So I think on your streamstats example, the first usage of streamstats should be replaced with at "| stats" command instead. So something like this. | inputlookup direct_deposit_changes_v4_1_since_01012020.csv | eval _time=strptime(_time,"%Y-%m-%d") | stats count as daily_count by _time | sort 0 +_time | streamstats window=28 list(daily_count) as values_added_together, sum(daily_count) as sum_daily_count | table _time, daily_count, values_added_together, sum_daily_count   ... View more

Oh wow okay, you are using dashboard studio which is pretty different than legacy XML dashboards. I can try doing your use-case using dashboard studio and see if I can get it figured it out. ... View more

I agree with @gcusello here. I did notice the use of the | top limit=1 Source_Network_Address in the original subsearch which I think implies that you are trying to scope the search down to a single IP address that shows up the most often in the windows_logs index and not in the 192.168.0.0/16 range. Which I think can be done with a couple of additional lines like this. (index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe") | eval c_ip=coalesce(Source_Network_Address,c_ip) | stats dc(index) AS index_count, count(eval('index'=="windows_logs")) as win_log_count, values(*) AS * BY c_ip | where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip) | sort 1 -win_log_count   ... View more

You can check if thats the case with this.       | makeresults count=15 | fields - _time | streamstats count as daily_count | streamstats window=5 list(daily_count) as values_added_together, sum(daily_count) as sum_daily_count         As you can see in the column "values_added_together" gives you a list of numbers that are being added together on each step.  This is basically the same thing the foreach loop is doing against the multivalue field just using the previous 4 entries to add instead of the next 4 entries. Ultimately, I think you would get the same results, just shifted a couple of rows depending on which method is used. The streamstats method also will include the first few entries summing up less than 5 values because there is not 5 preceeding values until it gets to row 5. Another screenshot as a POC: And to really drive it home here is a tabled visual representation of both methods together in comparison to their respective row of the original daily_count value. Values are all the same just shifted depending on if the moving window is looking back/forward   ... View more

And seeing how you will be utilizing the final results I think this query would probably give you the same results and would be much simpler.   | inputlookup direct_deposit_changes_v4_1_since_01012020.csv | eval _time=strptime(_time,"%Y-%m-%d") | stats count as daily_count by _time | sort 0 +_time | streamstats window=5 sum(daily_count) as sum_daily_count   ... View more

daily_count should be a multivalue field at the time of invoking the | foreach mode=multivalue daily_count probably something like this | inputlookup direct_deposit_changes_v4_1_since_01012020.csv | eval _time = strptime(_time,"%Y-%m-%d") | stats count as daily_count by _time | mvcombine daily_count ```Your code: renamed nums to daily_count.``` | eval cnt=0 | foreach mode=multivalue daily_count [| eval summation_json=if( mvcount(mvindex(daily_count,cnt,cnt+2))==3, mvappend( 'summation_json', json_object( "set", mvindex(daily_count,cnt,cnt+2), "sum", sum(mvindex(daily_count,cnt,cnt+2)) ) ), 'summation_json' ), cnt='cnt'+1 ] ```My code: Part 2``` | rex field="summation_json" "sum\"\:(?<sum_daily_count>\d+)\}" | fields sum_daily_count | mvexpand sum_daily_count ... View more

