Try this - use your index and I assume that the event _time stamp is the login time. index=bla userID=text123 earliest=-5m@m latest=@m | stats dc(ip) as ips by userID | where ips>1 If your events contain other info than just login details, then you may need to add login_time=* to the search ... View more

Do you have the date_* fields in your data? If so, you can do this search... earliest=-1mon (date_hour>=$start_hour_token$ date_minute>=$start_minute_token$) (date_hour<$end_hour_token$ OR (date_hour=$end_hour_token$ date_minute<$end_minute_token$))) If you don't have those fields extracted, then you will have to do an eval statement to create the date_hour and date_minute fields and then do a where clause to do the same comparison as above. ... View more

As @ITWhisperer has said, subsearches run first, so you can't pass time from the outer to the subsearch, but the addinfo command is generally a way to know what time range you have for your search, so in the subsearch you can do something like this to remove the entries from the lookup that do NOT fit in the time range of the search [ | inputlookup lookup.csv | addinfo | eval first_time=strftime(info_min_time, "%H") | eval last_time=strftime(info_max_time, "%H") | rex field=Time "[^ ]* (?<hour>\d+)" | where hour>=first_time AND hour<=last_time ] This is taking the HOUR part of your lookup Time value and comparing that to the search time range and only retaining the lookup entries that match the time range of your search, so when you combine the entries after this subsearch, only those from the lookup that are relevant to the range are collected with the real time data. ... View more

If you can change the URL parameters then you can create a subsearch that takes the ms parameters as parameters e and l. In the subsearch you can do the division and rename the fields earliest and latest. When passed out of the subsearch they will be treated as earliest and latest ... View more

Can you change the URL in any way or is that all you have to make a search and there's no other component or processed in the middle ... View more

Yes, that technique works - are you saying it doesn't?   ... View more

Ah, so I missed your point somewhat in that the list contains all the values you want and you should alert if one is missing from the data. You can do this | stats count by Time Value | append [ | inputlookup lookup.csv ``` Filter the entries you expect here, e.g. using addinfo ``` ``` | where Time is in the range you want ``` ] | stats count by Time Value | where count=1 which is adding the rows from the lookup to the end of your found data and then doing the stats count again. If count=1 then it has only come from the lookup. The filtering (where...) will need to work out what time range your search covers. Use the addinfo command to get info_min_time and info_max_time fields which you can then use to filter those values from the lookup you want. ... View more

Consequences... Poor performance of your dashboard Poor performance for other users Excessive usage of an SVC licence if using SVC in Splunk Cloud - potentially causing additional licence costs to the organisation Skipped searches Your application will not be liked by others in your organisation Alerts may not fire and as such you may miss critical security detections the could indicate hackers are attacking your system, or that critical infrastructure is having performance issues, resulting in an outage of your primary web site. These are some, but not all of the consequences. All will depend on what you are using Splunk for, but I hope you get the picture. I've seen one such dashboard such as yours with 60 panels all on auto refresh, all searching the same data independently and that one dashboard, out of 1000 others, was using a significant proportion of the compute cost across the search head cluster.   ... View more

Something like | rex "<<<\s*(?<LogType>[^\s]*)\s*:[^:]*:[^:]*:[^:]*:(?<Class>[^:]*).*REQS REQUID\s*::\s*(?<ReqsRequid>[^:]*).*SUB REQUID::\s*(?<SubRequid>[^:]*).*Application\s*:(?<Application>[^:]*::\s*Org\s*:\s*(?<Org>[^:]*)" ... View more

Your examples are round seconds, but if you have epoch times to search between use the epoch with decimal places where required, so your example (which actually has no millisecond time) could be index=my_app earliest=1710525600.000 latest=1710532800.000 env=production service=my-service   ... View more

eventstats is a way to get stats without losing fields you want to retain, but it is not an efficient command. If you do use eventstats, make sure you use the fields statement before eventstats, as all the data is transferred to the search head before the stats are calculated - you will reduce the data transfer from the indexers. Another efficient way to get stats without losing fields is to do | fields a b c etc... client_ip | stats count values(*) as * by client_ip | where count<10 This will do the aggregations but will retain all the values of the other fields in the returned row for the client ip. This may not be how you want to see the data, but from a performance point of view, if you have large datasets, then eventstats can be very slow, whereas stats will be fast. You can refine this further by doing something like | fields a b c d e f client_ip | stats count values(*) as * by client_ip a b c | eventstats sum(count) as total by client_ip | where total<10 where your split will collect some other fields as well as ip and then you can use eventstats on the much smaller dataset to calculate total count for the IP - this will generally be faster than eventstats at the start. Hope this helps   ... View more

