Hi @vijaysri, if you have a key (e.g. host or transaction_key) to correlate events you can use the following: your_search | stats earliest(_time) AS request latest(_time) AS response BY key | eval duration=response-request if you haven't a correlation key, you can use the thansaction command that's slower than the previous and there's the problem is you have more request or response times: your_search | transaction startswith="request" endswith="response" | table _time duration Ciao. Giuseppe ... View more

Hi @aditsss, please try    0 6 * * *   here you can find a description of cron configuration https://en.wikipedia.org/wiki/Cron or https://crontab.guru/ Ciao. Giuseppe ... View more

Hi @splunkcol, let me understand: you have two indexes and you want to list all the IPs in both the archives indicanding if they are present in both or only in one, is it correct? if this is your need, you could run something like this: index=linux OR index=firewall | eval ip=coalesce(src,UserIP) | stats dc(index) AS dc_index values(index) AS index BY ip | eval status=if(dc_index=2,"Both indexes",if(index="linux","Linux Index","Firewall Index")) | sort ip | table ip status Ciao. Giuseppe   ... View more

Hi @SA2, try something like this: index=hrdata | rename "Age in Company _Years" AS age | eval range=case(age<6,"0-5", age<11,"6-10", age<16,"11-15", age<21,"16-20", age>20,">20") | stats count BY range It's never a good idea using spaces in field names. Ciao. Giuseppe ... View more

Hi @ekenne06, at first, you have to understand how much time takes your search and choose a relative time period and schedule, e.g. if it takes 2 minutes to be executed, you can schedule your execution frequency overy 5 minutes. I usually use as minor time for my alerts 5 minutes because using less time is unless: to schedule an alert every minute having a reaction time of 5-10 minutes. About the time-frame ir related to the schedule frequency: if the alert is scheduled every 5 minutes, it has a time frame of 5 minutes. At the end (but probably it should be the first thing!), verify if your hardware resources are sufficient for the volumes that you have to manage, so, if you have too long execution times for your alert, maybe there's a resources problems . In other words, every search takes a CPU and release it only when finished, so how many CPUs have your Indexers? hown many scheduled searches there are on your Indexers? how many users uses your Splunk? You can use the Monitoring Console to understand if you system is correctly dimensioned. For this reason, don't use real-time search because it takes a CPU and doesn't never release it. Ciao. Giuseppe ... View more