In this code snippet: dedup Machine | stats count(Machine) as Real_Count by Code are you trying to get a count of the unique Machine values by each Code? If so, you could use this instead: dc(Machine) as Real_Count by Code . I'm having trouble following the rest of your description. Could you include the results of your main stats command and also the command itself? That might help us troubleshoot. ... View more

Yes, your'e right, this looks like it will do the job, thank you. ... View more

Thanks for noticing the type. Just corrected it. ... View more

Like others have mentioned, you have way too much going on in that search for us to just immediately recognize what is wrong. But I think I can recommend some basic troubleshooting. Hopefully you've gone through this exercise already, but if not maybe now is the time. Your search is complex. Do you have any idea where the error in logic shows ups? Does the base search work? If so, do you see the results you expect after the foreach? If so, does that mvzip do what you expect? And so on. Splunk's SPL isn't all or nothing. Start stepping through each phase of your search to try identify where the mistake is introduced. Start with the base search and pipes one at a time. And if you have lots of data you're working with, change your base search to include one or two specific sources so that maybe the mistake will be more obvious when you get there. Nobody here is going to be able to help you identify the issue without sample data. And even then, I think there's a lot of logic built into that search based on what you understand about this data, so we would still struggle to follow along. So just take it step by step on your own and should find the issue. ... View more

one note I changed the "times" to" timed" at the end of the 4th line ... View more

Thank you! ... View more

Pretty sure that the problem will be in your regular expression; when I do search time field extractions that don't appear in the interesting fields, 100% of the time it's because I've screwed up the RegEx. What does the line look like you're trying extract MachineModel from? \d{2} might be a better way of finding "910" if that's what you're looking for, but, it may be the .*? at the start that's breaking the extraction. ... View more

Read these: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorChangestoYourFileSystem https://splunkbase.splunk.com/app/2776/ ... View more

Yes I think that was the Problem, I ended up searching multiple indexes using the OR boolean, and its working. I appreciate the help, however I was required to delete the posting, still Thank You! ... View more

It worked! Thank you ... View more

If I'm understanding this correctly, is this what you are looking for: You do a search of problem tickets that have individual ID numbers: search PBM The results are logs for the problem tickets with the various RMTMS values. The RMTMS values are the serial numbers of the machines associated to the problem tickets. You then want to take the serial numbers and search your asset inventory to see what the patch level is and compare the systems to see if they are equivalent? So for instance, I've got problem ID PBM 8675309. The RMTMS values that come back for are serial numbers 00042, 01337, and 01010. I will then search my asset inventory to see if those three systems are all running NT 4 Patch 6 and IIS 3.12? So then my end table would be: 00042 - NT 4 P 6 - IIS 3.12 01337 - OS/S IIS - IBM 2 01010 - NT 4 P 6 - IIS 3.11 Is that correct? ... View more

I thought that raby1996 only needed to know how to run two searches at the same time. Please excuse me if anyway I caused any confusion. I see that your answer used also the Boolean operator OR, but your answer is very complete definitely. ... View more

Thank you! ... View more

It worked! Thank you. ... View more

This seems to work with a limited set of test data. But it's also late, so it could be way off too 🙂 Essentially, I'm trying split the event by the hashtags, and then expand those sections into separate events. So instead of 1 event above, you'd have 4. And then I rex the serial and bu for each of those new events (so each section of the original 1 event). Then across all events, i do a stats for the largest bu by _raw (even after the expand, all of those new events still have the same _raw). So now each event has a _raw, serial, bu and the max(bu) that represents the highest bu across the same original event. So finally, I filter on where the max field is the same as the bu field, since those will only match for those events that represent the largest bu per _raw. And that's it, just table the remaining serial and bu fields. Hopefully that makes sense (and is logically correct) index=* sourcetype="test:serial" | eval blah = _raw | makemv blah delim="#############################" | mvexpand blah | rex field=blah "Serial:\s+(?<serial>\S+)[^-]+-(?<bu>.+)" | eventstats max(bu) as max by _raw | where max=bu | table serial bu ... View more

Thank you, and as a side note it also worked when i set my rex to search for that specific pattern with a max_match=0, then i just use eval max ... View more

Great, thank you! ... View more

Here you go. ... View more

That worked wonderfully, thank you! ... View more

It will show under the same field if you've correctly done the renaming in the stats within appendpipe. | stats sum(Field1) as Field1 will give total of all values of Field1 and list it under Field1 only. If you don't mind, could you paste the query that your tried? ... View more