I am guessing this is data in a lookup file rather than event data - if you have event data you would already have a time stamp in the event which may or may not be the same as Timestamp. However, in your specific example, assuming no _time field, the just parse the Timstamp field and use stats latest to get the latest, i.e. | makeresults format=csv data="Name,Status,Timestamp ABC,F, 04/24/2025 15:30:03 ABC, R, 04/24/2025 15:15:01" | eval _time = strptime(Timestamp, "%m/%d/%Y %T") | stats latest(*) as * by Name ... View more

That doesn't sound right - are you referring to a multi-value field? | makeresults | fields - _time | eval value=split("ABC","") | search value=A AND value=C This search above will find a result for A and C, but if you change it to A and D it does not find results. Can you give an example of your results in the OR case ... View more

Note that this means when you select "All" it removes the other options if selected and vice versa, if you have All selected and choose one of the other options, it removes "All" from the list of selections. ... View more

To handle an 'All' static option in the multiselect, add this change element <change> <condition match="$form.webuser=&quot;*&quot;"> <set token="webuser"></set> </condition> <condition> <eval token="form.webuser">case(mvcount($form.webuser$)="2" AND mvindex($form.webuser$,0)="*", mvindex($form.webuser$,1), mvfind($form.webuser$,"^\\*$$")=mvcount($form.webuser$)-1, "*", true(), $form.webuser$)</eval> </condition> </change> ... View more

If you have a timechart split by a field, then it's different to stats, because your field name is not called total. You need to use this type of constrct | foreach * [ | eval <<FIELD>>=round('<<FIELD>>'/7.0*.5, 2) ] Here's an example you can run that generates some random data | makeresults count=1000 | eval p=random() % 5 + 1 | eval player="Player ".p | streamstats c | eval _time=now() - (c / 5) * 3600 | timechart span=1d count by player | foreach * [ | eval <<FIELD>>=round('<<FIELD>>'/7.0*.5, 2) ] However, it's still not entirely clear what you are trying to do. You talk about a week of 700 but are timecharting by 1 day and you say if Lebron has 100 one week - what are you trying to get with the values by day? Are you trying to normalise all players so they can be seen relative to each other or something else? Perhaps you can flesh out what you are trying to achieve if you think of your data as a timechart. ... View more

So if you have the stats that results in the number, e.g. .... | stats sum(amount) as total by source | eval total=total/7*.5 but without knowing what you've tried so far, this may or may not be useful. It's often good to show what you've done with your SPL along with an explanation of your problem as it helps us understand where you're trying to get to.   ... View more

Not entirely sure what you're trying to do, but this is a macro for the haversine formula eval hv_rlat1 = pi()*$dest_lat$/180, hv_rlat2=pi()*$source_lat$/180, hv_rlat = pi()*($source_lat$-$dest_lat$)/180, hv_rlon= pi()*($source_lon$-$dest_lon$)/180 | eval hv_a = sin(hv_rlat/2) * sin(hv_rlat/2) + cos(hv_rlat1) * cos(hv_rlat2) * sin(hv_rlon/2) * sin(hv_rlon/2) | eval hv_c = 2 * atan2(sqrt(hv_a), sqrt(1-hv_a)) | eval distance = round(6371 * hv_c * 1000,0) | fields - hv_rlat, hv_rlat1, hv_rlon, hv_rlon1, hv_a, hv_c Set it up to take 4 parameters and these are the named params source_lat, source_lon, dest_lat, dest_lon Then you can just use  `haversine(a_lat, a_lon, b_lat, b_lon)` to get the distance between two points     ... View more

You can search them and see the raw data in the search window, you can export them as CSV files, but what's your use case? Seems like an odd thing to want to do... 🙂 ... View more

Lots of good comments from people who know here, so just to add my thoughts specifically regarding your use of a lookup as a search constraint Subsearches with large search constraints coming from a lookup are less efficient than using the lookup as a lookup, i.e. | rest /services/authentication/users splunk_server=local | search type=SAML | fields title | rename title AS User | lookup 12k_line.csv User OUTPUT Found | where isnotnull(Found) ... The general issue is that a subsearch will first run and in your case will return the SPL phrase (User=1 OR User=2 OR ... User=5000 OR ... User=12000) and THEN it will add that to your SPL that gets executed, so that huge block of expanded SPL will have to be parsed whereas the lookup is likely to be far more efficient. You can see what the subsearch will expand to by running this search | inputlookup 12k_line.csv | fields User | format ... View more

Improving the DM acceleration searches can be tricky, as others have pointed out, so can you identify other non DMA searches that are at the top of the list. Searches that just take a long time are not necessarily the bad searches, they may just be handling large datasets. Poor performing searches can come from badly written dashboard searches that use joins or other poor techniques. They can also come from bad saved searches, again due to bad search techniques. It's often these user written searches that can bring Splunk to its knees. Of course it's also possible that you just don't have enough grunt - what licence model is your Splunk Cloud using, SVCs or ingest? ... View more

