y" ctime(_time) | chart sum(Cost) over Employee by _time | eval diff=-1 | foreach 0* 1* [| eval diff=if(diff=-1,'<<FIELD>>','<<FIELD>>'-diff)] ... View more

I will try The data in Splunk stored in index (treat it like a database). An index can contain data for multiple sourcetypes (consider it like table). The data for an index is stored on disk on "buckets" (this is actual disk directory where data is saved).  Buckets have different stages- hot (when data is written into it), warm (data writing stops i.e. read-only, only searching happens, data is actively searched), cold (read-only, less frequently searched), frozen (read-only, retired, condensed) Each bucket will have data for a range of timestamp (e.g. bucketA has data from 05/01/2022 01:01AM to 05/02/2022 08:09PM). The timestamp of oldest data is called age of bucket. The retention for an index is either size based (total size of that index, set as attribute "maxTotalDataSizeMB") OR age based (timestamp of data in buckets, set as attribute "frozenTimePeriodInSecs"). If the total size of index has reached maxTotalDataSizeMB value, it'll start freezing oldest bucket (bucket with lowest timestamp). This will be checked first. The bucket will be deleted even if age of the bucket is within its retention period. If the age of the bucket is lower than retention period (default is 6 year, set as  attribute "frozenTimePeriodInSecs"), it'll be frozen. By default frozen buckets are deleted, but they can be moved to a specific directory (set as attribute "coldToFrozenDir") OR you can write a script which can do whatever you want to do with that frozen bucket (set as attribute "coldToFrozenScript").   So for each index you want to setup higher retention and don't want to delete frozen bucket, set following attributes maxTotalDataSizeMB Determines rolling behavior, cold to frozen. The maximum size of an index. When this limit is reached, cold buckets begin rolling to frozen. 500000 (MB) frozenTimePeriodInSecs Determines rolling behavior, cold to frozen. Maximum age for a bucket, after which it rolls to frozen. 188697600 (in seconds; approx. 6 years) coldToFrozenDir Location for archived data. Determines behavior when a bucket rolls from cold to frozen. If set, the indexer will archive frozen buckets into this directory just before deleting them from the index. If you don't set either this attribute or coldToFrozenScript, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen. OR     coldToFrozenScript Script to run just before a cold bucket rolls to frozen. If you set both this attribute and coldToFrozenDir, the indexer will use coldToFrozenDir and ignore this attribute. If you don't set either this attribute or coldToFrozenDir, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen. ... View more

Read comments inline below for explanation of the search inindex=myIndex sourcetype=mySource Systems IN ("SYSTEM 1" , "SYSTEM 2" , "SYSTEM 3" , "SYSTEM 4") | eval weekday="Wday-".strftime(_time,"%A") | rename COMMENT as "Above will set the value as Wday-Mon instead of Mon.. and so forth for other days" | eval EndHour=substr(time, 50, 1) | eval EndMin=substr(time, 52, 2) | eval time = EndHour.":".EndMin | eval Time = " (" .EndHour. ":" .EndMin. "am)" | eval category="CATEGORY 1" | chart values(Time) over Systems by weekday | rename COMMENT as "After the chart command, you will see a column for each value of weekday i.e. Wday-Mon, Wday-Tue....etc)" | eval ExpectedTime = case( System="SYSTEM 1", "6:30am", System="SYSTEM 2", "6:35am", System="SYSTEM 3", "6:45am", System="SYSTEM 4", "6:40am" ) | eval CurrentSLO= case( System="SYSTEM 1", "7:15am", System="SYSTEM 2", "7:20am", System="SYSTEM 3", "7:10am", System="SYSTEM 4", "7:10am" ) | eval category="CATEGORY 1" | table category Systems ExpectedTime CurrentSLO Wday-* | rename ExpectedTime as "Expected Time" | rename CurrentSLO as "Current SLO" | rename category as "Category" | eval hasMissingValues="false" | rename COMMENT as "Now the foreach command will be run against each of week day fields that i.e. Wday-Mon, Wday-Tue..etc. It will than find out if there are missing values" | foreach Wday-* [ | eval hasMissingValues=if(isnull('<<FIELD>>'),"true",hasMissingValues)] | where hasMissingValues="true" | rename COMMEND as "Finally, renaming the Wday-Mon to just Mon..and so forth" | rename Wday-* as * ... View more

Change  <set token="results" >$row.c$</set> with  <set token="results" >$result.c$</set>   The $row.xxx works when you drilldown using a click. ... View more

Try this earliest=-7d@h latest=-7d@h+60m OR earliest=-7d@h-60m latest=-7d@h ... View more