Hello, we've faced with a problem of results trunkating while using join command. In fact limitations of max results for join are extremely dissapointing, we stuk with them here and there and changing params in limits.conf doesn't help anymore. One of our searches stopped working correctly due to this limits. Now I'm trying to remake a problem search to exclude using of join. The search might find users that made their first monetary purchase after making a promo purchase. Each user can have multiple promo and monetary purchases. Promo purchsases can be of several promo offers. How it was done before: source="my_source" | where isnotnull(offer_uid) | stats min(_time) as promo_purchase_time by user_uid offer_uid | join [search source="my_source" tx_amount>0 | stats min(_time) as monetary_purchase_time by user_uid ] | where promo_purchase_time < monetary_purchase_time | stats count as Customers by offer_uid What I'm trying to make: source="my_source" | eval monetary_purchase_time=if(tx_amount>0, _time, a) | eval offer_name=if(isnotnull(offer_uid), offer_uid, a) | eval offer_purchase_time=if(isnotnull(offer_uid), _time, a) | stats min(monetary_purchase_time) as min_monetary_purchase_time, values(offer_purchase_time) as offer_purchase_time by user_uid offer_name _time I get this: _time user_uid min_monetary_purchase_time offer_name offer_purchase_time 12/10/12 9:06:33.017 PM 727889 OFFER1 1355159193.017 12/10/12 9:11:08.225 PM 727889 OFFER1 1355159468.225 12/10/12 9:22:36.926 PM 727889 OFFER2 1355160156.926 12/14/12 9:42:17.085 PM 727889 OFFER2 1355506937.085 12/15/12 8:58:13.862 PM 727889 1355590693.862 I want to get plain table for each user_uid and his promo offers where can be made a comparision of his first monetary and promo purchase times. When I change last stats command to this one: | stats min(monetary_purchase_time) as min_monetary_purchase_time, min(offer_purchase_time) as min_offer_purchase_time by user_uid offer_name ..I get this: user_uid min_monetary_purchase_time offer_name min_offer_purchase_time 727889 OFFER1 1355159193.017 727889 OFFER2 1355160156.926 But I want to get this: user_uid min_monetary_purchase_time offer_name min_offer_purchase_time 727889 1355590693.862 OFFER1 1355159193.017 727889 1355590693.862 OFFER2 1355160156.926 with which I can then use a desired command: | stats count(eval(min_monetary_purchase_time > offer_purchase_time)) as Customers by user_uid offer_uid How can I fill empty fields of parameter min_monetary_purchase_time for each user with the value of first monetary purchase time? I've tried variants with chart, downfill, but got incorrect values. ... View more

Hi everyone, We met a problem with sorting data in a table. We sort users id-s, let's say there's 350000 of them, its format is 1 - 350000. The results are in a table wraped in paginator. The problem is when trying to sort by user_id by default means of splunk web-interface (triangles near the param name), its last value in descending order is 300000 and then goes 300001, 300002, etc, instead of 350000, 349999, etc. To check it by yourself, for example create csv file(test.csv) with one column of numbers 1-350000 (e.g. with a header "P"), add this file in lookups, and run the command: | inputlookup test.csv | table P | sort 0 num(P) P or just | inputlookup test.csv | table P and click triangles P.S. I didn't manage to find any proper limits that can affect in limits.conf. ... View more

Hi everyone! I made a table that shows web sources from where visitors come to our service. By clicking any row timechart of visitors for the selected source opens. But it opens not for each source. The data that is used for these tables and charts doesn't have _time parameter but has year, month, day values. By concatenating these values and converting to timestamp I got _time and built timechart. Here is working example with source "yandex": index=visitors source=web | where source_from="yandex" | strcat year "." month "." day date | convert timeformat="%Y.%m.%d" mktime(date) as _time | timechart sum(visitors) as visitors Not working example with source "google" though it has 5 times more occurances in our statistics then "yandex": index=visitors source=web | where source_from="google" | strcat year "." month "." day date | convert timeformat="%Y.%m.%d" mktime(date) as _time | timechart sum(visitors) as visitors The data seems to be similar for these sources, has no gaps in days. I found that in the second variant splunk can't write result into _time. Trying to use eval _time=.. or strftime didn't helped. How can I write to _time to use timechart? ... View more