Hey, What are doing it's correct you must juste add \ to ( like n\(s\), and add name of field extract like ?\<accounts\> , for example: | makeresults | eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768" | rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)" ... View more

Hello, If you try by this: index=_internal | stats count sum(bytes) by version And then select multiseries mode in formt of the chart can you add information please? thanks ... View more

Hello, To extract field from _raw you can use extract field page: http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/FXSelectFieldsstep Or use the rex command: | makeresults | eval _raw="DT=2018-04-13T00:14:19.480-0700 | AppId=R4 | Level=INFO |LogBody=[UID:***:20180413xxxxxx:, Message Timestamp:2018-04-13 00:14:19.329" | rex "DT=(?<DT>.*?) \|.* Timestamp:(?<Timestamp>.*)$" If you have any question comment this post please ... View more

Hello, Can you try this please, index=monitoring sourcetype=Qeueue Account=azbcd ( QueueName="test123") | timechart max(MessageCount) as MessageCount span=30minute | fillnull value=0 Also you can use make continous command: https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Makecontinuous Regards ... View more

Hello, Mr @DiegoAlba, And if you try this, index=_internal | eval date_month=strftime(_time,"%Y-%m-%B") | chart count by date_month log_level | eval date_month=substr(date_month,9) | transpose header_field=date_month column_name=log_level This proposition can sorte the header colulmn ans eleminate the null value You can juste copied and past this solution, if you have any problème comment this response please Regards ... View more

Hey, To optimase your search you can use base search define here: https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html for example: 1. Define a base search: <search id="base_search"> <query >search1 join type=outer[search 2 ] </query></search> 2. Use the base search like: <search base="base_search"><query>\example\ | stats count .....</query></search> <search base="base_search"><query>your_seconde_query</query></search> ... View more

Hello, Try this, index=maillog size=* | stats count(eval(size<1024)) as "val1" count(eval(size>=1024 AND size<2048)) as "val2" count(eval(size>=2048)) as val3 count as tot | eval perc1=round(100*val1/tot), perc2=round(100*val2/tot), perc3=round(100*val3/tot) | transpose column_name="size_range" | rename "row 1" as count Or This: index=maillog size=* | stats count(eval(size<1024)) as "val1" count(eval(size>=1024 AND size<2048)) as "val2" count(eval(size>=2048)) as val3 | transpose column_name="size_range" | rename "row 1" as row1 | eventstats sum(row1) as total | eval row1=round(100*row1/total) | transpose column_name="size_range" | rename "row 1" as count ... View more

Hello, And if you try this, index=sales sourcetype=csv source= sales_new.csv date_month=september | timechart span=1d count Best ... View more

if it displaying "no result" because all count are > 0 try by where count!=0 to verified ... View more

Hello, If you try this: | makeresults | eval _raw="\"serialNumber\":\"test1234\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"US\"" | rex field=_raw "\"serialNumber\":\"(?<serialNumber>\w*)" | table serialNumber In any case you can use Field Extractor UI http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ExtractfieldsinteractivelywithIFX ... View more

Hello, If you try by this: source=ABC OR source=ABD OR source=ADC daysago=1 | stats count by source | where count=0 ... View more

Hello, Yes you can use this: | eval month=strftime(_time,"%m") | eval date_month=month."-".date_month | stats latest(availability) AS availability BY application, date_month | xyseries date_month application availability | rex field=date_month mode=sed "s/(\d+-)//g" ... View more

Hello, You can Try this, | stats latest(availability) AS availability BY application, date_month | xyseries date_month application availability ... View more

Hello, Try this please: |inputlookup mk_ip_list | append [|stats count | eval description="testAppend" | eval ip_address="8.8.8.8"] | fields - count | outputlookup append=true mk_ip_list ... View more

Hello, You must add a pipe "|" between stats ans eval try this: index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName | eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS") ... View more

Hello, I didn't understand very well, try using append command: index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual | append[ index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual ] Best regards ... View more

Hello, Try this please: | eval PFM =if(departement="Production for Medicine " OR departement="Production for Medicine-PFM",count,0) | eventstats sum(PFM) as sum |appendpipe[departement="Production for Medicine + Production for Medicine-PFM", count=sum] | fields -sum | dedup departement ... View more

Try this, | makeresults | eval today=relative_time(now(),"@d") | eval date2=relative_time(today,"-12h@h") | eval date3=relative_time(today,"+12h@h") | eval status=case((today>date2 AND today<date3) OR (today<date2 AND today>date3),"BETWEEN",true(),"OUTSIDE") Regards ... View more

Hello, May be can help, <form> <label>Edit_Element_Tabl</label> <fieldset submitButton="true"> <input type="text" token="ipAdresses" searchWhenChanged="false"> <label>ipAdresses</label> </input> <input type="text" token="SplunkVersion" searchWhenChanged="false"> <label>SplunkVersion</label> </input> </fieldset> <row> <panel> <table> <search> <query> | inputlookup ipSplunkVersion.csv | appendpipe[ | eval IpAdresses="$ipAdresses$", SplunkVersion="$SplunkVersion$"] | streamstats count | streamstats count | dedup IpAdresses sortby -count | fields - count | outputlookup ipSplunkVersion.csv </query> <earliest>0</earliest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> Regards Youssef ... View more

Thank you for your respense: I checked, it's all temp, I loaded the data by creating another index, but when I restat the server, the event going from 11000 event to 0 event ... View more

Thank you for your respense: I checked, it's all temp, I loaded the data by creating another index, but when I restat the server, the event going from 11000 event to 0 event ... View more

Hello every one, Thank you for your participation, I found the problem , but I did not understand why the problem is that I have more time , I added from the fields of these dates in TIMESTAMP_FIELDS after I left That a single TIMESTAMP_FIELDS field , I'll find out why . and what is the criteria on TIMESTAMP_FIELDS ?? ... View more

after searching , I think the problem comes from three files , I install Splunk entreprise in other computer problems remains with me these three files , I replaced these files by three other files of the same format and size but different data, me the data are added without problem. Thank you all ... View more

this command gives 0 event and null values ... View more