Hi vikas_gopal, take a look at this run everywhere command, this will compare event count from 3 minutes ago with event count 2 minutes ago: index=_internal earliest=-3min@min | bucket _time span=1min | stats last(_time) AS last_time count AS per_min_count by _time, host | eval 2min_ago = if(last_time > exact(relative_time(now(),"-3min@min")) AND last_time <= exact(relative_time(now(),"-2min@min")) , per_min_count ,"0") | eval current_count = if(last_time > exact(relative_time(now(),"-2min@min")) AND last_time <= exact(relative_time(now(),"-1min@min")) , per_min_count ,"0") | stats max(last_time) AS _time, values(host) AS host, max(current_count) AS current_count, max(2min_ago) AS 2min_ago | eval diff = '2min_ago' - 'current_count' Hope this helps to get you started ... cheers, MuS ... View more

Hi sanjay.shrestha, take a look at this run everywhere example to get an idea how this can be done, it uses Splunk internal_server data model and two of its child objects: | tstats values(server.licenser.quota.gb) AS gb values(server.scheduler.scheduled_reports.scheduled_time) AS scheduled_time from datamodel="internal_server" by _time | streamstats last(gb) AS last_gb last(scheduled_time) AS last_schedule | stats count by _time last_gb last_schedule | fields - count To break this down I'll explain each search pipe: Obviously we need to get something first, so we get gb from the server.licenser.quota child / nodename and scheduled_time from the server.scheduler.scheduled_reports child / nodename (makes no sense I know, but this is only to show how you can do it) : | tstats values(server.licenser.quota.gb) AS gb values(server.scheduler.scheduled_reports.scheduled_time) AS scheduled_time from datamodel="internal_server" by _time Next use the result in streamstats to get rid of those empty results: | streamstats last(gb) AS last_gb last(scheduled_time) AS last_schedule use this result in a stats remove the count field and here we go: | stats count by _time last_gb last_schedule | fields - count This is just an example, modify it to your needs to match your use case. Hope this helps ... cheers, MuS ... View more

Hi evang_26, Okay after reading the update, it makes sense, try this: sourcetype=nessus severity!=informational | rex max_match=1 "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>[\w+\s]+)\" This will match only one occurrence for each field in the regex Hope this helps ... cheers, MuS ... View more

Hi rajendra_b, use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0") or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null()) Hope this helps ... cheers, MuS ... View more

Hi chris, I cannot answer why it is this way; but from my experience and tests I can try to answer on how to use it. Let's start with the difference of where and search : Use where if you want to compare two fields value Use search if you want to search for a field containing a string or value Next, there is a little hint in the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'. If the expression references literal strings that contains non-alphanumeric characters, it needs to be surrounded by double quotes; for example, new="server-"+count. Now, let's test this with this run everywhere commands, all done on the same server over Previous week timerange: | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>='foo' | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>=foo | datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>=15 | datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">=15 All the above searches will work, because they use the correct search syntax and the result is 108 events. | datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">="15" | datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>="15" The above searches will return wrong events, because they search for literal string values of 15, the result is 566 events. | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">='foo' | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">="foo" | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">=foo The above searches will not work, because it will references literal strings that contains non-alphanumeric characters as field, the result in this case is 811 or all events. | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where server.active_hist_searches>=foo | datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>="foo" This will not work at all, returning 0 events. So, after all this testing I can say the following: use ' single quotes when using the where command use " double quotes or no quotes when using the search command Hope this helps .... cheers, MuS PS: if you need the **why* it is this way, open a support case or ask the same on the IRC channel #splunk @ efnet.org* ... View more

Hi awurster, regarding the first requirement, the list of all lookup's and their app, you can use this simple REST call: | rest /services/data/lookup-table-files/ | table title eai:acl.app eai:data updated Don't be confused by the updated field, this only shows the last time Splunk did read this lookup files, not when the file was updated! For this requirement, I would setup a [monitor:..] or [fschange:...] to get the time of change and some combination of summary indexing search and outputlookup to populate another lookup containing the lookup files name, time of change and the count of entries for each. Use this as automated lookup and the dashboard will look pretty fancy .... Hope this helps ... cheers, MuS ... View more