Hi I created a calculated field called "SUCCESS" using Splunk Web on sourcetype. The calculated field eval condition is like if(TYPE="S", "Success", null). Now I am trying to use this calculated field in my search like below - index=customindex sourcetype=customsource | stats count(SUCCESS) as SuccessCount But this returns no results and I know there are events in source that qualifies eval conditions. Not sure what I am doing wrong? Before my search used to be like below for ref - index=customindex sourcetype=customsource | eval Success=if(TYPE=="S", "Success", null) | stats count(Success) as SuccessCount ... View more

Hi I am working on query to retrieve count of unique host IPs by user and country. The country has to be grouped into Total vs Total Non-US. The final result would be something like below - UserId, Total Unique Hosts, Total Non-US Unique Hosts user1, 42, 54 user2, 23, 95 So far I have below query which works but its very slow. Is there any better and faster way to achieve desired result ? Thanks index=customindex sourcetype=custom src | iplocation allfields=true lang=code HOST | search Country!=US | stats estdc(HOST) as total_non_us by USERID | join USERID type="left" [ search index=customindex sourcetype=custom src | iplocation allfields=true lang=code HOST | search Country=US | stats estdc(HOST) as total_us by USERID ] | fillnull | eval total = total_non_us + total_us ... View more