Ayn is right. Use a summary index. Do something like this: Every day just after midnight run: earliest=-1d@d latest=-0d@d your search | timechart span=1d count as dailycount | collect index=yoursummaryindex marker="datalabel=onedaycount" Then run this a bit later after that count is done: earliest=-5d@d latest=-0d@d index=yoursummaryindex datalabel=onedaycount | stats avg(dailycount) | collect index=yoursummaryindex marker="datalabel=fivedayavg" Then your search can be something like this instead: index=yoursummaryindex datalabel=fivedayavg | timechart span=1d ... to make your chart. ... View more

The objects are stored in $splunkhome/users/$username/ with saved searches in $splunkhome/users/$username/search/local/savedsearches.conf specifically. Based on the testing I just did, deleting a user no longer removes those files, so you may be able to go grab copies of that user tree. There may be some housekeeping done at some point to remove those, but you can go look. Simply copy the objects you want out of those files (make a backup of the tree somewhere) into the user you want to own it or at the system level and restart Splunk. ... View more

Well, the formatting is hosed, but hopefully what I'm getting at is clear. ... View more

Use timechart. If you mean you want a result for every non-null 15 minute block, do: search ... | timechart span=15m sum(FILESIZE) If you need the minutes in between, you can get meta with something like: search ... | timechart span=15m sum(FILESIZE) as filesum | timechart span=1m filesum Or maybe: search ... |bucket _time span=15m|Stats sum(FILESIZE)by _time as filesum| timechart span=1m filesum You'll have to experiment to get the exact syntax for what you need, but I've used similar types of searches and timechart syntax before to accomplish this. ... View more

This is fairly straight forward. Use rex: http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex Example from that page: ... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)" So, yours would be something like: ... | rex field=Message ".*:.*:\s(?<accountname>\w+)\s.*" I'm fairly sure you need to tweak that regex as I just roughed it out and didn't test it at all, but you ought to get the idea. ... View more

I'm fairly sure the roles and accounts options don't allow for this. You could do something fancy with a UI using the REST API, but that's a huge amount of work. You could, also, create an account on a search head with the summary index data stored locally on the SH and have the role account only have access to the summary index in question and not regular indexes. Then you could have the user use the indexer for non-summary data, which would be restricted to your 30 day parameters. ... View more

At this time I'm fairly certain you can't do it this way. However, you ought to submit a feature request for this. ... View more

Might I suggest either experimenting with your field extraction to not have these entries OR just append: NOT "*Unknown User*" Does that fix it? ... View more

I used this same timechart using a dataset I knew would hav enull results for certain seconds, and I still have an entry for every second in the timechart. I tried doing the |table fieldname... but I got 0 results doing that. Are you looking for the timechart output, or just the list of results? The table at the end would just get you the list of results, right? if you need 86400 entries in the table, you might have to do funny stuff with eval to change the value of the count if it is 0. I'm not entirely clear what the end result you are looking for should be. Could you clarify? ... View more

First, to get results from multiple sources, use this in your search: source=WMI:FOO* So, something like: source=WMI:FOO* BAR=* | timechart span=1m sum(BAR) useother=false Could you clarify (in comments or by editing the question) what specifically you are trying to ignore? You can specify stuff like NOT BAR=0 or things like that... ... View more

I should add that my above search has | collect... after it to send my results into the summary, of course. ... View more

I look at the timestamp of the summary index event last placed into the summary index, then I use it as the starting point of where to start pulling new data from the index with original data. You could expand this by doing an eval to compare the last event in the index and the last event in the summary, but I don't bother since it will get any gap at the end of the summary. If there are no index events after the last entry in the summary, then the search returns nothing places nothing into the summary. The result of that is that the search runs, finds nothing to update, so it doesn't update. ... View more

If you mean to have any searches done on dev to not have a direct impact on production performance, then sure, that will work. However, there is still a performance hit on the prod indexer due to pulling that data from the buckets to supply the dev search head with raw results. As for near real-time, you can run the search every minute if it completes the search in less than 60 seconds, yes. However, you can run a real-time search piped to collect into a summary index. As the docs at http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Collect state: The collect command also works with all-time real-time searches. ... View more

Anonymous posting is likely not allowed in order to build community and to reduce spam problems on Answers. ... View more

I check the last timestamp on the newest entry in a summary index that has the same marker - I tag every entry with something related to the search populating the data so I can use a summary index for multiple results and easily sort them out. I've checked for gaps manually in the past, but I plan on automating this in some way so that when I launch a job to populate the summary index, it will figure out for itself what timestamp to start the search in order to backfill correctly. This would mean no gaps, in theory, so even if I run the job daily but it doesn't get run for days for some odd reason, I still get all my data complete in the summary index. I'm experimenting with something like this: sourcetype=mylogs [search index=summary_mylogs | head 1 | eval earliest=_time | return earliest] latest=now | timechart span=1m count This subsearch gets the timestamp of the last event in the summary index and outputs earliest=### into the main search, which then uses it as the earliest start time for the search. So far it seems to work... ... View more

I suspect in this case, the first search contains a total population of events that have the field EventCode with any value (even null) and the latter search contains a total population of events both with and without the field EventCode in it. ... View more