Hi There!    I would like to export more than 50k rows in lookup editor app of the results of kv store lookup file,     I tried even changing the limits.config file, but it is not working fine, [searchresults] maxresultrows = 500000 [stats] maxresultrows = 500000 [top] maxresultrows = 500000 Can anyone say about the solution for this?   Thanks in Advance! ... View more

Hi There,     These results are for a particular serial number, we do have many results like this for several serial number,     Row 1 are the results from index    Row 2 are the results from lookup file, The objective is remove the unwanted data, When the src_name consists of "aap", then its unwanted data, by removing app in src_name field in row1(which is result of index), the same src_name should not be considered, which in the sense, these both records having same src_name of a particular number, these both recors should be excluded in results. Eg. Input item email_new item_model in_inventory is_apple src_name src_name_concat serial_number 5cg01233 hello@company.com HP 1 0 aap-5cg01233 aap-5cg01233 5cg01233 s102910 hai@company.com 1 0 5cg0233 5cg01233 5cg1435 yess@company.com Dell 1 0 5cg1435 5cg1435 5cg1435 s109525 no@company.com   1 0 5cg1435 5cg1435   Output  -since only row is not consists of aap, so considering item email_new item_model in_inventory is_apple src_name src_name_concat serial_number 5cg1435 yess@company.com Dell 1 0 5cg1435 5cg1435 5cg1435 ... View more

Hi There,    I would like to export the results of kv lookup file in a lookup editor, but the results after exporting is only 50k records, even the original results is 80k records, How to download the entire results in a single file? Thanks! ... View more

My requirement is to utilize the results of the sub-search and use it with the results of the main search results, but the sourcetype/source is different for the main search and sub-search, Im not getting the excepted results when using format command or $field_name, inputlookup host.csv - consists of list of hosts to be monitored main search    index=abc source=cpu sourcetype=cpu CPU=all [| inputlookup host.csv ] | eval host=mvindex(split(host,"."),0) | stats avg(pctIdle) AS CPU_Idle by host | eval CPU_Idle=round(CPU_Idle,0) | eval warning=15, critical=10 | where CPU_Idle<=warning | sort CPU_Idle sub-search [search index=abc source=top | dedup USER | return $USER]  there is a field host , which is common in both, ,the events from index=abc source=cpu sourcetype=cpu does not contain a USER field, since the USER field is there when source=top, not in source=cpu ... View more

My requirement is to utilize the results of the sub-search and use it with the results of the main search results, but the sourcetype/source is different for the main search and sub-search, Im not getting the excepted results when using format command or $field_name, inputlookup host.csv - consists of list of hosts to be monitored main search  index=abc source=cpu sourcetype=cpu CPU=all [| inputlookup host.csv ] | eval host=mvindex(split(host,"."),0) | stats avg(pctIdle) AS CPU_Idle by host | eval CPU_Idle=round(CPU_Idle,0) | eval warning=15, critical=10 | where CPU_Idle<=warning | sort CPU_Idle sub-search [search index=abc source=top | dedup USER | return $USER] ... View more

index=sap source=P* (EVENT_TYPE=abc) | fields FDATE FTIME LDATE LTIME QDEEP QNAME FIRSTTID QSTATE EVENT_TYPE source | eval earliestCT = strptime(strftime(now() + `utcdiff("America/Chicago")`,"00:00:00 %m/%d/%Y America/Chicago"),"%H:%M:%S %m/%d/%Y %Z"), latestCT = strptime(strftime(now() + `utcdiff("America/Chicago")`,"23:59:59 %m/%d/%Y America/Chicago"),"%H:%M:%S %m/%d/%Y %Z"), DateCT = strftime(now() + `utcdiff("America/Chicago")`,"%m/%d/%Y"),Created = strptime(FDATE." ".FTIME,"%Y%m%d %H%M%S"), lastupdate=strptime(LDATE." ".LTIME,"%Y%m%d %H%M%S") | where Created >= earliestCT AND Created <= latestCT | dedup source EVENT_TYPE QNAME FIRSTTID | stats sum(QDEEP) as TotalEntries values(DateCT) as DateCT by source EVENT_TYPE | lookup Lookup_SAP_PERF_EntryThresholds.csv source EVENT_TYPE OUTPUTNEW Threshold LastAlertedDate | where (tostring(DateCT) != tostring(LastAlertedDate)) AND match(Threshold,".+") AND (TotalEntries >= Threshold) To add new requirement in the existing alert, When the entries are greater than threshold and staying for more than 10 mins and not reducing further then it should trigger. ... View more

My requirement is to notify when the job runs more than the specified time, condition 1 - the first job of every day should run less than 45mins, if exceeds than 45mins, trigger an alert condition 2 - Rest of all jobs of all days should not exceed 10 mins, if exceeds 10 mins, trigger an alert  condition 3 - Is these jobs does not run every 15 mins (job needs to start its run for every 15 mins), need to trigger an alert ... View more