Thanks, jpolvino!  That worked for my timechart! ... View more

Thank you both for your feedback.  I agree this is a very broad request, and while we do use CIM as much as possible, not all fields match up as you stated. I also figured such a search would take up too many resources every time it ran, if it completed at all. I will take your feedback back to the requestors and explain. ... View more

Thanks, dmarling.  I will give these a try.   ... View more

Thanks, boz_8058.  I am trying this now. ... View more

Thank you, Woodcock, for your answer. I tried your suggestion and it works. It shows only those systems that have no events. I noticed that the output does not show the Target data (which comes from the input file), listing the indexes for each host in which we expect to see events. ... View more

This works for a short period of time, say the last 10 minutes, but not for the last 24 hours. The search runs for a while then auto-cancels. Alas, back to the drawing board. Anyone have any suggestions? ... View more

I finally figured it out... made a few changes: index!=_internal index!=_audit | stats count by host,index | rex field=host "^(?\w+)\.?" | eval host=upper(host) | search [|inputlookup myinput.csv | fields host] | stats list(index) as index values(count) as count by host | fields host, index, count | append [|inputlookup lmyinput.csv | fields host] | dedup host | lookup myinput.csv host | fields host, sys_purpose, opsys, index, count, note | lookup myinput.csv host | eval Target=mvdedup(mvappend(app1, app2, app3, app4, app5, app6, app7, app8, app9, app10, app11, app12, app13, app14, os1, os2)) | table host, sys_purpose, opsys, Target, index, count, note | where isnull(count) | rename host AS "Host Name:", sys_purpose AS "System Purpose:", opsys AS "Operating System:", Target AS "Expected Index:", count as "Event Count:", index as "Received Events in Index:", note as "Note:" ... View more

Sorry, hit the post button before adding the search... | tstats count where index!=_internal AND index!=_audit by host,index | rex field=host "^(?\w+)\.?" | eval host=upper(host) | search [|inputlookup myinput.csv | fields host] | stats list(index) as index values(count) as count by host | fields host, index, count | append [|inputlookup myinput.csv | fields host] | dedup host | lookup myinput.csv host | fields host, sys_purpose, opsys, index, count, note | lookup myinput.csv host | fields - fqdn | eval Target=mvsort(mvdedup(mvappend(app1, app2, app3, app3, app5, app6, app7, app8, app9, app10, app11, app12, app13, app14, app15, os1, os2))) | fields host, sys_purpose, opsys, Target, index, count, note | rename host AS "Host Name:", sys_purpose AS "System Purpose:", opsys AS "Operating System:", Target AS "Expected Index:", count as "Event Count:", index as "Received Events in Index:", note as "Note:" ... View more

Thanks koshyk! I appreciate the help. ... View more

I had to make it as generic as possible. I hope it is still helpful. sourcetype alert_metadata: {"alert": "myalertname", "alert_time": "2019-03-19T17:15:11.892+00:00", "app": "search", "entry": [{"content": {"earliestTime": "2019-03-19T16:15:00.000+00:00", "eventCount": 1, "eventSearch": "search (myalertsearchstring)", "keywords": "index::myappindex myapp_msgarea::RRR myapp_msgname::SSS", "latestTime": "2019-03-19T17:15:00.000+00:00" remote_mysplunkserver_scheduler_wilsonvsearchRMD54ae8a1459b8e343f_at_1553015700_10843. "optimizedSearch": "| search (mysearchstring", "resultCount": 1, "searchEarliestTime": 1553012100, "searchLatestTime": 1553015700, "searchProviders": ["mySplunkservers]}, "links": {"alternate": "/services/search/jobs/schedulerwilsonvsearchRMD54ae8a1459b8e343f_at_1553015700_10843"}, "name": "search mysearchstring}], "impact": "high", "incident_id": "23464663-4af1-4073-bf84-6edebfb6c837", "job_id": "schedulerwilsonvsearch_RMD54ae8a1459b8e343f_at_1553015700_10843", "name": "myalertname", "owner": "unassigned", "priority": "critical", "result_id": "0", "title": "myalertname", "ttl": 86400, "urgency": "high"} sourcetype incident_change: time=2019-03-19T17:15:12.245662 event_id="21794f2b4d134d36359eca1115a478b7" severity=INFO origin="alert_handler" user="splunk-system-user" action="create" alert="myalertname" incident_id="23464663-4af1-4073-bf84-6edebfb6c837" job_id="scheduler_wilsonvsearch_RMD54ae8a1459b8e343f_at_1553015700_10843" result_id="0" owner="unassigned" status="new" urgency="high" ttl="86400" alert_time="2019-03-19T17:15:11.892+00:00" example of the actual event that tripped the alert: 2019-03-19 16:44:43 myapp_logversion="2" myapp_msgarea="AU" myapp_msgname="L" myapp_pid="37301" myapp_taskno="00031" myapp_slgttyp="CC" myapp_termname="myterm" myapp_username="userhere" Splunk fields: host, index, sourcetype, source, tag::host I'm trying to figure out how to get the host name where the event occurred, based on the info in Alert Manager (the top two examples). ... View more

In my haste to post my question, I forgot to say that the events that tripped the alert are in a different index and are different sourcetype. I was thinking I could try using the time field as a common field to try to find the host, but this particular alert is scheduled to run every hour, so the time it shows in AM is not the time of the actual event that tripped the alert. Still stumped. ... View more

Thank you for the quick response. I will keep this info for a different report. In my haste to post my question, I forgot to say that the events that tripped the alert are in a different index and are different sourcetype. I was thinking I could try using the time field as a common field to try to find the host, but this particular alert is scheduled to run every hour, so the time it shows in AM is not the time of the actual event that tripped the alert. Still stumped. ... View more

Thank you, woodcock! I appreciate the guidance. I hope I did it correctly. ... View more

I just learned that I should upvote. Sorry about that. Not trying to be rude; just a newbie. 😉 ... View more

Still working on this. Thank you for your suggestions! ... View more

Thank you so much for your help! I am learning every day, for sure! ... View more

I am trying to find events that match field1 and field2, and match field3 if there are more than 5 or match field4 if there are more than 2. Thanks for the info. ... View more