Hi, You can also achieve this by converting your starttime and endtime into epoch and then you can do the subtraction between them and then you can again convert time to strp format ... View more

I have not violated any quota's ? As you can see in the image, the three violations are for exceeding 0 bytes and in Trial ? not 500MB in free !! This is beyond ridiculous Can I have these restriction removed ? ... View more

The field "event_id" is mostly used for the notable events, in the itsi_tracked_alerts field. but in versions older than 3.* it was also used for the group id in the index=itsi_grouped_alerts, and since 4.* for the Episodes ids too. This can be confusions, as there is also an itsi_group_id field and when you use the API, the id may be referring to the notable or to the group... The best way to avoid confusion is to do an eval or a rename to create a second field group_id to avoid confusion, depending of the context of the data. ... View more

Have you looked at Route and Filtering techniques? http://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad ... View more

No, but it is a MDR service in the similar vein of Rapid7. ... View more

Hi, Can you give some sample of your time format. So if you also have seconds and milliseconds in your events, then you will have to change your TIME_FORMAT in props.conf as below: TIME_FORMAT=%H:%M:%S.%N ... View more

Thank you. I had the same issue with the SQL queries and after i changed the time zone to default and it could be executed! ... View more

Hey You want to measure your electricity consumption per hour for time range of yesterday? Step 1: watts per day Step 2: convert to kw So your search query for kwh per day will be timerange=yesterday index=fibaro name="Youless-Mains" | rename properties.ui.ylmainpwr.value AS Watt | stats sum(Watt) as TotalWatt | eval kWh/day = (TotalWatt*24)/1000 If you want to find kwh per day In a time series with span of 1 day period then try below: timerange=month index=fibaro name="Youless-Mains" | rename properties.ui.ylmainpwr.value AS Watt | timechart span=1d sum(Watt) as TotalWatt | eval kWh = (TotalWatt*24)/1000 | fields - TotalWatt Let me know if this helps you! ... View more

You can remove rest using NOT label= ... View more

I'm not seeing any glaring issues in your search. Is your search time the same? What method of verification did you use to assert that the value should be different than what is shown? ... View more

Hi @, I think the regex above should work for you but still if it's not you can try below regex. index=xyz | rex field=url "\"(selected\w+)\"[=]*(?P(([^&]+)|(.+)))\"" ... View more

Hi @sawgata12345, | eval _raw=even | spath I'm overwriting _ raw with new generated event from even field. So next statement spath will execute as per expectation. This is because your given event contains multiple records. Have you tried to execute this search in parts? like .. 1) index="newjson1" sourcetype="_json" | spath {} output=even 2) index="newjson1" sourcetype="_json" | spath {} output=even | stats count by even 3) index="newjson1" sourcetype="_json" | spath {} output=even | stats count by even | eval _raw=even | spath Can you please execute above searches and give me output? Thanks ... View more

Yeah that's right, I notice that my client need to buy the license in the SAP market, we need to use SAP add-on installation tool (saint) for download the connector BNWVS 400_700.sar https://help.sap.com/saphelp_di46c2/helpdata/en/26/5a8c38e3494231e10000009b38f8cf/frameset.htm ... View more

Hi kaphie2002, you could pass in drilldown one or more tokens (e.g. Account) and then create your search in the secondary dashbord filtering for the maximum value, something like this in the secondary dashboard secondary_search Account=$account$ | rex field=_index ".payload number.(?.)completed.in\s(?.\d+)ms(?.\w+)" | eval TimeSec=round(ProcessingTime/1000,0) | stats count(PayloadID) as Payloads avg(TimeSec) as "AvgSec" max(TimeSec) as "Max Sec" BY Account | where Payloads > 1000 | sort "Max Sec" desc | head 1 | eval "AvgSec"=round(AvgSec, 1) | rename AvgSec as "Avg Sec" if you want more information, add other fields as values in the stats command. Bye. Giuseppe ... View more

