So, do you get the counts you need without the inputlookup? ... View more

Sorry I missed a pipe ( index=windows EventCode = 4627 ) OR ( index=linux type=login ) [ | inputlookup hosts.csv | fields host] | stats count by index | addtotals ... View more

Did you try curl -v -k ... so at least the certificate verification is switched off - alternatively, add the CA certificate to your trust store. Interesting that it works sometimes and not others. Do you have multiple splunk servers (behind a load balancer perhaps)?  ... View more

Try overriding _time in your query   | eval _time=now() Or perhaps  | eval start=now() toward the beginning of your query, and | eval _time=start towards the end   ... View more

Can you change your query so it only counts unhealthy hosts if they weren't unhealthy in the previous time period? This assumes that the hosts that are unhealthy will continue to show up in your search until they are made healthy - consider using autoregress as one possible way of doing this ... View more

You could try adding the verbose option to curl curl -v ... and see what other information you can find out  ... View more

Hi @dall  Thanks. So what part of these log entries identifies the vm? Is it Originator@xxx, where xxx is different for each vm? What identifies the server? is it hostd:[yyy] where yyy is the server id? If so, you can extract these two from the logs and use stats to count them | rex field=_raw "hostd\[(?<server>[^\]]*)\]\s\[Originator\@(?<vm>[^\s]*)" | stats dc(vm) as vms by server   ... View more

Can you provide a sample of the logs you are talking about? ... View more

  | eval A_mod=split(A,",") | mvexpand A_mod | dedup A_mod | stats values(A) as A, count as B by id   Full solution ... View more

@aamirs291 Perhaps another approach is to look at the accessibility checker. Assuming the accessibility checker is looking for ways to identify elements uniquely, (so that accessibility style sheets can be applied?) then unique ids is not the only way. If elements can be uniquely identified by nested ids (as @niketn  suggested), then the accessibility checker should not see this as an error. Can the accessibility checker be changed to accept this way of identifying elements, or ignoring elements inside an element which does have a unique id? ... View more

Have you tried something like ( index=windows EventCode = 4627 ) OR ( index=linux type=login ) [ inputlookup hosts.csv | fields host] | stats count by index | addtotals ... View more

Yes I just checked _internal - still would be useful to have some sample data though ... View more

Your date time format seems a little different, usually there is a space between the date and the time not a colon. Do you have some sample data events you could share? ... View more

| rex field=column "POD(?<number>\d+)\-" where column is the field name your data is in. Is it always POD? If not, is it always ****-****-**POD4-***  4 letters "-" 4 letters "-" 2 letters 3 characters number (at least 1 digit) "-" 3 letters? ... View more

The last 30 days includes today - have there been any timeouts today? Perhaps rather than a line graph, display the results in a table (at least until we figure out what is wrong)? ... View more

I can't see anything wrong with the xml. Can you try different days? Also, can you include screenshots of the time picker with the two panels? ... View more

It is not entirely clear what you are after. if you want to remove the year and build number from the field so that you can then group by build name then do something like this | rex field=BuildInfo mode=sed "s/\d{4}_\d+|/|/g" You can probably then use _time to order your log entries. If you still need the BuildInfo, then copy it to another field and edit that If you need the year and build number extracted as a number so you can do numerical ordering (2020_1, 2020_2, ...2020_9, 2020_10, ...) rather than lexicographical ordering (2020_1, 2020_10, 2020_2, ...) then you could try something like this | rex field=BuildInfo "\w+(?<year>\d{4})_(?<build>\d+)|" | eval combined=(tonumber(year) * 1000) + tonumber(build)  This assumes you don't have 1000+ builds per year. You could also probably just use the last two digits of the year if you like. ... View more

Change the tokStartOfDay calculation slightly <eval token="tokTimeStartOfDay">relative_time(if(isnum('latest'),'latest',relative_time(now(),'latest'))-1,"@d")</eval> Also, can you show the xml for the second panel?  ... View more

Hi @aditsss  Would it be right to say that the single should be the count from the last day of the time period selected? If so, add this to the time picker <change> <eval token="tokTimeStartOfDay">relative_time(if(isnum('latest'),'latest',relative_time(now(),'latest')),"-1m@d")</eval> </change> Then change the single query times to: <earliest>$tokTimeStartOfDay$</earliest> <latest>$field1.latest$</latest> ... View more

@aditsss  Please, please, please read what I suggested carefully! You should have noticed that the first single panel has <earliest>-1d@d</earliest> <latest>@d</latest> whereas you are insisting on leaving it as <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest>  Do you not see the difference? ... View more

So one panel is a simple single with no trend information - you were almost there at the start <panel> <single> <title>TIMEOUT</title> <search> <query>index="ABC" sourcetype=XYZ Timeout $Org$ | stats count</query> <earliest>-1d@d</earliest> <latest>@d</latest> </search> </single> </panel> Your second panel can just be a simple line chart  <panel> <chart> <search> <query>index="ABC" sourcetype=XYZ Timeout $Org$ | bin span=1d _time | stats count by _time</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> </chart> </panel> ... View more

Hi @aditsss  As I said, the query for the single needs to have a time component to the stats so that the query returns a range of values. Single will then display the latest of these (which is what I think you are after). Please try my earlier suggestion <input type="time" token="field1" searchWhenChanged="true"> <label>Date/Time</label> <default> <earliest>-1d@d</earliest> <latest>@d</latest> </default> </input> </fieldset> <row> <panel> <single> <title>TIMEOUT</title> <search> <query>index="ABC" sourcetype=XYZ Timeout $Org$ | bin span=1d _time | stats count by _time</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> This is the important part of the query for single to be able to use the count from the last day and for it to have more than one result in order to work out a trend <query>index="ABC" sourcetype=XYZ Timeout $Org$ | bin span=1d _time | stats count by _time</query> ... View more