you could add a table showing the min and max _time, like that: index=main | stats min(_time) AS startDate, max(_time) AS endDate | convert timeformat="%F %T" ctime(*Date) Just add it as another element to the Dashboard in a table format. ... View more

Seems to be a bug, the workaround is to add the quotes as you did, it worked for me: index=main | eval test=[ search index=other_index | head 1 | eval fieldA="\""+fieldA+"\"" | return $fieldA] ... View more

Just change the line: <div class="dashboard-cell" style="width: 33.3333%;"> and define the "width: 20%;", it'll look like that: <div class="dashboard-cell" style="width: 20%;"> I did that using the HTML Editor inside Splunk and works for me. ... View more

Hello, there are couple of way to get things done... depending how you would like to see the data at the end. If you just want to keep fields that don't match you could use "append" command and "dedup" things at the end, something like that: index=main source=a | append [search index=main source=b] | dedup pk, fieldA The example above you make an union of both sources and after that, keep only one occurrence for every pk, fieldA combination. The dedup command has some option, to determine which event is to be kept. Another way you might want to simply show if the event repeats or not, like: index=main source=a | append [search index=main source=b] | eventstats count AS occurrences BY pk, fieldA This last example you add a field named "occurrences" to each event and which will tell you the number of time the fields "pk" and "fieldA" repeated. After that you could filter based on that, like "| where occurrences > 1" Let me know if that gets close to what you need... Cheers ... View more

The "top" command will return count and percentage. You can remove the count column by adding "| fields - count" at the end. ... View more

if you already have the fields extracted, just use the "case" example I posted, adjusting it for the field and ranges you wish, like: index=main | eval range=CASE(myField < 0, "veryfast", myField < 3, "normal", myField < 5, "slow") | top range. It'll show a table, or chart with the values and %. ... View more

Could pls post some example of the raw data? ... View more

The other option is to do a JOIN for each field you need... index=temp sourcetype=syslog type=B dst=* | join max=1 type=left sessionod, dst [ search index=temp sourcetype=syslog type=B deliver=* | eval dst=deliver | fields sessionid, dst, deliver ] | join max=1 type=left sessionid [ search index=temp sourcetype=syslog type=A sender=* | fields sessionid, sender ] | join max=1 type=left sessionid [ search index=temp sourcetype=syslog type=A subject=* | fields sessionid, subject ] | table sessionid,sender,subject,dst,deliver ... View more

What sort of stats do you need? For mvexpand, you probably need to "|mvexpand dst | mvexpand deliver | where dst=deliver| table..." ... View more

Here a feedback from Splunk Support: ==== Hi Musskopf, I just wanted to let you know that this issue has been fixed in development. The functionality will return in 6.1.4 when that is released. Best Regards, Louis Agnone Splunk Support ... View more

Sorry, I couldn't understand your question. Do you have an example of your data and an example how the report should look like? The only thing I can think now is using the command: | eventstats count AS calls BY Country,caller_no It would add to each event the number of calls a "caller_no" did to each country (computed over all events). From there you might be able to extract what you're after, like: | stats max(calls),min(calls) by caller_no ... View more

Sounds to be a bug or need to change an undocumented variable. Meanwhile just create a symblink 🙂 ... View more

What's your IIS version? Have you try to install the "MS Advanced Logging Module"? http://www.iis.net/downloads/microsoft/advanced-logging ... View more

Create an alert based on this search: index=main earliest=-24h@h latest=now | fields host,source | dedup host,source | eval hasData=0 | append [ search index=main earliest=-5m latest=now | stats count AS hasData by host,source ] | table host,source,hasData | dedup host,source sortby -hasData | search hasData=0 The idea is basically first list all sources/hosts we know about for the last 24h. Later you append a search on the data you have for the last 5 minutes. You'll endup with duplicated record for source/host combination you have data and single record for source/host you don't. Eliminate the duplicate and see the ones with 0. You can tune the 24h and the last 5 minutes according to you needs. Hope it helps. Cheers! ... View more

Good stuff! Don't forget to accept the answer to help others finding this information. Btw, have a look on this App: http://apps.splunk.com/app/1151/ is says Active Directory but you can use with any LDAP and might do what you're after. Cheers! ... View more

Go to your $SPLUNK_HOME/etc/system/bin and look for the script "external_lookup.py". That's a very simple example. For you to understand, the lookup script receives the data via PIPE in CSV format and return the same data with the lookup fields populated, for example (on Linux): Create a file /tmp/test.csv with the content: host,ip google.com, microsoft.com, Run the commands (adapt to your environment): export SPLUNK_HOME=/apps/splunk export PYTHONPATH=$SPLUNK_HOME/lib/python2.7 cat /tmp/test.csv | $SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/system/bin/external_lookup.py host ip You should see an CSV output like that: host,ip google.com,131.242.32.38 google.com,131.242.32.42 (...) google.com,131.242.32.37 microsoft.com,134.170.185.46 microsoft.com,134.170.188.221 The output above is how the lookup works... it injects a CSV with all fields, including the empty ones and your script will be responsible to handle it and fill the gaps. Now if you decide to use any Python library, make sure it exists inside $SPLUNK_HOME/lib/python2.7, and Splunk will run all Python scripts using it's own Python and not the Python the your OS. If you can't find a required library you might need to compile it using an Python 2.7 and copy there... you might get around by copying the OS one there, but I already have trouble doing that as my OS uses Python 2.6. Hope it helps! ... View more

One more thing, the data for all lookups might be the same on all servers you're deploying it, right?! if that's the case you might decide to use a NFS or Samba share to store this file instead of re-create it on all servers each night. ... View more

I have something similar. I've create a "core" app with my important and shared lookups so I can play with the other apps without worrying about it. Just make sure you configure the permissions for the lookup file and definitions to "all apps" ... View more

Hello, You could use like that: index=downtimes | addinfo | eval reportDuration=info_max_time-info_min_time | stats sum(downTimeInSec) AS totalDowntime, values(reportDuration) AS reportDuration by site | eval percentDown=(totalDowntime*100)/reportDuration the addinfo will add some information related to your search, and now you can use it. You report will show the % based on the period you searched. ... View more

Just tried now and it didn't work. Created a saved search with no results, still showing: Encountered an error while reading file '/xxxx/splunk/dispatch/scheduler_admin_dxxxxjcmVlbg_RMD5edaa75325ad60f36_at_140999940_5127/results.csv.gz'. ... View more

So, in my view you'll need to use the lookup approach, having a table like that: client, date_wday, date_hour, SLA clientA, monday, 1, 2 clientA, , 2, 2 (...) clientB, , 8, 4 After the lookup you'll have the SLA column for each event, where you can use a eval to define if the ticket met the SLA or not... could of IFs or CASEs. ... View more

You can use couple o thing, maybe use date_wday together with date_hour to filter your results and will be enough for you... index=test AND (date_wday="monday" OR date_wday="tuesday" OR...) AND (date_hour>=8 AND date_hours<=18) | stats count AS tickets_business_hours But a more sophisticated approach might be using a lookup table to check those values and return what sort of SLA it fits in. For example, Create a csv like: date_wday, date_hour, sla monday, 1, "24x7" monday, 2, "24x7" (...) monday, 8, "8x5" and use it as lookup: index=test | lookup sla_periods date_wday, date_hour OUTPUT sla | count by sla You can even do another lookup with the holiday after that, which will override the sla from the first lookup. Hope it helps! ... View more