I would like to do on splunk something similar to what in microstrategy is colled custom groups. I'll try to explain it as simply as I can. I have a field i use in a multiple selection filters. ex: colours - yellow red white black blue etc... This list of colours is VERY long, so it's quite uncomfortable for the users select in the multiple selection filters which colours he needs. so id like to create a group of colours called "beauty" in which I specify which colour is beautiful e which is not. ex: beautiful colours: red blue green ugly colours: all others I'd like to do this outside of the single dashboard so i can use this for filtering in many dashboards. Before reinventing the wheel I wanted to be sure there are not known solutions. If there are not which ones you suggest. Thanks a lot. ... View more

Hi all! I have the following search which displays a stacked bar chart: <index, filters and sourcetype> | stats count as Events by BU DatabaseName | sort -BU, Events desc | streamstats count as rank by BU | where rank <= 5 | chart max(Events) as Events by BU DatabaseName | addtotals fieldname=_total | sort - _total | fields - _total I would like to set $variable$ <option name="charting.axisY.maximumNumber">$variable$</option> As the max of _total + 10% (before removing it) and without using, if possible, hidden selectors or other queries. Thanks ... View more

Hi all! I have the following code: index=BLA source=BLA | eval Day = strftime(_time,"%F") | eval DateTime = strftime(_time,"%Y-%m-%d %H:%M:%S") | stats Latest(LogType) as Status Latest(Result) as Result Latest(DateTime) as When by PackageName | sort - Status - When | table When, PackageName, Status, Result | eval AlertLevel = case(Result=="OK",1,Result=="WARNING",2,Result=="KO",3) | rangemap field=AlertLevel low=1-1 elevated=2-2 severe=3-3 default=guarded | fields - AlertLevel | join Type=Left PackageName[ search index=BLA source=BLA | eval Day = strftime(_time,"%F") | eval DateTime = strftime(_time,"%Y-%m-%d %H:%M:%S") | eval EndTime = if(Result="OK", _time, null) | eval StartTime = if(LogType ="START", _time, null) | stats Latest(StartTime) as StartTime Latest(EndTime) as EndTime by PackageName ExecutionInstanceGUID | eval Duration = (EndTime-StartTime) | where (Duration != "" OR Duration >= 0) | stats avg(EndTime) as AVGEndTime avg(Duration) as AVGDuration avg(StartTime) as AVGStartTime by PackageName ] Now: if I use, in the columns AVGEndTime, AVGDuration, and AVGStartTime, the format in milliseconds (that come out naturally with the query) I get that -> AVGEndTime - AVGStartTime ≈ AVGDuration. Instead, if I add the following code for converting time in a human friendly format: | fieldformat AVGStartTime = strftime(AVGStartTime,"%H:%M:%S") | fieldformat AVGEndTime = strftime(AVGEndTime,"%H:%M:%S") | fieldformat AVGDuration = strftime(AVGDuration,"%H:%M:%S") I get that the AVGDuration is almost always one hour bigger. WHY? It's really difficult to work with time in Splunk! Any suggestion? ... View more