As a matter of fact, one actually doesn't need to specify the field name, which contains all the key value pair. I used following simple extract parameters: | extract pairdelim="," kvdelim=":" One doesn't need to escape "," as done in the first answer! ... View more

Hi, I've a similar use case but to get the second and last Saturday's. I tried to use your search but couldn't get there. Can you please help me with that. TIA ... View more

If you want to align time so that your 4 hours windows are always 0-4, 4-8, 8-12 and so on, then you should use the aligntime parameter to the bin command to align it to the day starting point, otherwise it will bucket the data into 4 hours windows based on the current hour being the last of 4. | bin _time span=4h aligntime=@d Note that your startTime appears to be text, so you would also need something like | eval start_time=strptime(StartTime, "%m/%d/%Y %H:%M") | bin start_time span=4h aligntime=@d Note that I assumed US time above, as the data doesn't say either way.     ... View more

Hi @niketn  I'm also looking for the similar requirement like in the below screenshot, I've to show counts for total and escalations. Please let me know if it is possible in Splunk with header and a sub-header. TIA     ... View more