I don't think there is a leading space (I know the docs say there is, but maybe it's because we are still in the single digit days of the month), because even if I do... earliest=-72h latest=now index=_internal log_level=ERROR | stats count as ErrorCount by date_mday sourcetype | sort sourcetype | streamstats current=f last(ErrorCount) as LastErrorCount by sourcetype | eval ErrorCountDiff=ErrorCount-LastErrorCount | eval today_mday=strftime(now(), "%e") | replace " " with "" in today_mday | eval today_mday=tonumber(today_mday) | where today_mday=date_mday I still get 0 results. This is starting to look like a bug. ... View more

This also returns 0 results ... View more

I'm guessing you didn't run my test query, because it's pretty obvious that it does. ... View more

I am assuming you have two boxes, one with a UF, the other acting as an Indexer+SH. Is that correct? If so, what happens if you search: index=_internal *test* Does anything show up? Any errors? If not, you may want to check network connectivity between the UF and Indexer/SH. You can do that using the telnet command, or by searching for TcpOutput in splunkd.log on the UF. If you can post your outputs.conf that might be helpful too. ... View more

This also returns zero results. ... View more

Looks like you are missing sourcetype. Also, I'm not sure why you have C:\ in there. I think your stanza should be something like: [monitor://H:\MonitorTest\] disabled = 0 index = main sourcetype = test Then, restart the Splunk forwarder and see if it picks up your test files. ... View more

Just a side note, I realize I could limit the time range more and do a fillnull on ErrorCountDiff, but this is a simplified version of the search I'm doing, which does require multiple days of counts. ... View more

Yes, you would use a subsearch if you wanted to use the results from one search as search criteria in another search. Subsearches are created by putting the first search you want executed in brackets with a search command in front. They are treated as a boolean AND to your outer search. One thing to note is that you do need to have matching field names between the outer and inner search for it to work properly. Here's a mock-up of how you might do it: index=linux_audit authenticationtype=* [search index=linux_syslog netgroup=my_servers* user@email.com | rex field=_raw "sendmail\[\d+\]: (?<SendmailMessageID>\w+):" | stats count by SendmailMessageID] | rex field=_raw "sendmail\[\d+\]: (?<SendmailMessageID>\w+):" | stats count by sendmailID, authenticationtype, etc See also: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchTutorial/Useasubsearch In my example I used the rex command to create the SendmailMessageID because you have to have similar field value contents in both sources. You may have to rex some other field, do a rename, or tweak your original extraction to get matching field values (i.e. you must have user=bob in one search, and user=bob in your other search for it to work). You could also try adding a join command to the end of your first search. The same principle of having matching field names/similar values applies to join as wel. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Join ... View more

Take a look at the SUM App: https://splunkbase.splunk.com/app/2678/ ... View more

BTW, I am assuming that when you say "Browser in BST (UTC+1)", that you have gone into your user preferences within Splunk and changed the time zone for your account to "BST (UTC+1)". The time zone configured on your OS isn't used by Splunk. ... View more

Right, I think the query I posted should do just that though. What exactly is not working? Could you use the job inspector to see where it's failing? ... View more

Assuming it's just two indexes, you could simply do: index=xyz OR index=yzx | rename proj_n as project_names | eval project_names=if(isnull(project_names), project_n, project_names) | table project_names | dedup project_names ... View more

As a workaround you could probably do: | inputlookup temp.csv | replace " " with "_" in field1 | map search="| sendemail to=$field2$ subject="subject line" from=def@456.com message="test test $field1$ test test "" ... View more

Can you post some sample data and perhaps a mock-up of your desired result? ... View more

If this works for you, please click "Accept Answer"... index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)?" | rex field=new_referrer mode=sed "s/^http://www.example.com/ /g" | stats count as pageViews, count(eval(new_referrer="*")) as clicksOut by currentPage | fillnull value=0 pageViews clicksOut ... View more

The subsearch I gave will find the maximum value by NAME, filer to results >10, then produce a list of NAMEs. The NOT against the subsearch causes those NAMEs to be excluded from your results. ... View more

What I want is to get the list of "NAME" for which there is not at least one VAL > 10 So, I should get D and E ...and F? ... View more

Try it in a test environment first. ... View more

I tested in an Active Directory environment and it still showed the login/logouts of AD users. Not sure about SSO though. Have you tested? ... View more

Going for the accepted answer here... index=_audit sourcetype=audittrail user=* action=log* | rename info as status | replace succeeded with success in status | replace failed with failure in status | replace "login attempt" with login in action | stats count by user action status | append [search index=_internal sourcetype=splunk_web_service user=* action=log* | stats count by user action status] | join user [search index=_internal sourcetype=splunk_web_service | stats first(clientip) as clientip by user] | table user clientip action status count Or with timestamps... index=_audit sourcetype=audittrail user=* action=log* | rename info as status | replace succeeded with success in status | replace failed with failure in status | replace "login attempt" with login in action | stats count by user action status _time | append [search index=_internal sourcetype=splunk_web_service user=* action=log* | stats count by user action status _time] | join user [search index=_internal sourcetype=splunk_web_service | stats first(clientip) as clientip by user] | table _time user clientip action status count ... View more