Try this: ...your query (supposing your date field name is "date")... | eval date = strptime(date,"%m/%d/%Y") | sort - date | eval date = strftime(date,"%m/%d/%Y") ... View more

Maybe, it's the result you want? Consider you are reading 2 different events in different time. If it's the result you need, it's ok. ... View more

Ok, as you can see you don't have both values for the same event and in this case it's not possible with the logic in use. You have to use hostname and create a complete different search. ... View more

... "and I just want to display a result if LastLogon < 2 days from the current day and if LastReboot >10 days from the current day." you mean the last reboot executed in the last 10 days? Or executed more than 10 days ago? Please run the query I wrote and share (an example) the event you want to view. index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") | eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S") | eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S") | eval secondlastday=relative_time(now(), "-2d@d") | eval nexttendays=relative_time(now(), "-10d@d")| table LastLogon LastBootUpTime secondlastday nexttendays ... View more

...and pay attention that if you want to use | eval nexttendays=relative_time(now(), "10d@d") you have to use "+" | eval nexttendays=relative_time(now(), "+10d@d") but in this case you'll have a result date in the future. ... View more

I think it will be correct with "-10d@d" index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") | eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S") | eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S") | eval secondlastday=relative_time(now(), "-2d@d") | eval nexttendays=relative_time(now(), "-10d@d") | where (LastLogon < secondlastday) | table LastLogon anyway please run index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") | eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S") | eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S") | eval secondlastday=relative_time(now(), "-2d@d") | eval nexttendays=relative_time(now(), "-10d@d")| table LastLogon LastBootUpTime secondlastday nexttendays 1543420093.000000 is correct, it's the epoch time to compare. I use epochconverter ... View more

I think now the issue is related to the eval. I don't know what you want but you are not populating nexttendays with nexttendays=relative_time(now(), "10d@d"). If you try with nexttendays=relative_time(now(), "-10d@d") you will have results I think but I don't know if it's the result you required. So try to check variables with this: | makeresults | eval nexttendays=relative_time(now(), "-10d@d") | eval secondlastday=relative_time(now(), "-2d@d") | table nexttendays secondlastday ... View more

In the second query if you use only "eventtype=NATCO" (instead of "eventtype=Flag OR eventtype=NATCO") do you have the same result? ... View more

I shared the app with you. ... View more

Adjust AND (default) or OR as you needed and try adding to the search field=*, in your case similar to: credentials=* host=* okato=* command=* | where like(credentials, "%$credentials$%") OR like(host, "%$host$%") OR like(okato, "%$okato$%") OR where like(command, "%$command$%") ... View more

ok, shared. ... View more

ok, shared. ... View more

If you need 3.1.2, send me an email and I'll share a private link with you. andrea.corvini@gmail.com With the last message you mean you have different errors with 3.1.2? ... View more

Did you try with 3.1.2? With 3.1.3 I traced a lot of unresolved issues. ... View more

| timechart count as src is the right code (count of "src" events renamed in "src"). If you use "count by src" and you have deduplicated "by src" in the previous action, you can have always 1 as result (1 event per "src"). ... View more

Yes, you see 1 "count" field with value=5. No? ... View more

With "by src" you have 1 result per event, it's not one value. With "as src" you have 1 "count" result renamed in "src". ... View more

As in your example you can use "Server" in "Suppress results containing field value" if you want to stop alerts for the same server (i.e. all alerts for Server srv05). If you wan to stop alerts for all servers, leave blank "Suppress results containing field value". Time Server Response_time 07:40 srv01 28 07:58 srv05 58 08:50 srv04 13 10:13 srv08 43 11:54 srv03 33 ... View more

In this case you can use "Server" field to throttle if you want to stop alerts for that. Otherwise leave it blank to stop all. ... View more

Did you try with "* * * * *" (five asterisk) in cron definition? ... View more

Throttle works for the same field value. If the response time change, then you'll receive a new alert. Leave the field blank. ... View more

See here: https://community.oracle.com/thread/698380 Which version of jdk are you using? See here: https://www.genuitec.com/forums/topic/i-cannot-connect-to-sybase-db-browser/ This is an old version but anoter possible issue. ... View more

Can you give an example of your input? Because you would like to get the output divided by item_type but in the query you do not have any "by" condition. I would like to better understand what you have in input, the output you want is clear. ... View more

I'm not sure I understand what you want. Statistics of closed tickets "| append" statistics of tickets that are still open? If you want to see all the tickets opened as if they were open in the current month, overwrite the opening date with eval.... But your goal is not clear to me. ... View more