I have a dashboard for common search query,  where i need to represent output of same search query in two time ranges. Time Range 1 and Time Range 2 added in input filters in dashboard. So now I am planning to create a base search for two different time ranges. After adding like below in the dashboard, data is not coming in panels output and when am clicking on open in search, output count is showing in query search. So please help me fix this issue. Below are the screenshots and base search's for reference.  Base Searches :  <search id="base_search_1"> <query>index=xxx source=xxx </query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> ======================== <search id="base_search_2"> <query>index=xxx source=xxx </query> <earliest>$field2.earliest$</earliest> <latest>$field2.latest$</latest> </search> ... View more

Hi Team,  How to implement the base search functionality to improve the loading time of Splunk dashboard. I have multiple panels with many server types. Each panel has one type of server. Every time when am changing the time filter, taking so much time to load the panels with each server traffic data.  So how I can improve this loading time by implementing the base search functionality? Please suggest on this. ... View more

Want to create a Splunk alert for Servers traffic distribution. I have 100's of different type servers in each data center (like app servers, db servers etc.). I can create a dashboard and splunk alert for specific set of servers. But here I want to create this dashboard and splunk alert on basis of datacenter. So how I can create this type of requirement ?  Per host wise, below query I written for reference, But data center wise all hosts can i put it in one query and write ?  index=* | where host like "ANCLOPR%" | bin span=5m _time | stats count BY _time host | eventstats sum(count) as total by _time | eval percent = count / total*100 | chart values(percent) by _time host usenull=f useother=f limit=100       ... View more

Hi Team, I want a splunk search query for alert creation. My requirement is service Response time is > 3 seconds and  if it is continuous more than 10 min (> 10 min), then only I need to raise an alert. In search query i tried to use the where option for the response time, but for time condition can't able to write the query. Below is my search query. please help me how to add the time condition value in query itself.   index=kpidata | eval ProcessingTime=ProcessingTimeMS/1000 | where ProcessingTime > 3 ... View more

Hi , How to get the alphanumeric string from below data. inputs : ABCD-47440c7534d1a13d7d462860-90d2aa5bb3b20184-1541977534244 NBAD-POK-7B847D0C-4F4B-4494-982E-AE20F184CABC-1541977639.233428 000a1360-e607-11e8-ab12-4b69800c33ea I want to get the output of alphanumeric strings which is including "-" . ... View more

I have a requirement to use lookups instead of queries in Splunk Dashboards. How can I get them and how to convert them to lookups using queries. For example:: Query : index="gcp_prod_ecomm_webstoreui" "[ACCESS]" ("/catalog/*.jsp" OR "/product/" OR "/search.jsp*" OR "Cavisson") NOT("alive") NOT “dlr=true” | rex field=MESSAGE "\d{2}:\d{2}:\d{2}\s(?<page_response_time>[0-9.]*)\s(?<method>.[A-Z]+)\s(?<Request>.[a-zA-Z0-9-:/^%?+&()\"=+_.-]*)\s(?<Request1>.[a-zA-Z0-9-:/^%?+&()\"=+_.-]*)\s(?<StatusCode>[0-9]+)" | eval RequestFormat=case(Request like "%catalog%", "Catalog Page", Request like "%product%", "Product Page", Request like "%search%", "Search Page") | timechart span=1m avg(page_response_time) by RequestFormat ... View more