Timechart has an option that does exactly this, and it's called "minspan", and it was created precisely for summarized data: ... | timechart minspan=10m count This will have bins that are at least 10m, but perhaps wider, depending on the timerange of the search. This option is compatible with bins, but not span, which is explicit. ... View more

Your best bet is to use the "head" command which can take a predicate instead of an absolute count. For example, the following search only takes (all of) the events from the most recent second from index=_internal: index=_internal | streamstats dc(_time) as dc_time | head dc_time==1 ... View more

Absolutely. | inputlookup <lookup name> will pull the full lookup table. ... View more

An explicit sourcetype in the stanza of inputs.conf should always override the source->sourcetype mapping in props.conf. Removing the inputs.conf configuration will make the props.conf configuration take effect. Another way to fix this is to add another stanza to inputs.conf to monitor /log/syslog-ng/10.1.1.2-*.log and add the sourcetype= directive there. As of 4.1, inputs.conf supports configurations like this. ... View more

You have at least one problem here with your POST. You have to escape the = with %3d in the sourcetype=... Could you try: curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl' You can also try the "export" mode: curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl' This gives you the results directly. If you want CSV out, you can run this as: curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl&output_mode=csv' ... View more

The output of a subsearch is a valid search expression that will match an event when it matches all the fields of any of the rows of the subsearch. So, if your subsearch only emits a single field, nonce , then it will yield a search expression like: nonce=row_1_nonce OR nonce=row_2_nonce OR ... . With this you can compose your search like: sourcetype="log4j" source="*server*" | rex field=_raw "nonce created : (?<nonce>[0-9a-z-]*)" | transaction thread startswith="startTx" endswith="closeTx" | search [search sourcetype="log4j" failed nonce | rex field=_raw "Failed with nonce (?<nonce>[0-9a-z-]*)" | dedup nonce | fields nonce] ... View more

You should use bonnie++. The IO/s is reported as the last column, random seeks/sec. ... View more

I'm pretty sure that's how it has always behaved. To get more series, you need to use the limit argument like: * | timechart span=1h count by splunk_server limit=100 ... View more