See @chrisyounger number viz app https://splunkbase.splunk.com/app/4537 It can do what you want   ... View more

Like the others, not totally sure what you're after, but given your example data, this SPL | stats latest(version) as last_version max(_time) as last_time count(version) as count_version dc(version) as dc_version by hostname model system will tell you the count of version records, the last version/date, the distinct version count for each host/system/model However, if you want to detect "NEWER" vs going backwards in versions, you'll need to define that rule in the version data. Also, this will only tell you within the search range, how far back do you want to go?   ... View more

If _time is empty then it's probably not finding the data, or it may be hitting join limitations. If you run the inner search and look for ONE of the messageGUID values, does it come up with a result? If you run the search without looking at a particular messageGUID how many results do you get - join has a limit of 50,000 results from the inner search. join has many limitations and you are often best off using stats to do the same thing. This is a stats version and may help. (index=aws* Method response body after transformations: sourcetype="aws:apigateway" business_unit=XX aws_account_alias="xXXX" network_environment=test source="API-Gateway-Execution-Logs*") OR (kubernetes_cluster="eks-XXXXX*" index="awsXXXX" sourcetype = "kubernetes_logs" source = *XXXX* "sendData") ``` Search both data sets above ``` ``` Now get fields from data set 1 ``` | rex field=_raw "Method response body after transformations: (?<json>[^$]+)" | spath input=json path="header.messageGUID" output=messageGUID1 | spath input=json path="payload.statusType.code" output=status | spath input=json path="payload.statusType.text" output=text ``` Now get fields from data set 2 ``` | rex field=_raw "sendData: (?<json>[^$]+)" | spath input=json path="header.messageGUID" output=messageGUID2 ``` Find the common GUID ``` | eval messageGUID=coalesce(messageGUID1, messageGUID2) ``` Filter first data set to status=200 and all of second data set where we have a guid ``` | where status=200 OR isnotnull(messageGUID2) ``` Get request time ``` | eval request_time=if(status=200, _time, null()) | stats values(_time) as times values(request_time) as request_time by messageGUID | fieldformat request_time=strftime(request_time, "%F %T") | fieldformat times=strftime(times, "%F %T")     ... View more

Actually, it's the sort command that is capping the results to 10k - always bites me, if you want to sort ALL results you must do sort 0 - ... Glad to hear it worked. As @yuanliu said, recommending map is not often found here, as it will run the map command sequentially, but if you have few errors, then the map will not have to make many iterations, but by default it will only run over 10 results unless you override the params.    ... View more

