I have 2 searches that I am appending that looks something like search1 | append [search search2] and basically search 1 has data for 6months e.g. Jan-Jun and search 2 has data for 6months e.g.Jun-Nov Can I control search1 to search for all dates up to June 15th at midnight using latest? And Can I control search2 to search for all dates from June 15th at midnight using earliest? This way from a graphing point of view they all line up. This way my earch would look something like search1 latest=20140615 | append [search search2 earliest=20140616 ] ... View more

Can I combine 2 fields into the 1 using this method: Combining the 2 fields c84163237 and c84163338 into the 1 field seizureTraffic : ...| timechart span=1h sum(c84163237) as seizureTraffic, sum(c84163338) as seizureTraffic by LABEL Or do I have to do an eval command: eval field1=c84163237+c84163338 I can't seem to get either working, can anyone advise? ... View more

I was having trouble with this search in my XML, I could not save it using the below search inside my searchString tags. index=core ... | rex ".*,.*Process type=(?P<ProcessType>[^,]+)" And I know it is something to do with this Or writing it another way <ProcessType> ... View more

I am trying to understand better how splunk regex works. I have the below example: This is a sample of the data I am trying to extract with Slot No.=1 being of interest: ...,measObjLdn="SGSN02KPR/Process:Process No.=5, Process type=GBP, Slot No.=1,... Using splunks Interactive field extractor gives me this (?i)=.*?, (?P\w+\s+\w+\.=\d+)(?=,) if I want to look at these values in the search I can do this `... | rex "(?i)=.*?, (?P\w+\s+\w+.=\d+)(?=,)" | stats values(FIELDNAME) Now to understand this better I would like to use an example. What if I just want the values so instead of getting Slot No.=1 I would get 1 So this (?i)=.*?, (?P\w+\s+\w+\.=\d+)(?=,) would go to ...? Appreciate any help and trying to understand this better, or is there any documentation on this. EDIT1 For instance this | rex ".*,.*Slot No.=(?P[^,]+)" will give me just the values this is just me playing around, I don't fully understand it. ... View more

i have the following search in my xml: index= ... earliest=-20d@d latest=+d@d | timechart ... | timewrap ... How do I control the search using a form? I basically want to be able to control this earliest=-20d@d latest=+d@d and I only want to increase the value 20 up or down. Maybe I should use some other type of form control? This is my 1st attempt: <label>Timeframe</label> <default> <earliestTime>-20d</earliestTime> <latestTime>now</latestTime> </default> ... View more

If i want to see the last N fridays I would do a search like below: index=core eventtype="Device_Usage" psThrputMbps DeviceName=Device1 earliest=-20d@d latest=+d@d | timechart span=15m avg(psThrputMbps) by DeviceName | eval wday = strftime(_time, "%a") | where wday = "Fri" | fields - wday | timewrap d series=exact However I am noticing a bug, it seems to be to do it when you want the friday values from the previous month. Bug explained: I got the above search to work for me, but it has a bug in that it is is showing 4 values for Apr2nd (11.00,11.15,11.30,11.45). Apr2nd was a thursday. It is also missing the last 4 values for Apr3rd (11.00,11.15,11.30,11.45). So it is showing Apr17th, Apr10th, and Apr3rd (all fridays) in the legend, but as I mention above it has a bug, it is showing Apr2nd values with 4 values and these are the 4 values missing from Apr3rd. Not sure if this is data coruption for them specific dates or something else? I don't think this is the case as have tried this with different weekdays and it persists. ... View more

Just looking through some of my old dashboards and came across the below chart in XML. I was wondering what does 10 do? <chart> <searchString>index=core ......... </searchString> <title>Att Users</title> <earliestTime>-1d@m</earliestTime> <latestTime>now</latestTime> <option name="charting.axisTitleX.text"/> <option name="charting.chart">line</option> <option name="charting.primaryAxisTitle.text"/> <option name="count">10</option> <option name="displayRowNumbers">true</option> </chart> ... View more