Try this for the query <query>index="ABC" sourcetype=XYZ Timeout $OrgName$ | bin span=1d _time | stats count by _time | addinfo | eval first=relative_time(info_min_time,"@d") | eval last=relative_time(info_max_time-1,"@d") | eval prev=last-(60*60*24) | eventstats last(count) as lastcount | where _time = first OR (_time = last AND lastcount > 0) OR (_time = prev AND lastcount = 0) | fields _time count </query> ... View more

What about order for example Index A 101 A01 101 A02 Index B 101 A02 101 A01 Is this 2 mismatches or zero? ... View more

Hi @hongbo_miao  As @thambisetty  suggested, try enclosing the field name with dot "." in single quotes (and adding a space after the "-" in the sort command)   index="my_index" | stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by log.request.url | table log.request.url, total, outgoingCount | sort - outgoingCount     ... View more

This sort of thing has been answered many times. Essentially, you give your panels an id and then add a css style associated with that id. ... View more

Do you have the sample dashboard examples available to you. There is one for highlighting rows of a table based on a value. Perhaps this will give you a starting point https://splunkbase.splunk.com/app/1603/ ... View more

Obviously, you need to add a time element to your stats with a span of 1d, then you could consider autoregress to get the previous day's stats and do your calculations using those values. ... View more

If you limit your query to -24h, then you will get no results if the last time the log was written to is more than 24 hour ago. The -48h was at least giving you a chance at finding if the log was last written to between 48 and 24 hours ago and showing that in red. You could make it -7d or whatever timespan you want to go back looking for when the log was last written to. ... View more

Can you modify the payload with your middleman? If not, can you use spath to extract the issues array into a multi value field and then mvexpand to separate them into different events? ... View more

You probably need another panel with the data you want to export ... View more

If you want to use tstats try: | tstats latest(_time) as latest where index=* earliest=-48h by host | eval minutesago=round((now()-latest)/60,0) Then set the colour ranges for the minutesago column as appropriate   Obviously, this still only goes back 48 hours so if your latest entry is older than that, you would not see it ... View more

No I don't think it does what I think you want. What if you the latest entries in the index is over 24 hours? You are only going to get entries by host if the latest entry for that host is between 24 hours and 5 minutes ago. ... View more

Try  index="my_index" "Outgoing Response" | head 1 in verbose mode and look to see what fields have been extracted   ... View more

With the calculation you have shown, if you have 20 incoming and 15 outgoing, your total will be 35, your failures will be 5, your error rate will be 1/7 when it should be 1/4. That doesn't explain why you are get zero counts. Can you check that the logType is what you think it is? ... View more

Have you indexed these logs? Have you extracted any fields e.g. timestamp, url, log type? Total requests is then the count of Incoming Requests. Error count is then Total requests - count of outgoing response. | stats count(incoming) as incoming, count(outgoing) as outgoing by url, _time | eval failure=incoming-outgoing | eval errorrate=outgoing / incoming ... View more

The query is OK - you configure the colours by editing the dashboard and formatting the single ... View more

@shashank_24  So a count by req_content by time would give you the counts index=test_prod sourcetype=access_combined_wcookie req_content=/checkout/your-details OR req_content=/checkout/direct-debit OR req_content=/checkout/credit-check OR req_content=/checkout/review-basket OR req_content=/checkout/confirm-order OR req_content=/checkout/order-complete | bin span=1h _time | stats count by req_content _time However, let's say a customer ends their journey between 8 and 9, but started it between 7 and 8, do you want the counts for the earlier steps to be included in the 7-8 slot (which is what the above will do), or do you want the counts in the 8-9 slot which the below attempts to do index=test_prod sourcetype=access_combined_wcookie req_content=/checkout/your-details OR req_content=/checkout/direct-debit OR req_content=/checkout/credit-check OR req_content=/checkout/review-basket OR req_content=/checkout/confirm-order OR req_content=/checkout/order-complete | stats values(req_content) as req_content, latest(_time) as _time by uniqueId | mvexpand req_content | bin span=1h _time | stats count by req_content, _time This doesn't take into account whether they went back and forth during their journey nor where they were when they ended their journey, it counts the pages visited not how many times in the journey it was visited. If you want the number of times the page was requested by the customer, try changing values(req_content) to list(req_content) ... View more

For the example you just gave, what would you want the table to look like? ... View more

You could try something like index= xyz | bin span=1s _time | stats count BY host_name | eventstats max(count) as max BY host_name | where count=max | stats values(count) as count, latest(_time) as _time by host_name | fields host_name, count, _time   ... View more

|eval Assignee= case(substr(Support_tier, -2)="02" AND HR_Country="America", "Jeremy", substr(Support_tier, -2)!="02" AND HR_Country="America","Terri") ... View more