Sorry, your initial post made it sound like you already have the tokens $Numerator$ and $Denominator$ ready to go. I'm a bit lost on the error you are describing. But just going off your initial post, Two searches feeding two radial gauges using a "| stats count" to transforms the searches into a single value in a field named "count".  I would use a done tag in the XML to set the resulting field "count" value of search1 to a token named "Numerator" and another done tag for search2 to set resulting field "count" value to token "Denominator". With these two tokens set based on the results of the two searches, they can be used elsewhere on the dashboard, including getting injected into an eval expression directly after a generating command "| makeresults" Here is an example of this methodology used here. And a snippet of XML used to do this. Obviously you would need to put your own searches into the radial gauge panels. <row> <panel> <chart> <title>Search to generate numerator</title> <search> <query> | makeresults count=173 ``` search1 goes here - replace the makeresults above with your own search ``` | stats count as count </query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <set token="Numerator">$result.count$</set> </done> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[0,250,500,1000]</option> <option name="charting.chart.style">shiny</option> <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option> </chart> </panel> <panel> <chart> <title>Search to generate denominator</title> <search> <query> | makeresults count=1026 ``` search2 goes here - replace the makeresults above with your own search ``` | stats count as count </query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <set token="Denominator">$result.count$</set> </done> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[0,250,500,1000]</option> <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option> </chart> </panel> </row> <row> <panel> <title>01/09/2024 - dashboard component show fraction of two search results as percentage</title> <single> <search> <query>| makeresults | eval result=round((tonumber("$Numerator$")/tonumber("$Denominator$"))*100)."%" | fields - _time</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="height">181</option> </single> </panel> </row>  The reason for showing you this is to demonstrate setting tokens based on results of another search by use of the "<done>" and "<set>" tags. Anytime you have a single result in the final output of a search on a dashboard, your should be able to tokenize this value by using these (<done>|<progress>)(<condition>)?(<set>|<eval>) and referencing $result.<fieldname>$ where <fieldname> is the fieldname of the valiue you are trying to tokenize from the search. Apologies if this isn't helpful but I am struggling to follow your questions without more context. And as for the usage of the "fields" command, I was just removing the _time field (| fields - _time) from results as it is not required to display the percentage result on the dashboard panel. ... View more

With the assumption the field MSG_DATA is properly extracted and a valid XML object then I think this SPL will get you a MV field of "file_title". <base_search> | eval file_title=coalesce(spath(MSG_DATA, "Message.additionalInfo.fileDetails{}.fileDetail.title"), spath(MSG_DATA, "Message.additionalInfo.fileDetails.fileDetail.title")) Screenshot of it on my local instance:   ... View more

I'm not sure If I am completely understanding the ask here but will give it a shot. So just going off your 2 sample events I think something like this would work. (There is an assumption that the fields "JOB_RESULT", "JOB_NAME", and "PROJECT_NAME" are already extracted and ready to use) This search is tallying up the success and fails across all jobs grouped into the projects, so each project will have its own row in the final results. <base_search> | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME  Output would look something like this. Or if you need it more granular to see the numbers at the Job level you can use this. <base_search> | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME  This will provide you output that each unique combo of PROJECT_NAME/JOB_NAME will have their own row and output would look like this. For reference, here is the SPL used to simulate your problem on my local instance. | makeresults | eval _raw="{ PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success }" | append [ | makeresults | eval _raw="{ PROJECT_NAME = project2 JOB_NAME = job2 JOB_RESULT = fail }" ] ``` | extract pairdelim=" " kvdelim="=" | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME ``` | extract pairdelim=" " kvdelim="=" | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME ... View more

You can try putting a makeresults command at the start of your third search an it may work. Assuming the the tokens $Denominator$ and $Numerator$ both populate as expected then running this SPL on your dashboard should do it.   | makeresults | eval result=round((tonumber("$Numerator$")/tonumber("$Denominator$"))*100)."%" | fields - _time    POC on local instance:     ... View more

This is a really neat problem! Does doing something like this get you where you are trying to go?       | makeresults | fields - _time | eval nums="1,2,3,4,5,6,7,8,9,10" | makemv nums delim="," | eval cnt=0 | foreach mode=multivalue nums [ | eval moving_window_size=3, summation_json=if( mvcount(mvindex(nums,cnt,cnt+('moving_window_size'-1)))=='moving_window_size', mvappend( 'summation_json', json_object( "set", mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)), "sum", sum(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1))) ) ), 'summation_json' ), cnt='cnt'+1 ]       End result looks something like this:   I'm sure this can be standardized more and not sure how you want the final results to be formatted but you should be able to parse out the final MV json objects to get what you need out of them. Update: With the addition of the field "moving_window_size" it is a bit more standardized. And here it is in a slightly different format (summations associated with their own fields):   | makeresults | fields - _time | eval nums="1,2,3,4,5,6,7,8,9,10" | makemv nums delim="," | eval cnt=0 | foreach mode=multivalue nums [ | eval moving_window_size=3, iter_count="iteration_".'cnt', summation_json=if( mvcount(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)))=='moving_window_size', if( isnull(summation_json), json_object('iter_count', sum(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)))), json_set(summation_json, 'iter_count', sum(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)))) ), 'summation_json' ), cnt='cnt'+1 ] | fromjson summation_json | fields - summation_json, iter_count, cnt | fields + nums, iteration_*     And this SPL to try and simulate your original use-case (also added some addition context in the output): | makeresults count=1500 | eval low=1, high=100, rand=round(((random()%'high')/'high')*('high'-'low')+'low') | stats list(rand) as nums | eval cnt=0 | foreach mode=multivalue nums [ | eval moving_window_size=5, summation_json=if( mvcount(mvindex(nums,cnt,cnt+('moving_window_size'-1)))=='moving_window_size', mvappend( 'summation_json', json_object( "set", mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)), "sum", sum(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1))), "average", sum(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1)))/'moving_window_size', "min", min(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1))), "max", max(mvindex('nums', 'cnt', 'cnt'+('moving_window_size'-1))) ) ), 'summation_json' ), cnt='cnt'+1 ] | eval average_sum=sum(mvmap(summation_json, tonumber(spath(summation_json, "sum"))))/mvcount(summation_json), min_sum=min(mvmap(summation_json, tonumber(spath(summation_json, "sum")))), max_sum=max(mvmap(summation_json, tonumber(spath(summation_json, "sum")))) You can see by the screenshot below that I hit some Splunk limits when trying to put together a MV field with 1,500 entries (truncates to 250). But other than that it seems to work.   ... View more

