You have to use the rex command to extract the fields MachineID and Department.
| inputlookup "assets.csv" | rex "(?P<MachineID>\w+\d)-(?P<Department>\w+)" | stats count by Department
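The extraction in the answer above, reproduced in Python as an added example (not the poster's code). The sample asset names are constructed, and the function names are hypothetical. It also shows that names the pattern does not match drop out of the per-department count.

```python
import re
from collections import Counter

# Corrected pattern from the answer above: no space inside the group name,
# and the group is spelled "Department" to match the later stats clause.
ASSET_RE = re.compile(r"(?P<MachineID>\w+\d)-(?P<Department>\w+)")

# Pattern as originally posted, kept as a string to show that Python's re
# rejects it because of the space inside the group name.
POSTED = r"(?P< MachineID>\w+\d)-(?P<Departement>\w+)"


def posted_pattern_compiles():
    """Return True if the originally posted pattern compiles in Python's re."""
    try:
        re.compile(POSTED)
        return True
    except re.error:
        return False


def count_by_department(names):
    """Mimic `rex ... | stats count by Department` over a list of names.

    rex leaves the fields unset when the pattern does not match, and
    `stats count by` skips rows missing the by-field, so unmatched
    names are returned separately instead of being lost silently.
    """
    counts, unmatched = Counter(), []
    for name in names:
        m = ASSET_RE.search(name)  # rex is unanchored, like re.search
        if m:
            counts[m.group("Department")] += 1
        else:
            unmatched.append(name)
    return dict(counts), unmatched


# Constructed sample values, standing in for a column of assets.csv.
SAMPLE = ["WS1042-Finance", "WS1043-Finance", "SRV07-IT", "LAPTOP-HR", "printer_3"]

if __name__ == "__main__":
    print(posted_pattern_compiles())
    print(count_by_department(SAMPLE))
```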
Make sure that you saved the report in the same app context as your dashboard.
Make sure that your dropdown lists the name of the saved report.
Check the roles for your saved report.
Your dashboard code is still correct to run the saved report; see more in the new_in_splunk_6.2.pdf manual.
In the Search & Reporting app, build 3 searches:
1 with source=first source file that is in your index, and save it as eventtype Routers
index=my_index source=first_source_name
2 index=my_index source=second_source_name, save it as eventtype asa_firewall
3 index=my_index source=third_source_name, save it as eventtype acs_server
1. You can't use the token in the populatingSearch tag.
2. The search used in this tag must not be inline.
3. You must use count or table to pick data in the field.
4. Something like this:
| inputlookup file_name | stats count by field_name
Use only props.conf in your app directory. Try the following stanza:
[my_sourcefile]
EXTRACT-extract_hostname = (?<hostname>^([^.]+)..+..+s.+s.+)
To convert the filename date to epoch time format, try something like this:
.....| convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(date) as date
Look for more detail in the Search Reference manual.
Try something like this:
index="temp" testhost=* | bucket span=1d _time | eval allprocess=runing+sleeping+zombie | timechart avg(allprocess)
Change the span as you need.
Try something like this:
search /my/huge/query/with/lot/of/evals/and/joins|stats avg(field1) as avgfield1, avg(field2) as avgfield2|eval field3=mvappend(field1,field2)|mvexpand field3|table field3 avgfield1 avgfield2 | fillnull value="-"
The latest version of Splunk is an unreliable version.
Me too: I tried some queries with join, followed by the appendcols command, in 6.2.1. I got a different result from 6.1.2 (the correct one).
Try this:
"search A" | dedup TxnId | appendcols [search B or C | stats min(_time) as start_time, max(_time) as end_time by TxnId | eval total_time = end_time - start_time] | table total_time, Queue