I am trying to parse information from a json file, but am having difficulty doing this. Here is my sample json file: { "message":"OK", "status":200, "responseEntity":[ { "counters":{ "SearchResult.close()":{ "name":"SearchResult.close()", "count":42, "max":9.0, "min":0.0 } }, "errors":{ }, "groupDescription":"Counters", "groupName":"Group01" }, { "counters":{ "SearchResult.close()":{ "name":"SearchResult.close()", "count":7, "max":8.0, "min":7.0 } }, "errors":{ }, "groupDescription":"Counters", "groupName":"Group2" } I want to be able to filter the value for "SearchResult.close().count" for groupName "group2", however I am unable to do that. I tried | spath path=responseEntity{}.groupName output=groupName | mvexpand groupName | But when I filter by json_group, I still get ALL values(responseEntity{}.counters.SearchResult.close().count values would be both 42, and 7) inputs.conf file [monitor://\HOST01\groupInfo.json] disabled = 0 followTail = false host = HOST01 sourcetype = JSON Testing crcSalt = props.conf file [JSON Testing] TRUNCATE = 0 KV_MODE = json Is there a way that I can filter by groupName, then only get values that are associated with that group name, for count, max, min etc? Or is there an issue with my json file itself? Thank you ... View more

I have stats values(A) by B, C and then I want to sort by values of A within each group. A is a numeric value. How can I accomplish that? I tried stats values(A) as A by B, C | sort A but that's only sorting the groups, not the values within each group in the stats. ... View more

Hi, I have two values that I would like to draw on one time chart. Currently I have the following query that doesn't work the way I want it to. (sourcetype="Application" Type = "A" AND WorkTime > 0) AND Project="ABC" | chart values(WorkTime) as ATime over _time | appendcols [ search (sourcetype="Application" Type = "B" AND WorkTime > 0) AND Project="ABC" | chart values(WorkTime) as BTime over _time ] The lines for those two values are not drawing correctly on the chart. Did I do something wrong in my query? Is there an example of chart overlay using SideView Util Editor? I know how to do that in XML...Just wondering if there is a way in SideView Util Editor to do that same. Thanks. ... View more

Hi, I have a view where a user have to input three values before a report is created. The user must first select a report type, and then host type and the host name. The problem is the search is executing every time something changes and keep refreshing the message saying "No results found". For example, after the user selects the report type from a Pulldown, the host type field is populated for the user. At the same time the search is already executed and the page displays "No results found". Then the user selects the host type, and the search gets executed again with the result of "No results found". It's very annoying. I don't want the search to execute until after the user has input ALL three values. How can I control that? May be there is a way to put a "GO" button that the search will execute only when the user hits GO? Examples will be great. Thanks! ... View more

Hi, I have two different log types under the same directory path. At first I have only imported one type of log: [monitor://PATH] disabled = 0 followTail = false host = HOST1 sourcetype = A Logs ignoreOlderThan = 2d whitelist = A.*.log crcSalt = <SOURCE> blacklist = native|\.zip .... the log lines are imported fine to Splunk. AND THEN a few weeks later I added second type of log which is under the same path .... [monitor://PATH] disabled = 0 followTail = false host = HOST1 sourcetype = B Logs ignoreOlderThan = 2d whitelist = B.*.log crcSalt = <SOURCE> blacklist = native|\.zip Now, Splunk is NOT getting any A Logs, but it has everything from B Logs. Did I do something wrong? How can I get both types imported to Splunk? Thanks! ... View more

Hi, How can I only grab the last two distinct values from a single transaction. For example: Search this within 24 hr period will give me a several connection values. {Search} | transaction by Server | stats values(connection) by Server I would like to dedup the connection values, and get the difference of the last two values. Let's say I have distinct connection counts 1, 3, 5, 2, 6, 9, 3, and 13. So my last two connections are 3 and 13, so their difference is 10. Thanks for your help. ... View more

Hi, I need to set where clause based on certain condition. For example, if value=a, then where should be x>1. If value=b, then where clause should have x>100. If value=c, then x>1000, etc. So I did something like: eval condition=if(value=a,x>1,if(value=b,x>100,x>1000)) | stats values(blahblah) | where condition As expected, that doesn't work =D Please help and let me know how I can set up variable where clause. Thanks! ... View more