Just want to pop in and let you know that I think this SPL you shared is not actually capturing the minutes>55 but including the minutes between 0 and 9 just because of the way that Splunk buckets time windows. You should be able to see this demonstrated with this SPL <base_search> | eval true_minute=strftime(_time, "%M"), true_hour=strftime(_time, "%H") | bin span=10m _time | eval bucketed_minute=strftime(_time,"%M"), bucketed_hour=strftime(_time, "%H") | where 'bucketed_minute'>54 OR 'bucketed_minute'<6 | dedup true_minute  Results I'm seeing look something like this. To stay in the spirit of the simpler SPL and to build on your methodology, I think something like this would do the trick. Here is sample code as a POC of the minutes being bucketed properly. <base_search> | where tonumber(strftime(_time, "%M"))<=5 OR tonumber(strftime(_time, "%M"))>=55 | eval date_minute=strftime(_time, "%M"), date_hour=strftime(_time, "%H"), original_time=strftime(_time, "%Y-%m-%d %H:%M:%S"), snap_time=case( 'date_minute'>=55, strftime(relative_time(_time, "@h+1h"), "%Y-%m-%d %H:%M:%S"), 'date_minute'<=5, strftime(relative_time(_time, "@h"), "%Y-%m-%d %H:%M:%S") ) | fields - _time | fields + original_time, snap_time, date_hour, date_minute   And to use this method with your original ask it would look something like this. <base_search> | where tonumber(strftime(_time, "%M"))<=5 OR tonumber(strftime(_time, "%M"))>=55 | eval date_minute=strftime(_time, "%M"), date_hour=strftime(_time, "%H"), _time=case( 'date_minute'>=55, relative_time(_time, "@h+1h"), 'date_minute'<=5, relative_time(_time, "@h") ) | stats count as count by _time  Examples:     Both 07:57 AM and 08:04 would fall into the 8:00 AM bucket in the stats count by. ... View more

Looking at the conf files and navigation for app https://splunkbase.splunk.com/app/3786 It looks like the "Teams Call QoS" dashboard should be located at. From the App navigation menu:     Teams ==> Call Record Monitoring ==> Teams Call QoS There is also a file in <app>/default/data/ui/views/teams_call_qos.xml on the most recent version I just looked at. so not really sure why it wouldn't be available ... View more