@kiwiglen  As has been said by @PickleRick , there is no recursion here, so this example handles up to 5 levels of subtask. | makeresults format=csv data="USER,JOBNAME,TRAN,TRANNUM,PHAPPLID,PHTRAN,PHTRANNO,USRCPUT_MICROSEC ,APP3,CSMI,43856,APP7,QZ81,70322,72 ,APP5,CSMI,20634,APP7,QZ81,70322,8860 ,APP7,QZ81,70322,APP3,QZ81,43836,16043 GPDCFC26,APP3,QZ81,43836, , ,0,897 ,APP3,CSMI,41839,APP5,QZ61,15551,51 ,APP3,CSMI,41838,APP5,QZ61,15551,64 ,APP3,CSMI,41837,APP5,QZ61,15551,79 ,APP5,QZ61,15551,APP3,QZ61,41835,5232 GOTLIS12,APP3,QZ61,41835, , ,0,778 ,APP5,QZ61,12,APP3,QZ61,1,5232 GOTLIS12,APP3,QZ61,1, , ,0,778 ,APP5,CSMI,111,APP7,QZ81,110,8860 ,APP7,QZ81,110,APP3,QZ81,100,16043 ABCDEF,APP3,QZ81,100, , ,0,897" | fields USER,JOBNAME,TRAN,TRANNUM,PHAPPLID,PHTRAN,PHTRANNO,USRCPUT_MICROSEC ``` Now initialise level 0 numbers ``` | eval level=if(PHTRANNO=0, 0, null()), root_trannum=if(PHTRANNO=0, TRANNUM, null()) ``` This logic handles 5 levels of "recursion" - as discussed earlier, it's not true recursion as you have to specify the operations for the max level count you need. The logic works by cascading the USER and root TRANNUM down the events for the related subtasks. It performs the following actions - Create a parent id field containing TRANNUM, root TRANNUM USER and level for the specific level wanted - in this case level 0 is PHTRANNO=0 in the IF test - Collect all the values of those ids across all events - Find the PHTRANNO value of the event in the list of parents - Extract the user and root TRANNUM from the result if found ``` ``` Get level 1 ids ``` | eval parent_id=if(PHTRANNO=0, TRANNUM.":".root_trannum.":".USER.":".1, null()) | eventstats values(parent_id) as parents | eval data=split(mvindex(parents, mvfind(parents, "^".PHTRANNO.":")), ":") | eval root_trannum=if(isnotnull(data), mvindex(data, 1), root_trannum), root_user=if(isnotnull(data), mvindex(data, 2), root_user), level=if(isnotnull(data), mvindex(data, 3), level), USER=coalesce(USER, root_user) ``` Get level 2 ids ``` | eval parent_id=if(level=1, TRANNUM.":".root_trannum.":".USER.":".2, null()) | eventstats values(parent_id) as parents | eval data=split(mvindex(parents, mvfind(parents, "^".PHTRANNO.":")), ":") | eval root_trannum=if(isnotnull(data), mvindex(data, 1), root_trannum), root_user=if(isnotnull(data), mvindex(data, 2), root_user), level=if(isnotnull(data), mvindex(data, 3), level), USER=coalesce(USER, root_user) ``` Get level 3 ids ``` | eval parent_id=if(level=2, TRANNUM.":".root_trannum.":".USER.":".3, null()) | eventstats values(parent_id) as parents | eval data=split(mvindex(parents, mvfind(parents, "^".PHTRANNO.":")), ":") | eval root_trannum=if(isnotnull(data), mvindex(data, 1), root_trannum), root_user=if(isnotnull(data), mvindex(data, 2), root_user), level=if(isnotnull(data), mvindex(data, 3), level), USER=coalesce(USER, root_user) ``` Get level 4 ids ``` | eval parent_id=if(level=3, TRANNUM.":".root_trannum.":".USER.":".4, null()) | eventstats values(parent_id) as parents | eval data=split(mvindex(parents, mvfind(parents, "^".PHTRANNO.":")), ":") | eval root_trannum=if(isnotnull(data), mvindex(data, 1), root_trannum), root_user=if(isnotnull(data), mvindex(data, 2), root_user), level=if(isnotnull(data), mvindex(data, 3), level), USER=coalesce(USER, root_user) ``` Get level 5 ids ``` | eval parent_id=if(level=4, TRANNUM.":".root_trannum.":".USER.":".5, null()) | eventstats values(parent_id) as parents | eval data=split(mvindex(parents, mvfind(parents, "^".PHTRANNO.":")), ":") | eval root_trannum=if(isnotnull(data), mvindex(data, 1), root_trannum), root_user=if(isnotnull(data), mvindex(data, 2), root_user), level=if(isnotnull(data), mvindex(data, 3), level), USER=coalesce(USER, root_user) | fields - root_user parents parent_id data ``` This counts all occurrences of the PHTRAN and joins the USER field into the child events ``` | eventstats count(eval(PHTRANNO!=0)) as subTasks by USER root_trannum ``` Now count the executions of each USER and evaluate the timings ``` | stats count(eval(PHTRANNO=0)) as Executions sum(USRCPUT_MICROSEC) as tot_USRCPUT_MICROSEC avg(USRCPUT_MICROSEC) as avg_USRCPUT_MICROSEC sum(eval(if(PHTRANNO=0,subTasks, 0))) as subTasks by USER ``` And adjust the subtask count, as we treated the main task as a subtask and then calculate the average subtask count ``` | eval avg_subTasks=subTasks/Executions Hopefully the comments help explain what's going on - however, without knowing really what you want from averages and totals, you may need to tweak, however, this is an EXPENSIVE search - so if you're dealing with a large data set it may be slow. If you have questions about the implementation just ask. Note, as with Splunk things, there may be a way to improve this, but with no correlation information other than the TRANNUM, it's tricky. ... View more

As @PickleRick says, it should work on the data you gave us, but one assumption it's using is that all your example rows show that the PHTRAN field always referring to the ROOT transaction QZ81 (for USER=GPDCFC26), despite your example showing 2 sub-levels of task, i.e. USER=GPDCFC26 calls APP7, with TRANNUM 70322 and APP7 is the parent for all its own subtasks through APP3 and APP5. IFF this is the case, then it will probably handle all levels you have, but as he also states, you can only program recursion to a fixed level, so if you only have the parent/child transaction numbers, then it's more difficult. ... View more

