Hi. Your search is so close to what I do.. change search -> where   | tstats count where index=aws by host | table host | where NOT [| tstats count where index=windows by host | table host] ... View more

Glad to hear this is what you needed.    You can accept this solution to indicate the question was answered to your liking.  thanks! ... View more

Hi so how is are the events being split by Splunk? And do you have any props to tell splunk how to split the events? ... View more

Hi so what's the patching schedule? Every 28 days starting in Feb 1? ... View more

Have a look at Replicate a subset of data to a third-party system You can modify it and do something like this props.conf [your-sourcetype-here] TRANSFORMS-routing = routeAll transforms.conf [routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=yourIndexer,ThirdParty outputs.conf [tcpout] defaultGroup=nothing [tcpout:yourIndexer] disabled=false server=10.1.12.1:9997 [tcpout:ThirdParty] disabled=false sendCookedData=false server=10.1.12.2:1234   ... View more

Sorry I misread this as wanting a leading space. Ignore my answer. ... View more

Try using printf | makeresults | eval test=printf(" %s","this is a test") | table test ... View more

Hi. Perhaps you can show what your output looks like but basically whatever the final fields are in the search results, those are the fields that can be used in email. What I often do is format up special fields to use in email/slack that are easier for the user to see. For example, I have a search that shows me missing indexers in a cluster manager. My code snippet is | eval cluster_manager=host | stats count by missing_indexer,cluster_manager | eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")" | eventstats values(missing_indexer_cm) as missing_indexer_cm   I create a new field missing_indexer_cm which combines 2 fields missing_indexer and cluster_manager So the output is approximately this missing_indexer cluster_manager count missing_indexer_cm --------------- --------------- ----- ------------------- idx1.foo.com cm3.foo.com 42 idx1.foo.com (cm3.foo.com) And then in alerting I use $result.missing_indexer_cm$ but when users click on the results of the search they see the above with all the info   ... View more

Does adding | addinfo help you @Mindy_McTiernan  https://www.splunk.com/en_us/blog/tips-and-tricks/i-cant-make-my-time-range-picker-pick.html   | eval unixtime_Opened_At | eval _time=unixtime_Opened_At | addinfo | timechart ... ... View more

hi. Any fields you want to have reported in the email have to be available in the search results. ... View more

Here's the answer https://community.splunk.com/t5/Splunk-Search/how-to-use-a-field-as-timestamp-for-a-timechart/m-p/145037 Use strptime to format your field Opened_At and create a unixtimestamp Then assign that to _time     ... View more

Hi. Can you show what props you are currently using? ... View more

Hi so why not just put the whole search as a saved search: the search part with the subsearch. It is simpler. Then run the saved search as i suggested  | savedsearch "mysaved_search_name" Don't put search at the beginning.   ... View more

If I try searching for a lookup that can't be found I get   ERROR SearchMessages - orig_component="SearchOperator:inputcsv" app="search" sid="1692127130.1422" message_key="INPUT_CSV:INVALID_LOOKUP_TABLE_TYPE" message=The lookup table 'maintenance_window.csv' requires a .csv or KV store lookup definition.  this in /opt/splunk/var/log/splunk/search_messages.log ... View more

Maybe the inputlookup is restricted to permission in a given app. You are using that app in your splunk search via the web. The api is running the search app? Just an idea. ... View more

Hi. Sorry I missed that you had passed in earliest and latest. A few ideas 1) can you create a saved search and then run that. e.g. savedsearch "mysavedsearch" 2) is the splunk search you are running with username and password got the permission to view the lookup table? 3) break down the search to find the issue e.g. maybe just run the inputlookup with a | stats count to make sure that part is working? 4) if you are an admin, you could look in the audit log to find out the number of results returning from your search ... View more

Hi.  Isn't this saying  indexer inputs1.XXXX.splunkcloud.com has full queues? Can you look at the queues there? Messages? ... View more

Hi.  So when you test you are specifying a time range, I assume (not all time). But for the python api search if you don't pass in earliest and latest, wouldn't it do an all time search? ... View more

I am not expert on this but I guess one thing is to run btool and make sure you are getting the settings that you think you are. A few months ago I did a quick test to remove double quotes in order that I could use tstats. props.conf [my_sourcetype] SEGMENTATION = no_double_quotes   segmenters.conf [no_double_quotes] MAJOR = [ ] < > ( ) { } | ! ; , ' * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29  Then I could search with tstats where I had myfield="123" | tstats count where index=myindex by PREFIX(myfield=)   ... View more

hi @rrovers What version of Splunk did you hit this bug with long search name and you couldn't view the search ... View more