an accurate number so movement + or - is tracked. ... View more

Hi Martin, What you have described with distinct count is the challenge for me. The events come in a csv input once month which is then summarized. This is a sample event, 2016/05/01,9810440,Infrastructure,Distributed Storage,Backup,Backup,Backup,0.05,DCI Backup,USER SERVICES (blah),WORKSPACE SERVICES (blah),WORKSPACE SERVICES (blah),1580962,S1005WIF790,182976,ORG TRANSFER - TELEPHONY 802,$0 ,0 Cost = $0 Cost Center = 123456 Cost_Center = Distributed Storage Date = 2016/05/01 Feed_Name = blah Backup Host_Name = myhost Org L4 = USER SERVICES (blah) Org L5 = WORKSPACE SERVICES (blah1) Org L6 = WORKSPACE SERVICES (bah2) Org_Description = ORG TRANSFER - TELEPHONY 123 Org_L5 = Backup (Blah5) Org_L6 = 0.05 PPGL1 = Infrastructure PPGL2 = Distributed Storage PPGL3 = Backup PPGL4 = Backup Product = Backup Standard Price = 0.05 Volume = 0 date_mday = 1 date_month = may date_wday = sunday date_year = 2016 date_zone = -240 field1 = 2016/05/01 field2 = 9810440 host = myindexer index = blahblah linecount = 1 punct = //,,_,_,,,_(),.,_,___(),__(),___(),,,,__-__,$_, source = May billing detail.csv sourcetype = blah splunk_server = myindexer indexer tag = index ... View more

Hi Rich, What do you think? Is there away to show that movement of host? Cheers ... View more

Also if I add 1 host and remove another host in a month, the stats will be the same and the delta zero but we had movement... ... View more

This seems to be getting there! | timechart span=1m dc(Host_Name) as Count_Of_Hosts | streamstats window=2 last(Count_Of_Hosts) AS Last, first(Count_Of_Hosts) AS First | eval Delta=Last-First I'm seeing this in the UI The specified span would result in too many (>50000) rows. Could be faster without span and timechart? Maybe just stats? Thanks! ... View more

Error in 'eval' command: The expression is malformed. Expected ). ... View more

link not working. ... View more

username as shown in screen shot a123456 b123456 c123456" followed by /username as shown. It wont let me post as written. ... View more

Thats great thanks. We have one issue that the username can be a multi value entry. This is because support may be remotely logged onto same host so could have 1 2 or 3 entries of username. The one we are interested in is the last value so could be: username= a123456 b123456 c123456 username= b123456 c123456 username= c123456 Any way of exluding the others and ensuring the last one is always picked up in query? Thanks ... View more

Tried to add it and listed the master connected. But then it flaps about not being able to communicate with the license server. Which is odd as the mast is also the license master. Any ideas? ... View more

great thanks. ... View more

Thanks but it does not look like a valid stanza for props. ... View more

Thanks. So in a distributed environment where would that sit? Forwarder IDX or SH? ... View more

The username field can contain sometimes the first character of the users ID is uppercase, and other times they are lower case. In other cases, an engineer logs in for remote assistance and two or three sets of IDs where the right most ID is the one we want. ... View more

updated. thanks ... View more

That's cool and runs quicker. Can date be converted as it was? | convert timeformat="%Y-%m-%d" ctime(_time) AS date Also there a way to Aggregate the number of events per day/ per user? Thanks! ... View more

cool thanks! ... View more

Yeah cool thanks! ... View more