I have a dashboard with cron_schedule as below. When is the cron schedule actually scheduled? And how to modify it to run every 5hr and look for time range of -4h? savedsearches.conf [My_search] dispatch.earliest_time = -20m ... View more

I'd joined two different searches and trying to display the search 2 table for search 1 users. Both the searches have the usernames field different search 1 displays usernames with field name "usernumber" search 2 displays usernames with field name "userid" I know if both the searches has same field name i can display as below search 1 | fields userid | join userid [search 2] But here the scenario is different. Even though the field names are different, how can i combine those two searches? ... View more

I am trying to construct a search from almost days to display each user's average of a certain max of distinct count of a field values for last 7 days. like as below user max(dc(A)) avg(max(dc((A))) user1 3 4 user2 6 3 user3 5 6 where avg(max(dc((A))) is last 7 days avg(max(dc(A))) for each user I'd reached somewhat in constructing the query as below for one day base search | stats dc(ABC) as dUniqueCIFs by user|eventstats avg(dUniqueCIFs) as avgdUniqueCIFs |stats max(dUniqueCIFs) as max_dUniqueCIFs max(avgdUniqueCIFs) as avgdUniqueCIFs by user which displayed as below user max(dc(A)) avg(max(dc((A))) user1 3 4 user2 6 4 user3 5 4 Where I was getting the average of all the users max(dc(A)) instead of each user's max(dc(A)) for last 7 days I'd also posted simillar question in which i haven't explained the question well so posting it again with detail explanation. Thank you ... View more

I have a search which gives the result as follows for one day Query :- base search | stats dc(dCIF) as dUniqueCIFs by user |eventstats avg(dUniqueCIFs) as avgdUniqueCIFs |stats max(dUniqueCIFs) as max_dUniqueCIFs max(avgdUniqueCIFs) as avgdUniqueCIFs by user Users dc(users_activity_count) average(All_users_activity_count) A 2 2 B 3 2 C 1 2 Similarly how can I calculate the average of each users_activity count for n number of days like below Users dc(users_activity_count) average(All_users_activity_count) average(each_users_activity_count_forlast7days) A 2 2 A's average for last 7 days B 3 2 B's ....... C 1 2 C's......... Where average(each_users_activity_count_forlast7days) should display the average of each user for last 7 days, which is user A's Average,B's,C's.... ... View more

Hello everyone, I have a search as follows which displays the usernames, their accessing application count on that day, and the average of total users average accessing application count index=foo sourcetype = foo | | stats dc(A) as accessing_application_count by usernames |eventstats avg(accessing_application_count) as avg_accessing_application_count |stats max(accessing_application_count) as max_accessing_application_count max(avg_accessing_application_count) as avg_accessing_application_count by usernames Which Displays something as follows usernames max_accessing_application_count avg_accessing_application_count abc 3 4.982456 def 0 4.982456 ghi 10 4.982456 Now I want to calculate similarly for each user's last 3 days max_accessing_application_count which should be calculated based on each day's max_accessing_application_count of last 3 days, and the average too. like below usernames max_accessing_application_count last_3days_max_accessing_ avg_accessing_application_count last_7d_avg abc 3 6 4.982456 7.8 def 0 4 4.982456 7.8 ghi 10 7 4.982456 7.8 average should be calculated as each days average for the last 3 days and that 3 days average of that. Please suggest if you have any idea to help me regarding this query. Updated :- ... View more

Hi I have created some dashboards and approving some permissions to users. But for one dashboard, I am not able to give any permissions. The only difference in this dashboard is that it searches in a different index. The following is the error I am getting. I'm not sure why I'm not able to give read and write permissions even though I am the owner of the dashboard. ... View more

search1 displays :- user field1 field2 field3 field4 A B C D Search2 displays :- user field3 field4 B C D E Now both the searches has a common field user. Is there any way that I can display the user list who were in both the search 1 and search 2 something like as below user B C D ... View more

I have a Dashboard row as follows where search is as follows :- My search |stats avg(e) as a_e avg(l) as a_l values(eval(if(days=1, e, null()))) as y_e values(eval(if(days=1, l, null()))) as y_l by user days How can I display the dashboard in such a way that I give the input of a user and then the result dashboard should be only for that user? ... View more

Hi everyone, Since I dont have much knowledge on Splunk query language. I am struggling for the past one week to sort out the results from a splunk query which is described as below. I want to define the "normal" time a user is working on Yesterday. This time-interval has to be between 18:00 day1 and 06:00 day2. Similarly for 7 consequent days I have to calculate his average working time range for the last 7 days which should be between 18:00 day1 and 06:00 day2 like we trying for yesterday. And display them both. I have acheived somewhat with the help of some of the splunksters in this site with the following Splunk Query For some reason I couldn't able post my complete query so pasting a picture. please check the picture for my splunk query. how can i filter my output to display only the user results which satisfies the condition substraction of the fields a_e and y_e is greater than 3 hours. Where a_e and y_e are the epoch times converted to human readable time. I know that I have been posting simillar questions for the past 1 week but due to my Unformulated English I failed to explain what I'm exactly looking for. ... View more

I'm going crazy of calculating the difference between two fields which has epoch time. The following is my Query Updated :- foo | convert ctime(_time) as Date_and_Time|convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time) as time |eventstats range(time) as duration by user| stats avg(duration) as avgDurationPeruser by user| eval Total_time_spent(out_of_school)=tostring(ceil(avgDurationPeruser), "duration") | table user Total_AccessTime Total_time_spent(out_of_school) ... View more