For the example you just gave, what would you want the table to look like? ... View more

You could try something like index= xyz | bin span=1s _time | stats count BY host_name | eventstats max(count) as max BY host_name | where count=max | stats values(count) as count, latest(_time) as _time by host_name | fields host_name, count, _time   ... View more

|eval Assignee= case(substr(Support_tier, -2)="02" AND HR_Country="America", "Jeremy", substr(Support_tier, -2)!="02" AND HR_Country="America","Terri") ... View more

Hi @shashank_24  If I understand correctly, you are saying the 70% of all customers ended their journey at the my-offer page. Of the remaining 30%, 50% (i.e. 15% of the original customers) ended their journey at the direct-debit page. Of these 15%, 40% (i.e. 6% of the original customers) ended their journey at the credit-check page. And so on? ... View more

As you say, doing lots of rex can be expensive, so halving this by using the results to classify the event types would surely help. You could add extra matches to your expressions to help classify your events. For example | rex field=event_message "^<(?P<action>Created|Creating) (?P<object>capacity|workflow execution|step execution) sample(\.+| in (?P<sample_creation_time>\d+) ms\.)>$" | rex field=event_message "^<(?P<action>Creating) (?P<object>capacity|workflow execution|step execution) aborted\.)>$"  you would not be able to distinguish these event types purely by the presence of the action and object fields. However | rex field=event_message "^<(?P<action>Created|Creating) (?P<object>capacity|workflow execution|step execution) sample(\.+| in (?P<sample_creation_time>\d+) ms\.)>$" | rex field=event_message "^<(?P<action>Creating) (?P<object>capacity|workflow execution|step execution) (?P<abort>aborted)\.)>$" might give you an extra field which you may not need for anything other than classifying the events. In terms of readability, when evaluating the category, you could repeat the rex but comment it out and actually use alternative methods | eval event_category = case ( /* match( event_message, "^<(?P<action>Created|Creating) (?P<object>capacity|workflow execution|step execution) sample(\.+| in (?P<sample_creation_time>\d+) ms\.)>$") */ if(isnotnull(action) AND isnotnull(object) AND isnull(abort)), action." ".object." sample", You say that you can't ask the developers to use different logs, but can you ask them to include unique patterns in the messages to assist in the classification of the events? Given that you have lots of different event types to categorise, can you put together a presentation for your developers or management to explain why the fast turn around of changing logs is making your job more difficult and if the developers could consider what you need to do with the log messages they are creating new messages, this would save you time and help you keep pace with their changes. Afterall, your dashboards are presumably important (otherwise, why would you be doing it), and the quicker you can get them updated and maintain their accuracy, the more useful they remain. ... View more

| eval Assignee=if(substr(Support_tier,2)="02" OR substr(Support_tier,2)="03","Earl Vieuten","Terri") ... View more

Hi @aditsss  Please read the suggestion carefully - you missed out two important lines ... View more

The first part is your search. This retrieves (matching) event records from your index. The eval will create an additional field for each event for you to use. It would probably be better to do it this way index=main source=windowseventlog sourcetype=access_combined_wcookie | head 1 | eval minutesago=round((now()-_time)/60,0) Since you are interested in when the latest event occurred. Splunk should have put a timestamp on each record in the _time field. This eval calculates  the number of minutes ago that the event was based on this timestamp. In your single, either by editing the XML or by modifying the format of the single in the dashboard editor, your set the range for the different colours you want e.g 0, 10, 30,, 60 etc. for 10 minute, 30 minute, 60 minute thresholds ... View more

| eval secondsago=now()-_time So you can set your ranges to be 10*60 (for 10 minutes) and 24*60*60 (for 24 hours) etc. ... View more

<query>index="ABC" sourcetype=XYZ Timeout $OrgName$ | bin span=1d _time | stats count by _time | addinfo | eval first=round(info_min_time,0) | eval last=round(info_max_time,0)-(60*60*24) | where _time = first OR _time = last | fields _time count </query> ... View more

Yes, edit the XML Add a couple of options to the single <option name="rangeValues">[0,10,20,30]</option> <option name="rangeColors">["0x00FF00","0xFFFF00","0x0000FF","0xFF0000"]</option> You choose appropriate values and colours ... View more

You could make the value of the span in the bin a token and calculate the value of the token in your timepicker. Alternatively, you could take the earliest and latest values from your stats table and remove the other values so that the trend is based on those ... View more

This is discussed in the splunk documentation here  ... View more

This is discussed in the splunk documentation here  ... View more

There as always with splunk a number of different ways to do this. For example, you could have a panel for each log feed with a "<single>" element in each. The data in the single could be driven by the number of days since the latest entry in the log. The number displayed could be coloured depending on its value giving you the various levels of threshold you want. ... View more

The span has to match the difference in days you are interested in i.e. | bin span=6d _time ... View more

Something like this index=test_prod sourcetype=access_combined_wcookie req_content=/checkout/your-details OR req_content=/checkout/direct-debit OR req_content=/checkout/creditcheck OR req_content=/checkout/review-basket OR req_content=/checkout/confirm-order OR req_content=/checkout/order complete | stats latest(req_content) as endofjourney, latest(_time) as _time by uniqueId | bin span=1h _time | stats count by endofjourney, _time | eventstats sum(count) as total by _time | eval percent=round((count * 100) / total, 2) | fields - total, count | xyseries _time, endofjourney, percent If you don't want to include journeys that start with your-details but don't go to any of the other req_content, just remove that from the search ... View more

Connect to the web interface from a browser on your windows machine My guess is that this doesn't work otherwise you wouldn't be asking the question. So the question is, why isn't it working? Firstly, is the web interface running on the linux box? What ip address and port is it listening on? Do you have a network route (through firewalls and the like) to that ip address and port from your windows machine? Are there other ports available which have routes (you might be able to set up a stunnel on your linux box to listen on a port you can reach and redirect traffic to the linux web interface)? ... View more

Have you tried getting the latest req_content by journey, then count these. Then sum these counts and calculate the percentage that each count represents? ... View more

Hi @sumanth_sun  It is not entirely clear what you have in splunk and what search is not working. Can you show an example of the _raw data of a couple of your events and an example of the search which is not working? Obviously, obscuring any sensitive data. ... View more

Hi @jip31  What @thambisetty  has suggested works fine for ABCD "renamed" to AB but I suspect this is just example data and what you want is something more generic, perhaps substr() or replace() might be more useful, you may want to consider using case() and match() to do different "renames" ... View more