This sounds like a good use case to utilize the WILDCARD(keyword) capability within advanced settings in lookup definitions. I tried it out on a local instance and think I got what you are looking for.   Wildcards will need to be included in the lookup though so would look like this. And if you are only looking for matches against the beginning of the "Asset" field value then you can also just set up the wildcards on the end of the values in lookup (This example also has a net-new field in lookup to retain the original keyword value in the lookup in case it is needed elsewhere) and under the advanced settings checkbox in the lookup definition you would configure the field "keyword" to match with wildcards like this (you can turn off case-sensitivity too.   Note: If you decide to go with the wildcard match using a new "keyword_wildcard" field from lookup you will have to adjust the lookup definition advanced settings to WILDCARD(keyword_wildcard) instead.   Example SPL:     <base_search> | lookup splunk_community_keyword_association keyword as Asset OUTPUT country as match_country | eval country=coalesce(if(NOT match(country, "^(?i)(?:unknown|not\s+available|n\/a|na)$"), 'country', null()), 'match_country')     Full SPL to simulate:   | makeresults | eval Asset="braiskdidi001", country="Britain" | append [ | makeresults | eval Asset="breliudusfidf002", country="Unknown" ] | append [ | makeresults | eval Asset="bruliwhdcjn001", country="not available" ] | rename country as country_from_index ``` lookup wildcard match against Asset field value to the keyword_wildcard field in lookup and return the country if match is found ``` | lookup splunk_community_keyword_association keyword_wildcard as Asset OUTPUT country as country_from_lookup ``` evaluate new country field that uses derived country from lookup if a match is found and the country_from_index indicates that it was not found ``` | eval coalesced_country=coalesce(if(NOT match(country_from_index, "^(?i)(?:unknown|not\s+available|n\/a|na)$"), 'country_from_index', null()), 'country_from_lookup') | fields + _time, Asset, country_from_index, country_from_lookup, coalesced_country     Referenced splunk_community_keyword_association.csv country keyword keyword_wildcard Britain bru bru* Britain bre bre* USA usa usa* ... View more

I also was looking for something that did this for a really long time and could never find anything.  I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing). I feel like there is some way of doing this that exists somewhere but have not had much luck finding it.  So went ahead and tried making a custom command to do it and it actually seems to work out pretty well. I do want to note that this custom command is recursive in a sense that it expands the macros all the way down. Meaning that if there are nested macros that this will expand the nested ones as well all the way unil there are no more macros to expand. So end result should be a fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field so it will also return that SPL that would run for that specific search with the given arguments. You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field): If you are still interested in this than you can give this a try, I think it will require entries in a commands.conf, searchbnf.conf metadata/local.meta and a custom python script in bin/ There is also a dependency on Splunk Python SDK. Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality. ... View more

You can try utilizing a foreach mode=multivalue loop to gather deltas between the timestamps and then do descriptive statistics around the new delta MV field. Something like this: <base_search> ``` sorting event_time mvfield values ``` | eval event_time=mvsort(event_time) ``` initializing field current for the nex foreach loop ``` | eval current=mvindex(event_time, 0) ``` loop through each value in event_time and subtract the preceding value to get a delta ``` | foreach mode=multivalue event_time [ | eval tmp_delta='<<ITEM>>'-'current', delta=mvappend(delta, tmp_delta), current='<<ITEM>>' ] ``` removing these fields as they are no longer needed ``` | fields - current, tmp_delta | eval ``` stripping off first entry from delta mvfield since it will always be zero and skew stats ``` delta=mvindex(delta, 1, -1), ``` calculate avergae delta betwwen timestamps ``` avg_delta=avg(delta), ``` diff is a temp field to assist with evaluating the standard deviation s=√(Σ((delta-avg_delta)^2/(n-1))) ``` diff=mvmap(delta, 'delta'-'avg_delta'), diff_2=mvmap(diff, pow(diff, 2)), stdev_delta=sqrt(sum(diff_2)/(mvcount(diff_2)-1)), ``` evaluate variance ``` variance_delta=pow('stdev_delta', 2) ``` remove diff fields as they were temporary to calculate standard deviation ``` | fields - diff, diff_2 ``` zscore for more detail ``` | eval zscore_delta=mvmap(delta, (('delta'-'avg_delta')/'stdev_delta')) ``` human readable format (duration) of deltas for context ``` | eval stdev_duration=tostring(stdev_delta, "duration"), range_delta=max(delta)-min(delta), range_duration=tostring(range_delta, "duration") ``` just sorting fields list for final display ``` | fields + event_time, delta, zscore_delta, avg_delta, stdev_delta, variance_delta, range_delta, stdev_duration, range_duration  It should return you a table that looks like this.   ... View more

