Events in my sourcetype contain a build time, and an ID field. A given ID can have multiple events, and each event contains a build time. I'm trying to get the sum of build times across IDs. So far, my query looks like: index=... | stats sum(buildTime) AS sum by id | stats mean(sum) This provides the mean of the total build time per ID. But what I want is to build a timechart of this. How would I propagate the time field across to do that? If I do: | timechart limit=0 sum(buildTime) as Sum by id| timechart mean(Sum) It doesn't build the table properly, because id becomes the column names and time becomes the row labels. How do I set the initial query up so that I can build a chart to see net buildTime over time? ... View more

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings . While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier. However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work. Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod . ... View more

I want to join events within the same sourcetype into a single event based on a logID field. However, this logID field can be named in two different ways: primary.logID or secondary.logID . Our sourcetype has both primary and secondary events, and we use a common logID between them if they are related. If I do |transaction primary.logID it obviously doesn't work, but I can't rename the two primary and secondary logID's to a new logID field, because it is in the same sourcetype. How do I transaction these events together on the same name? ... View more

Is there a way to make a single panel in a dashboard autorun? I know I can set the refresh field in the dashboard itself to make the whole thing refresh on a timer, but I only want a single panel to do so. ... View more

I'm trying to add a single value to a table I use to dynamically populate a selector in a dashboard. The search I use to populate the dropdown is: index=initial search|dedup pageURL| table pageURL I want to add to the end of the search something that can be a * value. The reason for this is that in my dashboards built off of the input, I use $pageURL$ to allow viewers to select the specific page they wish to see stats for. However, I want a specific value where I set pageURL=* so that viewers can see what all the pages look like. I tried doing the following as the search to populate the dropdown: index=initial search|dedup pageURL| table pageURL | append [|table pageURL | eval pageURL="*"] But that didn't add a value of * to the end of the table. Is there a way I can do this? ... View more

I'm trying to make a timechart to show percentage of error rates over a given time period. What I am looking for from a visualization perspective is a line chart that shows for any binned time period, what the total count of a specific error was, and what the overall percentage that was, and to have the chart be drawn based on the percentage. Ideally, I'd have both counts and percents on the same chart, but percentage is the important one so I can calculate percentage error over a given timeperiod. So far, my query is as follows: Initial Search to create the necessary variables|table errorCode _time|bin span=5m _time| eventstats count as total by _time | stats count values(total) as total by _time, errorCode errorCode contains a variety of values, with one value corresponding to success. In theory this should give me a table that looks like _time errorCode count total Bucket1 ErrorCode1 X X+Y+Z Bucket1 ErrorCode2 Y X+Y+Z Bucket1 Success Z X+Y+Z From there I would be able to use an eval perc=count/total*100 to be able to build the timechart. However, the total column is incorrect and does not result in the correct values. What would be a better way to build this query out, and is it possible to have the chart be drawn based on percent, but have in any given tooltip percent and count values? ... View more

My data is structured into a JSON with a field inside a block that is as follows { "SomeField":"Value", "serviceInfoBlock":{"SomeOtherField":"Value", "logID":"Value"} } The LogID can be either null or have an actual value populated in it. I am trying to use eval to create a new field "isNull" that can tell me if the logID is null, or has a value in it. If I do |eval isNull=if(serviceInfoBlock.logID==null, "True", "False") it creates the field but assigns every value to be false. If I do |eval isNull=if(isnull(serviceInfoBlock.logID), "True", "False") it creates the field but assigns every value to be true. If in my intial search, however, I add in serviceInfoBlock.logID=null or serviceInfoBlock.logID!=null it properly filters my results. Why can I filter properly in the search, but not create a field of the same type of filtering through eval? ... View more

Hi, I'm trying to pull a multivalue field from a JSON array to get statistics from it. The data looks as follows: "APIHEADERRESPONSE":{...specific information... }, "SERVICES": [ { "HTTPStatus":"200", "ServRespCode":"Success", "ServRespTime":"1200", "ServRespCached":"Y", "ServiceShortName":"Service1", "DataSource":"Source1", "ServiceURI":"Service1Url" }, { "HTTPStatus":"200", "ServRespCode":"Success", "ServRespTime":"1200", "ServRespCached":"Y", "ServiceShortName":"Service2", "DataSource":"Service2Source", "ServiceURI":"Service2URL" }, { "HTTPStatus":"200", "ServRespCode":"Success", "ServRespTime":"12", "ServRespCached":"Y", "ServiceShortName":"Service3", "DataSource":"Service3Source", "ServiceURI":"Service3URL" } ] Our data follows the structure of an initial block of identifying information, followed by specific details of further backend calls our APIs make. We are printing the results of those backend calls into an array in the JSON (services block) we print out to splunk. However, it is not a standardized amount of elements within the array. We can have 1 to many different services printed, and it varies from event to event. Further, the order is not normalized either, so we have no idea which service will print first. Is there a way for us to extract the details of a specific service without using regex? If we had multiple events, how would I get something like the median response time of service1? Is there a way we can use SPATH to get this information without relying on the expensive nature of regex? ... View more