Are you trying port 8000 or port 8089 -- command port is usually 8089. ... View more

Do you mean something like this?: |rest /servicesNS/-/-/saved/searches | table title eai:acl.app eai:acl.owner actions search So maybe with your criteria, it'd be: |rest /servicesNS/-/-/saved/searches | table title eai:acl.app eai:acl.owner actions search | where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%" Alerts generally have actions so you could add a filter for those, or there may be other ways to do it: |rest /servicesNS/-/-/saved/searches | search NOT actions="" | table title eai:acl.app eai:acl.owner actions search | where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%" ... View more

You're looking for a way to persist some search results -- and then further filter them? There's a few mechanisms for that with Splunk. I think one is the closest to what you're looking for: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob See also: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing There's likely a few others that also would help. Good luck. ... View more

Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are... Broadly you can look at these: https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch ... View more

Here's a search with numeric values - that you can look at: index=_internal sourcetype=splunkd kb=* | table _time sourcetype kb | eval threshold = if(kb<80,"UNDER","OVER") | streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold | eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","") | eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","") ... View more

How we did that was to pull together the list of inputs and then add a streamstats like this: | streamstats current=t window=3 values(status) AS last_three by input_name Something like this: index=_internal sourcetype=dbx_job_metrics | sort input_name _time | table input_name _time status | streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name | search values_three != "COMPLETED" You'll need to adjust a little to get your > 80% in there.. but that's the basics of it. ... View more

Does your resulting table only have a single row in it? Or are there multiple rows? dc returns a single value, but I think values returns a multi-value field. I'm just shooting in the dark at this point but maybe: Change dc(dest) AS host count -> values(dest) AS host count Swap the field names -> dc(dest) AS hash values("match_hash") as host_count Remove the "by "intel_name". I did notice that you seem to be quoting the other fields, but not dc(dest)? ... View more

hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory. I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it. ... View more

So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search? If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache? ... View more

Notable link is on Lower right... under Adaptive Responses.. ... View more