Not sure if you still need this answered but figure I'd give it a shot in case anybody else has a similar problem they need to solve. I think something like this would do what you are looking for. <base_search> ``` lookup historical values for each user (potentially mv field) ``` | lookup <lookup_name> user OUTPUT Amount_Hist ``` loop through Amount_Hist values and finding the diff of each compared to the users current value, then take the minimum value and assign it to it's own field "Amount_Hist_min_diff" ``` | eval Amount_Hist_min_diff=min( case( mvcount(Amount_Hist)==1, abs('Amount_Hist'-'Amount'), mvcount(Amount_Hist)>1, mvmap(Amount_Hist, abs('Amount_Hist'-'Amount')) ) ), ``` loop back through historical values and only return the values whos diff is equal to the minimum diff value assigned previously ``` Closest_Amount_Hist_value=mvdedup( case( mvcount(Amount_Hist)==1, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null()), mvcount(Amount_Hist)>1, mvmap(Amount_Hist, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null())) ) )  You can see that the field "Closest_Amount_Hist_value" holds the value closest the the user's current value, this can potentially hold multiple values if they are are equidistant from the current value. As show below.     ... View more

Ahh okay, Give this a try.   <base_search> | where ('_time'>=relative_time(_time, "@h-5m@m") AND '_time'<=relative_time(_time, "@h+5m@m")) OR ('_time'>=relative_time(_time, "+1h@h-5m@m") AND '_time'<=relative_time(_time, "+1h@h+5m@m")) | eval upper_hour_epoch=relative_time(_time, "+1h@h"), lower_hour_epoch=relative_time(_time, "@h"), upper_hour=strftime(relative_time(_time, "+1h@h"), "%Y-%m-%d %H:%M:%S"), lower_hour=strftime(relative_time(_time, "@h"), "%Y-%m-%d %H:%M:%S"), upper_hour_diff=abs('_time'-'upper_hour_epoch'), lower_hour_diff=abs('_time'-'lower_hour_epoch'), diff_minimum=min(upper_hour_diff, lower_hour_diff) | foreach *_diff [ | eval snap_hour=if( 'diff_minimum'=='<<FIELD>>', '<<MATCHSTR>>', 'snap_hour' ) ] | stats count as count, min(_time) as min_time, max(_time) as max_time by snap_hour | convert ctime(min_time), ctime(max_time)    The output should only include results +/- 5 minute window around each hour And if you need to differentiate between the event_counts that fall in the lower 5 minutes and upper 5 minutes you could do something like this. <base_search> | where ('_time'>=relative_time(_time, "@h-5m@m") AND '_time'<=relative_time(_time, "@h+5m@m")) OR ('_time'>=relative_time(_time, "+1h@h-5m@m") AND '_time'<=relative_time(_time, "+1h@h+5m@m")) | eval upper_hour_epoch=relative_time(_time, "+1h@h"), lower_hour_epoch=relative_time(_time, "@h"), upper_hour=strftime(relative_time(_time, "+1h@h"), "%Y-%m-%d %H:%M:%S"), lower_hour=strftime(relative_time(_time, "@h"), "%Y-%m-%d %H:%M:%S"), upper_hour_diff=abs('_time'-'upper_hour_epoch'), lower_hour_diff=abs('_time'-'lower_hour_epoch'), diff_minimum=min(upper_hour_diff, lower_hour_diff) | foreach *_diff [ | eval snap_hour=if( 'diff_minimum'=='<<FIELD>>', '<<MATCHSTR>>', 'snap_hour' ) ] | fields - diff_minimum, lower_hour, lower_hour_diff, lower_hour_epoch, upper_hour, upper_hour_diff, upper_hour_epoch | eval snap_hour_epoch=strptime(snap_hour, "%Y-%m-%d %H:%M:%S"), group=if( '_time'-'snap_hour_epoch'>=0, "+5m", "-5m" ) | stats count as count by snap_hour_epoch, group | sort 0 +snap_hour_epoch | rename snap_hour_epoch as _time  Example output:   ... View more

Are you wanting the the 3 5-minute buckets added together or is okay if they are separated? You can try something like this but is still separated out into their respective 5 minute buckets. <base_search> | bucket span=5m _time | stats count as count by _time | eval count=if( '_time'==relative_time(_time, "+1h@h-5m@m") OR '_time'==relative_time(_time, "@h+5m@m") OR '_time'==relative_time(_time, "@h"), 'count', null() ) | where isnotnull(count) | sort 0 +_time Example output:   ... View more