It just so happens the important service is my splunk indexing, and I'm tracking when the queues become so full the network ports are shut off. I found a way to do this, but it requires a set time range, because you have to hack _time a few times in the search. The idea is to turn the single "on" events into four events - the beginning and end times of the "on" status - and the "off" status just before and after the "on". Then use "connect points" to create the shape! The idea is this: Create the transactions, or pull out some sort of events that you can create a starttime and endtime from. In this case, I used periods when the indexer was unable to receive data because its network port was closed due to over 5 minutes of blocked queues. Transaction gives me _time and _time + duration to use. Create starttime and endtime and snap them down to the 5 minute boundary. Create an earlier time by subtracting one 5-minute time period from starttime and a later time by adding one 5-minute period to endtime Create one big field that you will split into four "events" for graphing - earlier and later with 0s, and starttime and endtime with 1s. Split out the field with makemv , and explode into different events using mvexpand re-create the _time, split-by field and value of 0 or 1 for each "exploded" event Graph them, making sure to select "connect points" as the option for null values! search: index=_internal sourcetype=splunkd listening queues *blocked | transaction host startswith="stopping" endswith="started" | where duration>=300 | eval starttime=_time | bucket starttime span=5m | eval earlier=starttime-300 | eval endtime=_time+duration | bucket endtime span=5m | eval later=endtime+300 | eval values=earlier + "," + host + ",0|" + starttime + "," + host + ",1|" + endtime + "," + host + ",1|" + later + "," + host + ",0" | table values | makemv delim="|" values | mvexpand values | table values | rex field=values "(?<_time>[^,]+),(?<host>[^,]+),(?<value>[01])" | table _time host value | timechart span=5m max(value) by host Click image for full size view: ... View more

If it solves your problem, please mark it as the accepted answer and up vote ... View more

From what I understand it's 2 minutes no matter what your phoneHomeInterval is. ... View more

Annnd we have a winner. 2mins was verified by dev. Thanks for your testing folks, I've always wondered about this one. ... View more

As far as I know, the idea with Report Acceleration is to make the base search the same: my_search | bin _time span=5m | stats count by _time .... But, you can take an idea from "PostProcess" dashboards and ensure that your base search (with statistical command on the end) will solve all your use cases - then accelerate it. For example, 5 minute and 10 minute span data can be created from 5 minute span data output by the stats command, by adding another timechart afterwards when running searches: my_search | bin _time span=5m | stats count by _time .... | timechart span=5m .... my_search | bin _time span=5m | stats count by _time .... | timechart span=10m .... Ensure your statistics functions are right when you collapse 5min spans into 10min spans - do things like sum(count) instead of just count. ... View more

I tested and despite the message saying it has no effect, it certainly does have an effect: ... | timechart minspan=30s count by ... makes 30 second buckets on a Last 15 Minutes search. However, ... | timechart minspan=5s count by ... makes 10-second buckets. Case 114952 filed. ... View more

Also on Splunk 5.0.2, just in flashtimeline or charting views. "Span" is likely a time range you're running the search over - the message would not pop up or all time searches or real time searches - but any other timespan had this message appear. http://[splunk instance]/en-US/app/search/charting/?q=search%20index%3D_internal%20|%20timechart%20minspan%3D30s%20count%20by%20sourcetype&earliest=-24h%40h&latest=now&c.chart=area&c.title=&c.stack=stacked&c.split=false&c.nulls=zero&c.legend=right&c.x.title=&c.y.title=&c.y.min=&c.y.max=&c.y.scale= ... View more

bonus! Now I get to decide who is right... ... View more

This would be useful for custom scripts where you need to store a password. The Splunk DB Connect app (http://splunk-base.splunk.com/apps/50803/splunk-db-connect) has automatic encrypting passwords, but perhaps because this app was integrated into Splunk's password encryption routine. ... View more

Just updated it to polish and leave just the basic and extended answer. Enjoy! ... View more

How about sourcetype=wordcount | dedup string | rex field=string max_match=10000 "(?<abc>abc)" | eval abc=mvcount(abc) | table abc - this does the count of abc in the string (since abc does not contain itself, it is an easy calculation) if you're looking to calculate every count of every word, that gets more interesting, but we can play with regex captures and multivalued fields to get there. Things to remember are: Running a regex multiple times will make it pick up where it left off, so for the word SPLUNK, | rex max_matches=10000 "(?<char>..)" will result in "SP LU NK" instead of "SP PL LU UN NK" that you might want. You can use a trick of capturing data in a positive lookahead which doesn't consume any characters If you don't have any characters outside the zero-width assertion, Splunk won't advance in the regex and will pull up to max_matches of... the beginning of the string. It appears you can't capture both the character and the positive lookahead following it in the same field So, I ended up with a search that captures a character, then the x characters after it into two separate fields, then stitches them together afterwards: | stats count | fields - count | eval string="SPLUNK" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>.{2}))" | eval chars=mvzip(char1, char2) | fields - char1 char2 string | mvexpand chars | eval chars=replace(chars, ",", "") The {2} are the characters after the first one, so that means that you will get words of length 3. The above produces SPL PLU LUN UNK Repeating it a few times for different length words (make sure to do 1-character last, since the mvzip seems a bit particular) gives us the awesome: | stats count | fields - count | eval string="bbacbacbaabbacbaabbccaacbacbaabbacbacbaabcccbaabccaacbabca" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>.{4}))" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>.{3}))" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>.{2}))" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>.{1}))" | rex field=string max_match=9999 "(?<char1>.)(?=(?<char2>))" | eval chars=mvzip(char1, char2) | fields - char1 char2 string | mvexpand chars | eval chars=replace(chars, ",", "") | stats count by chars | sort - count chars count 1 a 22 2 b 19 3 c 16 4 ba 12 5 cb 9 6 cba 9 7 ac 8 8 acb 8 9 acba 8 10 aa 7 ... ... View more

At my client this week they're using HTML modules and custom JS instead of singlevalue modules, due to their lack of drilldown. Now they're getting to the point where they want to drill down further from the HTML modules, so +1 for the ability for HTML to drill down. ... View more

He probably meant this one, posted probably by a teammate a few minutes apart: http://splunk-base.splunk.com/answers/48304/drilldown-for-singlevalue ... View more

They're making a tiered dashboard. Components A, B, and C. Each component has subcomponents 1, 2, and 3 that they want show response times of. So, they show A, B, and C in row 1, then depending on what you click, A1/A2/A3, B1/B2/B3, or C1/C2/C3 should show in row 2. They don't want to show all values for all combinations because it is too much for the user to take in. ... View more

This is a link to itself. Where's the real duplicate? ... View more

I have - but this is a huge XML file that I don't need to waste cpu cycles by fully extracting it out - just certain name value pairs if possible. If rex or spath have a way to set field name as well as value, it would be very helpful ... View more

Thanks Laks. Yes Hexx Splunk is running as the splunk user. It's running on Oracle enterprise linux, apparently a rebadged RHEL 5.6. ... View more

Nope, tried inputlookup, but it's evidently "not supported" by realtime search ... View more