If I understand you correctly, this example should give you what you want. The first makeresults section is crafting your data, so you actually need from the eval statement following the data setup. | makeresults format=csv data="START,STOP,USER,JOBNAME,TRAN,TRANNUM,PHAPPLID,PHTRAN,PHTRANNO,USRCPUT_MICROSEC 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43853,APP7,QZ81,70322,76 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43850,APP7,QZ81,70322,64 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43848,APP7,QZ81,70322,64 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43846,APP7,QZ81,70322,74 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43845,APP7,QZ81,70322,68 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43844,APP7,QZ81,70322,71 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43857,APP7,QZ81,70322,65 2:10:30 p.m.,2:10:30 p.m., ,APP3,CSMI,43856,APP7,QZ81,70322,72 2:10:30 p.m.,2:10:30 p.m., ,APP5,CSMI,20634,APP7,QZ81,70322,8860 2:10:30 p.m.,2:10:30 p.m., ,APP7,QZ81,70322,APP3,QZ81,43836,16043 2:10:30 p.m.,2:10:30 p.m.,GPDCFC26,APP3,QZ81,43836, , ,0,897 2:10:17 p.m.,2:10:17 p.m., ,APP3,CSMI,41839,APP5,QZ61,15551,51 2:10:17 p.m.,2:10:17 p.m., ,APP3,CSMI,41838,APP5,QZ61,15551,64 2:10:17 p.m.,2:10:17 p.m., ,APP3,CSMI,41837,APP5,QZ61,15551,79 2:10:17 p.m.,2:10:17 p.m., ,APP5,QZ61,15551,APP3,QZ61,41835,5232 2:10:17 p.m.,2:10:17 p.m.,GOTLIS12,APP3,QZ61,41835, , ,0,778" ``` In the task case, PHTRAN is empty, so this will copy the TRAN to PHTRAN giving you correlation ``` | eval PHTRAN=coalesce(PHTRAN,TRAN) ``` This counts all occurrences of the PHTRAN and joins the USER field into the child events ``` | eventstats count as subTasks values(USER) as USER by PHTRAN ``` Now count the executions of each USER and evaluate the timings ``` | stats count(eval(PHTRANNO=0)) as Executions sum(USRCPUT_MICROSEC) as tot_USRCPUT_MICROSEC avg(USRCPUT_MICROSEC) as avg_USRCPUT_MICROSEC max(subTasks) as subTasks by USER ``` And adjust the subtask count, as we treated the main task as a subtask and then calculate the average subtask count ``` | eval subTasks=subTasks-1, avg_subTasks=subTasks/Executions   ... View more

@robertlynch2020 to answer your composite field question: Creating composite fields is simply a pattern to join MV fields where you have an equal correlation between those fields, i.e. for your example ... | fields traceId spanId parentSpanId start end | eval composite=mvzip(mvzip(mvzip(mvzip(traceId, spanId, "###"), parentSpanId, "###"), start, "###"), end, "###") | fields composite | mvexpand composite | eval tmp=split(composite, "###"), | eval traceId=mvindex(tmp, 0), spanId=mvindex(tmp, 1), parentSpanId=mvindex(tmp, 2), start=mvindex(tmp, 3), end=mvindex(tmp, 4) | fields - tmp composite so it's just a pattern that fits the scenario where using stats will not solve your problem. Note always use fields to ensure ONLY the fields you want expanded, so as to minimise memory usage - that also will mean using | fields - _time _raw as they will remain after a positive fields statement because they are _ prefixed fields so are not automatically excluded. Do NOT use table before an mvexpand as table causes the data to be sent to the search head, so the expansion is done on the SH. (There is a possibility that it will be optimised away, but don't rely on that). Explicitly use fields so that it remains in the indexing tier and if you have multiple indexers, the memory footprint will be distributed.   ... View more

How many levels deep can the parent/child relationship be? Anyway you can do this with a couple of lines of SPL, see this example which creates some dummy data and then the final two lines will create the sum of time per USER/TRANNO | makeresults count=4 | eval TRANNO=random() | eval USRCPUT_MICROSEC=random() % 10000 | streamstats c as USER | eval USER="TASK ".USER | appendpipe [ | eval children=mvrange(1,5,1) | mvexpand children | rename TRANNO as PHTRANNO | eval USRCPUT_MICROSEC=random() % 1000000 ] ``` The above is just creating some example data ``` | eval TRANNO=coalesce(TRANNO, PHTRANNO) | stats sum(USRCPUT_MICROSEC) as USRCPUT_MICROSEC by USER TRANNO If this is not what your data looks like, please post some anonymised examples of your data. ... View more

You're not actually showing us how you are using mvexpand. There is also no 1:1 relationship with parentSpanId with the other MV fields. The general way to expand multiple MV fields in an event is to create composite fields and then expand that or to use stats by that field, but we'd need a better idea of what you're trying to end up with. ... View more

Use  | outputlookup mycsv.csv output_format=splunk_mv_csv That keeps the lookup file with proper MV fields. ... View more