Can you post the syntax? ... View more

You could compare what the DB Connect is showing to what is actually in your DB table(s)? Might not be the best method, but doing some field comparisons could be pretty automated, depending on the data. ... View more

use |streamstats https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows. ... View more

could you do |convert mktime(DATNUM) as epochtime timeformat="%d.%m.%Y"| chart list(VOL_DDC_OUT) by epochtime,host useother=f | tail 15 | sort epochtime|convert ctime(epochtime) as datefield timeformat="%m/%d/%Y"|fields - epochtime ... View more

Could you try |join type=left host IP ? ... View more

Is the join on uidn and timestamp? |inputlook first.csv |join uidn timestamp [|inputlookup second.csv|rename DN as DN2] ... View more

Also, there are much more UI edit features in 6.5 than previous versions, if you're on an older version. ... View more

http://docs.splunk.com/Documentation/Splunk/6.3.5/Report/Embedscheduledreports this is the doc for 6.3.5 the embed.enabled parameter is in savedsearches.conf. you should be able to change it there? ... View more

or create a separate field and convert DATNUM to an epoch field and just sort by that. ... View more

it's because 01 is less than 17, I'd bet. Can you reformat the date to be Month/Day/Year? Or create a separate date field for Month/Day/Year that you sort by and then do a fields - MDY to hide that field in the output? ... View more

Try adding a dc(id) by _time to your searches and see how many ids you actually have per _time ... View more

What I meant was that the table is only bringing back two fields and all other fields are lost and when you run the dedup without table, all other fields are still available (same with when you use "fields" instead of table). That could b e why. Not that field values are missing, but that fields themselves are gone. ... View more

Have you tried to enable it through the original way in the report? In the report, click edit>embed>enable report embedding http://docs.splunk.com/Documentation/Splunk/6.5.0/Report/Embedscheduledreports ... View more

It may be because with the table command the only two fields available are Id and time and without it has all fields? Dedup keeps the first event with the specified fields and dumps the rest. Not sure if that's right but it's the best I've got. https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup ... View more

I know, I ran into this issue this past year with wanting to export panels that were run off of a base search so I had to recreate my dashboard through Sideview. It was a bit tedious, but that was the only work around I could find. I did however talk with some members of the dashboard team at .conf this year, and hopefully that feature is in the pipeline now. ... View more

useother=f just leaves the 'other' field out of the results but still limits the amount of fields returned. ... View more

if you put limit=0, there isn't a limit at all. ... View more

however, richgalloway is correct that it is deprecated. if you can, try to use simple xml. ... View more

You can't simply convert anymore. You'd have to use the Sideview Editor app and create a dashboard with advanced XML. ... View more

do you have db connect v1 or v2? if you are on v2, I think it is OUTPUTNEW instead of OUTPUT. http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Createandmanagedatabaselookups ... View more

case is for multiple arguements whereas if for three. eval field=if(x=1,y,z) >>> if x is 1, then y, otherwise z eval field=case(x=1,y,x=2,z,1=1,"other") >> if x is 1, then y, if x is 2, then z, if x is anything other 1 or 2, then "other" the performance of them if they have the same x,y,z argument, is probably the same, but they were created for different reasons. http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions ... View more

index=tv_viewing_log |join channel date [search index=tv_program_data] |eval watched=if(startWatch>=startAir AND startWatch<=endAir,1,0)|search watched=1 where startWatch is 0800 is Time began to see, startAir is 0730 is Broadcast start time and endAir is 0900 is Broadcast end time in your example maybe something like this? ... View more

https://regex101.com/ is a great place to learn/practice regex so what (?12[^\s]+)\s(?[^\s]+)\s(?.) is doing is naming the first group host and starting it when it sees '12' stopping at a white space (\s) the second group is HSM and then stops at the next white space. the last group is CONN_STATUS and collects everything until the end of the string (.) ... View more

I run into this problem and have a rough work around. I have to create an mv field using values for a paticular reason, and then match a substring of that value to another field. ...|stats values(field) as fieldname by sourcetype | nomv fieldname |rex mode=sed field=fieldname "s/ /,/g" |rex mode=sed field=fieldname "s/^/,/" |rex mode=sed field=fieldname "s/$/,/" |eval match=if(isnotnull(match(fieldname,",".matchfield.","),1,0) I realize this isn't EXACTLY what you need to do, but it might help start you off. I did a nomv to get it into one row and then replaced my spaces with commas, however it looks like you're already ; delimited so you're a few steps ahead of me. You might be able to get by with just doing something along the lines of ...|eval match=if(isnotnull(match(fieldname,";".2.";"),1,0) |search match=1 ... View more