I found the problem. Turns out that in the Main App's local.meta, it had [views/Phone...] stanzas that overrode the ones in the CCM's default.meta. Not sure how they got there, but once I removed them the views showed up. ... View more

If you have the events that indicate logon and logoff, you could build a transaction and then grab the duration, a la: YourSearch | transaction Username startswith=LogonEventID endswith=LogoffEventID | eval DurationInMin = round(duration/60,2) | stats avg(DurationInMin) as "Average Session Duration (Minutes)" by Username http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction ... View more

It sounds like what you want is the transaction command: http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction You would need to define a field that matches your session ID using perl-compatible regular expressions with either props.conf or the rex command, such as: YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" That will package all the lines for a particular user as one event, and give you access to things such as: YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" | search NetworkService.queryOutages to find only sessions that query network service outages or: YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" | search NetworkService.queryOutages Query.Result=Error to get sessions where they both queried network service outages and where one of the different actions they took had an error. You also get the duration field, which tells you how long the session lasted, and the eventcount field, which tells you how many individual lines were packaged into that transaction. If you're not familiar with PCRE syntax and rex/props.conf, you can run with what I put above, or start your search with the following: http://www.splunk.com/base/Documentation/latest/SearchReference/rex http://www.splunk.com/base/Documentation/latest/admin/Propsconf http://www.splunk.com/wiki/Community:RegexSyntaxInSplunk I hope that all is helpful. ... View more

If I'm following, I think you should be able to get what you want by adding earliest=-1d@d latest=-5m@d to get all the entries from yesterday during those hours. @d refers to the start of the current day, so you can say 1 day before the start of today until 5 minutes before the start of today. That would be: sourcetype="Cron_SendNotificationEmail" source="*asia*" earliest=-1d@d latest=-5m@d | rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=100 | search send_to_email="*" | stats count(send_to_email) FYI: I believe daysago is deprecated now. The new method is at: http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch ... View more

I'd simplify your statement a touch: host="weblogic*" JMS_Destination_Queue="CustomerAccountServiceQueue" JMS_Event="Produced" earliest=-10m | timechart span=10m count | delta count as difference | eval percdif=round(abs(difference/count)*100,0) So you can then alert on if percdif > 50. Without knowing your data, though (and knowing that this may be very obvious to you already), note that the above will alert on any sudden drops / increases into the number of times that message is logged, which will not necessarily equal your queue length. If that full message contains a QueueLength field, or anything like that, you might get more useful information by going for that field: host="weblogic*" JMS_Destination_Queue="CustomerAccountServiceQueue" JMS_Event="Produced" earliest=-10m | timechart last(QueueLength) as CurrentQueueLength span=10m | delta CurrentQueueLength as difference | eval percdif=round(abs(difference/CurrentQueueLength)*100,0) ... View more

This may be slightly off, because I've never use this datatype myself, but I believe this is why you're seeing the results you described above: sourcetype=log4j ERROR | eval warns=errorGroup+"-"+errorNum | top warns by errorDesc | stats stdev(count), var(count) by warns You're asking for the stdev / var of the number of events. The number of events is always going to be a single value. When I remove "| top warns by errorDesc" The succeding search displays nothing accept the first column values for "warns". Nothing for stdev(count) or var(count) If you remove "top warns by errorDesc" then the count field is never generated, so there's nothing to perform statistics on. sourcetype=log4j ERROR | eval warns=errorGroup+"-"+errorNum | top warns by errorDesc | stats stdev(count), var(count) That is returning data -- specifically the stdev and the var between the top types of errors. In essence, the first one, you're looking at the stdev of the count for a particular warn. For the last one, you're looking across all the warns. So if you had 10 types of warns, all occurred 1 time, and one occurred 30 times, the stdev would be 9.17 (at least, according to my web calculator). BTW: You might also find value in the following, related search (and because that's the direction I thought you were heading in, and started writing it before I re-read your original post): sourcetype=log4j ERROR earliest=-7d@d latest=@d | eval warns=errorGroup+"-"+errorNum | stats count as Date_Warns_Count by date_mday,warns | stats stdev(Date_Warns_Count), var(Date_Warns_Count) by warns That's similar to your first one, except it will provide you the stdev, var of the daily count, per warn. Hope this is helpful. ... View more