I have a similar use case hope this works for you as well. (index=A) |rename A_field_match as B_field_match | fields B_field_match | join B_field_match [ search index=B ] | table A_interesting_field_1 A_interesting_field_2 A_interesting_field_3 A_interesting_field_4 B_interesting_field_1 B_interesting_field_2 B_interesting_field_3 B_interesting_field_4 As you are using two indexes, use give as many filters as possible like source type or source and run it on a small-time range to check the results. Thanks. ... View more

try something like this | your search | rex field=`some_field` "(?<=\/shop)(?<uri>[a-zA-Z-0-9.\/-]+)" | table uri ... View more

no problemo, happy to help 😄 ... View more

Thanks for pointing that out @aholzer , I have been trying to debug this query for hours and totally forgot that it needed a (') ... View more

Sure, like this: index=summary source="summary_events_2" orig_source=$source$ ms_region=$region$ ms_level=$level$ | timechart span=5m partial=f sum(count) AS count BY sourcetype | timewrap d series=short | rename *s0 AS *Today | foreach *s* [ eval <<MATCHSEG1>>d<<MATCHSEG2>> = <<MATCHSEG1>>Today - <<FIELD>>] ... View more

@kiamco, Try this <eval token="event_token">if($click.value2$=="","*",$click.value2$)</eval> Sample dashboard with run anywhere example <dashboard> <row> <panel> <table> <search> <query>|makeresults count=5|eval event="someevenet",noevent=""</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <drilldown> <eval token="event_token">if($click.value2$=="","*",$click.value2$)</eval> </drilldown> </table> </panel> </row> <row> <html> <h1>This is the token value : <font color="red">$event_token$</font></h1> </html> </row> </dashboard> ... View more

@kiamco, Alright try this, index=summary source="summary_events" orig_source=some_source ms_region=us-west-1 ms_level=E* |timechart span=5m sum(count) as count by event|eval date=strftime(_time,"%d-%m-%Y"),time=strftime(_time,"%H:%M:%S") |table time,event,count,date|eval temp=time."-".event |chart values(count) over temp by date|rex field=temp "(?<time>[^-]+)-(?<event>[^-]+)" |fields - temp ... View more

@kiamco - The summary index would contain the pre-summarized data. The predict could then run quickly across any length of time, and would not have to analyze the data at the event level ever again, which is what takes the majority of the CPU time. ... View more

worked like a charm; thank you! ... View more

ye a this would work if applied the time token before the appendcols but unfortunately that is no the case. what I am trying to basically do is when user clicks on graph it will show the events in that specific point in time but I want the sparkline to show the trend of that event starting from 14 days before the "time_token". ... View more

it works!! thanks a lot for the very detailed answer ... View more

It should take into account the "seasonality" trend since you are using LLP. Predict is generally followed by timechart, but i'm not sure what you're data looks like or what the exact output is. if you remove everything after predict and just look at the chart, can you see the predictions fluctuating as expected? if you use timechart before predict and span=1d or whatever span you need, does that change the prediction? ... View more

High level answer would to be find which data is missing and then run your collect command to summary index it. But it would be tricky to find which data is missing considering very heavy amount of data you've. Ideally if you've a specific criteria for which you see data, you need to apply those criteria to both regular search and summary index search and get a diff. ... View more

It seems all your events, that are fed to stats command, have no_event=null(), so when you include it in stats you get no results (trying to aggregate by something that doesn't exist). Using a string value to denote null (say NULL) in place of null() would be the way to go. ... View more

yup basically just doing it for faster search and yea im searching in all sources because I might as well create a summary index that can also helped with current and future dashboards ... View more

Start by thinking about what kind of graph you want to produce. What information is it going to transfer to the viewer? Your query produces a list of events where a field called total_waiting > 50. What is the important characteristic of those events? Is it the number of them per unit of time? ... View more

Hey@kiamco, For source=summary_daily_users You have splitted it by _time.This will give you hourly count of distinct users,since the summary index used earlier is hourly basis. You can try running your query like this: index=summary source="summary_users" | eval today=relative_time(now(),"@d") |eval time=strftime(today,"%d/%m/%Y %H:%M:%S") |stats dc(user_id) as user_id dc(named_user_id) as named_user_id dc(anon_user_id) as anon_user_id by time, ms_region, tenant_id, browser |collect index=summary source=summary_daily_users |sort -num(time) Let me know if this helps!! ... View more

I tried this out and you almost had it but I was able to fill in the blanks. Thanks that really helped a lot ... View more

| rest /services/authentication/users splunk_server=local |fields title, roles, email | rename title as user | eval roles=if(roles="admin","admin","") | eval action="need to reset password" |join type=left user [|search index=_audit (action="password change" NOT user=index-manager) |join user [| rest /services/authentication/users splunk_server=local |fields title, roles, email | rename title as user | eval roles=if(roles="admin","admin","") ] |eval timestamp= strptime(timestamp,"%m-%d-%Y") |eval check_time=if(roles="admin",relative_time(timestamp,"+30d@d"), relative_time(timestamp,"+90d@d")) |eval action=if(action="password change",if(check_time < now(),"need to reset password","password change successful"), "need to reset password") |convert ctime(*time*) ] |table user,email,roles, timestamp, check_time, action This is my final query it doesn't need a lookup and its not dependent on a lookup that I have to manually update every month or so ... View more