Can you share your full query? ... View more

Would this work? | inputlookup lookup_table_1.csv | lookup lookup_table_2.csv | append [| inputlookup lookup_table_2.csv ] | dedup Id | outputlookup lookup_table_2.csv Essentially, add the extra fields for "known" Ids, then add all the known rows (in case some are missing from table 1), dedup the rows and write away ... View more

How are you including all source types in your search? index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D Note that you have to use capitals for "OR" not "or" ... View more

The second rex effectively overwrites the first. What this appears to be doing is counting the distinct VMs by assuming they are uniquely identified by whatever is between the last / and the .vmx -- your search | rex "(?<VMX>[^\/]+)\.vmx" | stats dc(VMX) Is this what you intended?  Also, for the second part, what events in the log tell you whether the vm is running or stopped? ... View more

I am afraid I can't help you unless you explain what data you have in splunk. Imagine I asked you to find all the mentions of the name John on my bookshelf. How would you do that? Oh and I also want you to check all the books I have stacked on the floor, but you could only look at them if I put them on the shelf? ... View more

Please check carefully - for example you had "... -d search=\"search ..." whereas I had "... -d search="search ...". Having said that, perhaps you also need to escape the backslashes in the string ' curl -s -ku admin:admin -o ?Users/Vivek/Desktop/09012020.csv https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index=network host=SGC01* OR host=APR01* earliest=09/01/2020:00:00:00 latest=09/01/2020:23:59:59 | rex field=_raw \"^[^ \\n]* (?P<host>[^ ]+)\\s+%(?P<mnemonic>[^ ]+)[^ \\n]* \\[(?P<fault_code>[^\\]]+)[^\\[\\n]*\\[(?P<state>[^\\]]+)\\]\\[(?P<severity>[a-z]+)\\]\\[(?P<dn_mo>.*)\\]\" | stats count by host mnemonic fault_code state severity dn_mo" -d output_mode=csv --data-urlencode -d preview="False" '   ... View more

It looks like you are escape the wrong double quotes - try ' curl -s -ku admin:admin -o ?Users/Vivek/Desktop/09012020.csv https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index=network host=SGC01* OR host=APR01* earliest=09/01/2020:00:00:00 latest=09/01/2020:23:59:59 | rex field=_raw \"^[^ \n]* (?P<host>[^ ]+)\s+%(?P<mnemonic>[^ ]+)[^ \n]* \[(?P<fault_code>[^\]]+)[^\[\n]*\[(?P<state>[^\]]+)\]\[(?P<severity>[a-z]+)\]\[(?P<dn_mo>.*)\]\" | stats count by host mnemonic fault_code state severity dn_mo" -d output_mode=csv --data-urlencode -d preview="False" ' ... View more

OK so what data do you already have in splunk? ... View more

Logged into where? What data do you have in splunk to help you determine this? ... View more

-- your search | rex "^(?<day>\d+)/(?<month>\d+)/(?<year>\d+)," | rex "^(?<year>\d+)-(?<month>\d+)-(?<day>\d+)," | eval _time=strptime(year."/".month."/".day, "%Y/%m/%d") ... View more

Can you provide example log events and show what you already have tried? ... View more

If you want FieldB separated into events use mvexpand instead of mvcombine | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)(https:|\n|$)" | mvexpand FieldB   ... View more

Try this to split the URL string into multiple events ... your search | makemv tokenizer="(\S+)" URL | mvexpand URL | rex field=URL "-(?<fieldA>\d{2}).*\/(?<fieldB>\d+$)" ... View more

OK if I understand correctly -- your search | lookup accountfile clientId This will add PRIMARY, PRIMARYMIDDLE, PRIMARYLAST,  SECONDARYFIRST  SECONDARYMIDDLE  and SECONDARYLAST fields to your event (from the file). I am assuming the lookup file is correctly formatted for this already or is that the issue? Is this what is already happening? What more do you need? ... View more

<search> <query>...</query> <earliest>...</earliest> <latest>..</latest> <done> <set token="search_results">$job.resultCount$</set> </done> </search> ... View more

OK This is getting complicated. The idea is that for each day we add an extra day with count as zero. We then sum the counts by day, and take only the last day of the original time period index="ABC" sourcetype=XYZTimeout* | bin span=1d _time | stats count by PAGE_URL _time /* create an event for following day with count = 0 */ | eval tomorrow=_time+(60*60*24) | eval time=mvappend(_time,tomorrow) | mvexpand time | eval count=if(time=tomorrow,0,count) | eval _time=time | fields - time tomorrow /* autoregress to get previous day's count */ | autoregress count p=1 /* set previous day's count to 0 for the first event for the PAGE_URL */ | eventstats first(_time) as firsttime by PAGE_URL | eval count_p1=if(_time = firsttime,0,count_p1) /* join the daily counts together */ | stats sum(count) as count sum(count_p1) as count_p1 by URL, _time /* only keep the event for the last day of the query time */ | addinfo | where _time=relative_time(info_max_time-1,"@d") /* calculate the difference between the counts for the last day and the previous day */ | eval diff=count_p1 - count | rename count as count1, count_p1 as count2 | fields PAGE_URL count1 count2 diff | sort diff ... View more

Rather than blurred screenshots, please can you share a raw event or two in a code block, anonymising the data appropriately because there seems to be something that we are all missing which might become clearer if we could see the raw data? ... View more

How is this data coming into splunk? Are the comma-separated lines? Is it XML? Is it JSON? Can you share the raw data (anonymised)? That is, you share it is a format that rex can be applied to? ... View more

  ... your search | eval URL=split(URL,"\n") | mvexpand URL | rex field=URL "-(?<fieldA>\d{2}).*\/(?<fieldB>\d+$)"   ... View more

What do the source file records actually look like? (Obviously, you should anonymise any real data.) ... View more

It is hard to keep up with these ever-changing requirements! However, rather than removing the first occurrence for the URL, how about setting the count_p1 to zero index="ABC" sourcetype=XYZ Timeout* | bin span=1d _time | stats count by PAGE_URL _time | autoregress count | eventstats first(_time) as firsttime by PAGE_URL | eval count_p1=if(_time = firsttime,0,count_p1) | eval diff=count - count_p1 | rename count as count1, count_p1 as count2 | fields PAGE_URL count1 count2 diff|sort diff   ... View more

Panels can be shown/hidden depending on the presence of a token. This token could be set/unset based on the number of results in the query of the panel   <panel depends="$results1$"> ...   ... View more