Depending on, when you are charting the values which one out of max or min you want to take as the response time values (given timechart will automatically aggregate results) you can try this: | timechart max(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Or | timechart min(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Or | timechart values(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Whichever suits your need ... View more

damn...I need to go to get my eyes checked up.. thanks man...editing the rex piece. An upvote will help a lot too. ... View more

try now...I have updated the regex, couple of brackets were here and there... Also try to run the query without last | where timeDiff=125 . So that you can do appropriate divide in the eval timeDiff . I did a divide by 60 assuming the epoch time will be a seconds number for you. If its bigger we might need to divide additionally by 1000 etc depending on which level of "seconds" (milli, nano etc) the result shows up in, ... View more

| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>" I had pasted it above as well in the ending part of the comment later on. OR alternatively if you wanna focus on the digits part (as above extracts everything till it enounters <, use below. Either should work | rex "\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>" ... View more

I was riding the same boat as you few days ago. Use the "code Sample" formatting button from text editor whenever you are putting a text which splunk website is messing up for tags. So for example If i type below, then select it and press "Code Sample" button, it will appear as follows: rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>" If I type without highlighting and formatting it as "Code Sample" it looks like below: rex "\"<\"BusinessPartnerCode>(?[^\"]+)\"<\"\/BusinessPartnerCode>" See how ?<businessCode> disappears in above in comparison to code sample piece. So use "Code Sample" button and give the exact sample of line for which you want the regex to be modified and I can paste it here in response. However if there are no quotes in your sample above and your sample then is below: <BusinessPartnerCode>005003</BusinessPartnerCode> Then you can use this regex: | rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>" ... View more

No, that is not true. It is same command which was showing you eventtypes with their timeDiffs and all I did was appended the logic of first transaction on the eventTypes so that all the timeDiffs come as a multivalue field and from here pick only those eventtypes which have only single timeDiff. Try to remove everything after |where timeDiff>0 and you will see that this commands does bring you all the eventTypes with their timeDiffs and all it then does is chooses the ones which only have timeDiffs which are count=1 ... View more

If you are ok with slightly unconventional gaps between 59th sec and the next full minute u can actually try to do minutes+sec/100 and plot that. That's only if you need max and assuming seconds automatically will never go above 59 in your sample data. Averages might be a pain and will need some tweaking then. But below will work for just the max's and min's. yourSearch to get fields person, minute and second | eval newField=minute+second/100 | timechart max(newField) by person Let's hope someone gets a better solution of making the y series a modulo 60 to detect min:sec. ... View more

just curious, when u created the lookup definition did u ensure to keep its type as external_type=geo Thought of mentioning so. ... View more

Yes its possible to sum your mutivalue field "watched". If the emailId and watched fields are already extracted then try below query: yourBaseSearch to return events containing emailId and watched | rex field=watched max_match=0 "(?<watchcount>[\d]+)" | mvexpand watchcount | stats sum(watchcount) by emailId If the fields are not extracted use below query to extract the fields emailId and watched first and then do then counting: yourBaseSearch to return events |rex "email\":\s\"(?<emailId>[^\"]+)" | rex "watched\"\:\s\[(?<watched>[^\]]+)\]" | rex field=watched max_match=0 "(?<watchcount>[\d]+)" | mvexpand watchcount | stats sum(watchcount) by emailId ... View more

ok, if you want to find the events that have only a single time difference all the time then modify the search as follows, updating the same in answer as well: yourBaseSearch to return the events | rex "(?[A-Za-z_]+)" | reverse | sort eventType |autoregress _time as newTime p=1 |autoregress eventType as newEventType p=1 | eval timeDiff=if(eventType=newEventType,(_time - newTime)/60, 0) | table eventType, _time , timeDiff, newEventType | where timeDiff > 0 | transaction eventType | table eventType, timeDiff | mvexpand timeDiff | stats count by eventType | where count=1 ... View more

@lakromani try the query I put in as answer, it will give u all that u need per event rather than working for only one event. ... View more

