Hi Guys I am trying to create report for calendar week/month rather then last X days, which means if I run the report on Thursday, it will give me result relate to Monday Tuesday Wednesday Thursday If I run the report on Sunday, it will give me the full week report. I also need option can pick previous calendar week/months. Do I have to use time picker each time and choice the specific time? is there option just one click say give me this calendar week/month report and it will dynamically adjust the search time? Thank in advance Regards Sam ... View more

HI Guys I am doing a report for my ticketing system. there is a field call open_time which indicate when is the ticket open, and each time the ticket got an update, there will be a log entry. If I want to create a report that shows ticket opened in last 7 days I will need to exclude the log message relate with a ticket that opened before 7 days but has an update in the last 7 days. I tried following code it works | eval 7daysago=now()-604800 | where opentime>7daysago The limit on this is if you want to run a report for last 30 days, then I have to change the number to 2592000 in the SPL which is not very flexible. I am just wondering if there is a better way to do it. Thx ... View more

Hi I have a table as below, each time run the query it may return different result run 1 day1 10 day2 20 day3 25 run second time day1 10 day2 20 day3 30 day4 10 I want to calculate the average base on how many line there are. So for each table will be calculate as below day1 10 day2 20 day3 25 avgT 18.333 calculation: (10+20+25)/3=18.333 day1 10 day2 20 day3 30 day4 10 avgT 17.5 Calculation: (10+20+30+10)/4=17.5 Any suggestion how I can achieve that? Thanks in advance ... View more

I want to produce a table that show as below hostname ThisWeek LastWeek Different worksta1 223423 2434234 4323 worksta2 223423 2434234 4323 serve1 223423 2434234 4323 What is the best way to achieve that cross all indexs and all hosts? In our environment we have about over 100 index and over 25000 workstation/servers so I cant ready do index=* to load everything. I remember reading something about _internal index has all the information when message coming in is that the case? What about if I do not have access to _internal index, is there any other way can do it? I tried use |metadata type=hosts index=* but the problem is | metadate does not take earliest=-7d latest=now() so I cant put it into one search, I am doing something wrong? Thanks in advance. ... View more

HI I want to use | metadata commend to display sourcetype host and sources at the same time, so far I cant make connection between them. As we know when I run | metadata type=sourcetypes search it will return me sourcetype information,like below firstTime lastTime recentTime sourcetype totalCount type 151572 1515399 152170 RT2RO 108 sourcetypes the output I am looking for is firstTime lastTime recentTime sourcetype totalCount source host 151572 1515399 152170 RT2RO 108 \var\log\a rt2.server.com Can this be done using | metadata command? The reason I want to use it is just because it give result fast 🙂 Thanks in advance ... View more

Currently I have a table generate by my query as below query: index=a | stats count by name code signature name code signature count host1 111 aaaaaaa 34 host1 222 bbbbbb 25 host1 333 cccccccc 7 host2 111 aaaaaaa 26 host2 222 bbbbbb 98 host2 333 cccccccc 75 is there a way to make the table display like below, which only display the hostname once. name code signature count host1 111 aaaaaaa 34 222 bbbbbb 25 333 cccccccc 7 host2 111 aaaaaaa 26 222 bbbbbb 98 333 cccccccc 75 Thanks in advance. ... View more

HI Everyone Is there a way you can see how lookup table examed each value and make the call whether it is match or not. something like you read value A then go into lookup table check line one not match, check line two not match, check line three matched, return value B. I have this time based lookup table looks like below user1 gain_access 24/11/17 11:00 user2 gain_access 24/11/17 12:00 user1 gain_access 23/11/17 10:00 user1 gain_access 24/11/17 15:00 user2 gain_access 24/11/17 11:20 My data is standard Sysmon log I run following queue index=windowslog Image=*\\userinit.exe ParentImage=*\\winlogon.exe | eval AccountName=mvindex(User,1) | stats dc(_time) as eventNums by AccountName _time | rex field=AccountName "(?<Account_Name>\w*\.\w*)" | lookup swipe FullUserName AS Account_Name OUTPUT Action AS hereitis | table Account_Name _time hereitis | sort - _time and the lookup result shows non of the record is match in the lookup table. but I know there are time and Account_Name is matching. I test the lookup table by remove the timebased setting and only let it match the name and it works fine get following result user1 24/11/17 11:00 gain_access gain_access gain_access user2 24/11/17 12:00 gain_access gain_access that make me think it is the time format failed the lookup but I cant tell the different between the lookup table and the actual search time field. Any advice please? Regards Sam ... View more