What is your data and what is the visualisation you want to show. If it's a Splunk table, then look at this documentation for how to colour table cells https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/TableFormatsXML Perhaps you can say more about what your data looks like, how many entries you are talking about and how to plan to visualise it.   ... View more

stats count as Value by Time cannot give you a non numeric value that you have in your lookup. but aside from that, if you have a lookup table with time and value then you can just lookup time in the lookup to get the values. In your stats by time, what is "time" in your example, is it a formatted time representation, the unprocessed Splunk _time field or the _time field with a | bin bucket alignment set. If, what you want is something along these lines search bla | bin _time span=1h | stats count by _time category | eval Time=strftime(_time, "%A %d:[%H%M - "). strftime(relative_time(_time, "+1h"), "%H:%M]") | eval Value=count." ".category | lookup lookup.csv Time Value OUTPUT Value as Found | where isnull(Found) so that if your Time field in the lookup is Day DayOfMonth [TIME_FROM - TIME_TO] and the Value is the expected count + the category (AA/BN/TY), then the above search just does a lookup and expects to find the value - if it does not, Found will be null. ... View more

Also note that transaction will be slow and can, if you have a lot of data, just give you wrong results, as it can be affected by memory usage and just discard results. transaction can often be avoided through stats, although it does take some extra steps to get your data to a state where you can use stats, but it's not obvious how you would do that here.   ... View more

I am not quite sure what you're trying to do with the append command - it doesn't look valid to me, but it doesn't appear to make sense anyway, as you can just add the additional index search to your existing primary search with an OR between the two conditions.   ... View more

@victorcorrea Have a look at the time modifiers for the concept of 'snap to', which is the @ component of a time constraint. Generally with an alert, it is a good idea to understand whether you have any "lag" in data being generated by a source and then arriving and being indexed in Splunk. Consider an event generated at 6:59:58 by a system, which is sent to Splunk at 7:00:02 and is indexed at 7:00:03.  If your alert runs at 7am and searches earliest=-5m@m latest=@m then that event that has a time stamp of 6:59:58 will not yet be indexed in Splunk, so it will not be found by your alert. If this is one of your "Waiting" events, then you may trigger an alerts for a count of 2, but if you look later at that data, you will find the count is actually 3, because that latest event is now in the index. So, consider whether this is an issue for your alert - you can discover lag by doing index=foo | eval lag=_indextime-_time | stats avg(lag) if lag is significant, then shift your 5 minute time windows back sufficiently so you do not miss events.  ... View more

You can make panels dependent on the existence of a token. You do this with a <change> block on the input and setting or unsetting the tokens that a panel requires to display. You can be as fine or as coarse as you like, i.e. you could make a token for each panel and set/unset the panels as needed and then each panel definition will "depend" on its own token. You will also need an <init> section at the start of your XML to set the default state of the tokens if you want the panels to display immediately when the dashboard is loaded.   <change> <condition value="Pass_srvc"> <set token="show_panels_1">true</set> <unset token="show_panels_2">true</unset> </condition> <condition> <set token="show_panels_1">true</set> <set token="show_panels_2">true</set> </condition> </change> ... <panel depends="$show_panels_1$">... .. <panel depends="$show_panels_2$">... ..     ... View more

You still haven't said if my suggested solution is valid in your case. Did you try it, did it give you what you want or not? That will give you a single value for each of the categories of data you have in your timechart. The other question is what do you want to do with this data, is this to be displayed in another dashboard panel or are you trying to show this somehow in the same timechart without splitting by host for these two fields or something else? ... View more

If there is only one index, then you are saying you want to find one user from a query where eventname=xxx and index=a and then find all other events for that user where some other condition exists then the following logic is how you do things. index=a (condition 1 OR condition 2) | eval x=if(condition=1, 1, 0) | eval y=if(condition=2, 1, 0) | stats sum(x) as x sum(y) as y by user | where x>0 AND y>0 I still think I am missing something from your question - if this is not what you are after, please try to describe all of your data inputs and the output you want to get as a result.   ... View more

I would ask, if all the values are the same for all hosts, then what are you producing a timechart for? ... View more

Did you try my suggestion? ... View more