maybe you can use advanced xml to color your graph look at the documentation : http://docs.splunk.com/Documentation/Splunk/5.0.3/Viz/Chartcustomization ... View more

It is inferred from the result of sampling. NO col1 col2 col3 1 A X Y 2 B 3 C X 4 D 5 E col1 col2 col3 col1 100%(5/5) 40%(2/5) 20%(1/5) col2 40%(2/5) 100%(2/2) 50%(1/2) col3 20%(1/5) 50%(1/2) 100%(1/1) ... View more

yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | stats count by hostname should work. This will extract all of the hostnames in the log, if you replace the first line with a general query like sourcetype=ZZZZ where ZZZZ is the sourcetype of the data. If you want to see the events, but only certain fields, you can do this yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | table hostname You could also filter like this yoursearchhere | rex "\son\s*(?<hostname>ncdap\S+)" | where hostname="ncdap-prd1911" OR hostname="ncdap-prd1914" | stats count by hostname ... View more

yoursearch |eval time1=strftime(_time,"%b-%y") |eval time2=strftime(_time,"%Y%m") |stats count by time2 time1 |fields - time2 This should work. ... View more

Give us an example of what your data looks like and what you want to extract from it. ... View more

really ur maverick...its worked.... ... View more