Try this which will do following: yourBaseSearch to return the events | rex "(?<eventType>[A-Za-z_]+)" | reverse | sort eventType |autoregress _time as newTime p=1 |autoregress eventType as newEventType p=1 | eval timeDiff=if(eventType=newEventType,(_time - newTime)/60, 0) | table eventType, _time , timeDiff, newEventType rex the eventType out as a field if not already done. If already extracted remove the rex command portion and use yourField in place of "eventType" in all the places. Get all your events in reverse chronological order using reverse Sort events on field eventType so all the Event_As are one after the other followed by all of Event_B and so on. autoregress to add the interested data from prev event (which is time for us) to current event. So _time of prev event is added to current event as newTime. p=1 which is also by default is ensuring to go back only one event. autoregress on the eventType as well as we want to know when do our events Switch from Event_A to Event_B. eval the difference of current event time and prev event time based on whether event switched or stayed same. Since the index time (assuming goes only upto seconds HH:MM:SS) I did a (/60) to calculate the seconds. If its different for you, do the appropriate division to get difference the seconds. Tabulate the eventType, the actual time of event and time seconds difference between previous and current event. Updated query that gives the eventTypes which only have single timeDifference value. yourBaseSearch to return the events | rex "(?[A-Za-z_]+)" | reverse | sort eventType |autoregress _time as newTime p=1 |autoregress eventType as newEventType p=1 | eval timeDiff=if(eventType=newEventType,(_time - newTime)/60, 0) | table eventType, _time , timeDiff, newEventType | where timeDiff > 0 | transaction eventType | table eventType, timeDiff | mvexpand timeDiff | stats count by eventType | where count=1 ... View more

Similar to @lukejadamec answer but with index in context: Let's say you uploaded a data for which your index was called "mysearchindex" and you created a default sourcetype called "mySourceType" in the default app "Search and reporting". Then the raw data that you uploaded, which SPlunk uses can be found in subdirectories here, assuming default path locations which Splunk uses were given while creating "mySearchIndex" : SplunkHomeDirectory\var\lib\splunk\mysearchindex\db In general assuming "C:\Program Files\Splunk" is your SplunkHomeDirectory then for every index, raw data file (which has raw data in a slightly "customized" format) can be found in subdirectories here: C:\Program Files\Splunk\var\lib\splunk\<yourIndexName>\db\ NOTE: The file that you uploaded from local directory will always stay in that local directory untouched. "Splunk's copy" (if you can call it) is as is stated above. ... View more

Asset priority , if required specifically, as per your comment is defined in answer I have provided. ... View more

To answer asset priority in simple terms, it means which asset's event will be prioritized if an (similar severity) event occurred at the same time on two assets. Straight from the docs is this: The priority field (high) is combined with the severity of the search to create the urgency for the notable event. http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement#How_asset_fields_are_used Prioritization. The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop machine is less urgent than the same issue against an externally facing web-server that processes credit card information. Asset management allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets. http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement ... View more

At search time you can use eval command to pick the timefield from your log and assign it to _time field and then complete your searches on this new log time. Try this. yourBaseSearch that extracts the field yourLogTimestampField | eval _time=strptime( yourLogTimestampField, <format of your Log Time>) | complete the search where results returned will take _time as new time What this will do is pick up the time from "yourLogTimestampField" field and assign it to _time variable, thereby ensuring anything you write after this eval command in your search picks up the event time as "yourLogTimestampField" . How to achieve it on a timechart is here: https://answers.splunk.com/answers/145562/how-to-use-a-field-as-timestamp-for-a-timechart.html More about strptime and strftime here: https://answers.splunk.com/answers/80521/time-function.html More about _time here: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/SearchTimeModifiers ... View more

Can you please post your sample log line and what are you trying to extract from that log line. We can help thereafter. ... View more

Try this if parm is already extracted field with value "xxxx=yyyy", below will get you yyyy: yourBaseSearchThatExtracts parm | rex field=parm "\=(?<parmValue>[\S]+)" | use your parmValue here UPDATED If you want to extract the key as well: yourBaseSearchThatExtracts parm |rex field=parm "(?<parmKey>[^\=]+)\=(?<parmValue>[^\s]+)"| table parmKey, parmValue ... View more

I apologize if the solution is not working as that's the only way I know to get the countries data manipulated. Let's see if someone comes with a better solution. ... View more

which one did this below regex miss...I have updated the same in answer as well based on your comments. (IP-)*(?<hostName>[^\.\s]+) ... View more