Hi, is this true all sow with eventtypes? ... View more

All of these answers are excellent, but just to add a little more colour to subsearches ... Any time you use a subsearch, think of it like backticks in the unix shell. (If you don't get that reference then look at https://unix.stackexchange.com/questions/27428/what-does-backquote-backtick-mean-in-commands ) So the thing inside the subsearch runs, and then its output textually replaces the subsearch itself. (Commands like foreach , apppend , join , etc that use subsearch syntax don't necessarily apply here. This is the context of using a subsearch as part of search criteria) Subsearches normally return field-value pairs. You can cheat to see what a subsearch is going to return by running it in conjunction with the format command. Like suppose I had a lookup file like your example: src_ip,servername 1.2.3.4,server1 5.6.7.8,server2 9.10.11.12,server3 If I do a | inputlookup serverlist.csv then I see the CSV file itself as a search result. But if I do a | inputlookup serverlist.csv | format then I get something different / more interesting ... ( ( servername="server1" AND src_ip="1.2.3.4" ) OR ( servername="server2" AND src_ip="5.6.7.8" ) OR ( servername="server3" AND src_ip="9.10.11.12" ) ) This gives me a picture of what a search like: sourcetype=pan:traffic index=firewalls [ | inputlookup serverlist.csv ] Will look more like this after the subsearch has returned: sourcetype=pan:traffic index=firewalls ( ( servername="server1" AND src_ip="1.2.3.4" ) OR ( servername="server2" AND src_ip="5.6.7.8" ) OR ( servername="server3" AND src_ip="9.10.11.12" ) ) Ultimately, this probably won't return ANYTHING because pan:traffic likely does not have a field named servername . What if I instead ran: sourcetype=pan:traffic index=firewalls [ | inputlookup serverlist.csv | fields src_ip ] The return command works similarly to format and outside of a subsearch will give you an idea of what it is up to as well. Compare: | inputlookup serverlist.csv | return src_ip to | inputlookup serverlist.csv | return 1000 src_ip One other thing that is interesting about subsearches is that return is not required! If you don't call return then as I demonstrated above, some default functionality happens. Another piece of default functionality includes specially named fields. If your subsearch outputs a field named query then the field name disappears from the subsearch output., like so: | inputlookup serverlist.csv | fields src_ip | rename src_ip as query | format will return ( ( "1.2.3.4" ) OR ( "5.6.7.8" ) OR ( "9.10.11.12" ) ) "Look ma, no field names!" Hopefully this helps you peer a little more into how your subsearches are working.... ... View more

One step closer. I swapped out the field "EventCode" with "host" and now I'm seeing transactions. | transaction host startswith=5014 endswith=5004 maxspan=5m Next step would be to change this so that a transaction is created only when a "5004" or "1206" is not found (within 5 minutes of the error event, e.g., 5014 or 5008). ... View more

Thanks Kamlesh. ... View more

Perfect! Love u! ... View more

Let me rephrase the question. When my host is in distress (i.e. it encounters a specific error), I want to do a search of something during that time. I know the query to find the host in distress (i.e. Host="A" AND "B" "error_code_1"). Now if there is no error this search won't give me any events. (event count =0). I want to be able to calculate the number of events this search generates (if event count > 0) , then I have to run another query. The other query is something like (i.e. Host="A" AND "B" "who_did_it" "what_happened"). The second query should only execute if first one generates any event. How can I achieve the above scenario ? ... View more

Your answer is correct @493669 remove of the NT_EVENT_ID= made it. I think my initial "Search is waiting for input...." happened because I hadn't refreshed the form. The DB_NAME is OK whenever as a value or as * Thank you very much, best regards Altin ... View more

Hello - Thank you. I've tried your query but the issue is when the month is november which is 11 it should get the data for january onwards. So i dont think the | search Report_Month>10 query is okay? and since January is 01, i dont know if > can be use. ... View more

@patricianaguit please use the code button (101010) for adding data and code so that special characters do not escape ... View more

I think I've found a way to reach my goal. I will separate the querys and use summary index. Thanks for the support guys. Thanks for the advice. ... View more