Hi, struggling to get single values to show with trendline comparing to previous month.   | bin span=1mon _time | chart sum(cost) as monthly_costs over bill_date   Tried differnt varations. The above will show a single value for each month, but I want to add a trendline to the single value to compare to the previous month. Any ideas? Thanks! ... View more

Hi,   Struggling trying to figure out what I'm doing wrong. I have the following SPL | inputlookup append=t kvstore | eval _time = strptime(start_date, "%Y-%m-%d") | eval readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S") start_date is YYYY-MM-DD, when I modify the _time, I can see it is changed via readable_time, but the timepicker still ignores the change. I can say search last 30 days and I get the events with _time before the range in the timepicker. Any ideas?  Thanks! ... View more

Hi, We already have a case open but wondering if someone else ran into this problem. Randomingly Scheduled Searches are losing the original owner and defaulting to Other This causes the cron scheduled to be running at the wrong times, since the timezone defaults to the system timezone.   Does anyone have any experience in figuring out why the owner is being changed to Other? We use SAML.   Thanks  Chris ... View more

Hi, trying to get stats of user search stats. I'm struggling trying to workaround the 10K limit with distinct , stats dc(sids) in the below query.    ("data.search_props.type"!=other "data.search_props.user"!=splunk-system-user AND "data.search_props.user"!=admin data.search_props.sid::* host=* index=_introspection sourcetype=splunk_resource_usage) | eval mem_used='data.mem_used', app='data.search_props.app', elapsed='data.elapsed', label='data.search_props.label', intro_type='data.search_props.type', mode='data.search_props.mode', user='data.search_props.user', cpuperc='data.pct_cpu', search_head='data.search_props.search_head', read_mb='data.read_mb', provenance='data.search_props.provenance', label=coalesce(label,provenance), sid='data.search_props.sid' | rex field=sid "^remote_[^_]+_(?P<sid>.*)" | eval sid=(("'" . sid) . "'"), search_id_local=replace('data.search_props.sid',"^remote_[^_]+",""), from=null(), username=null(), searchname2=null(), searchname=null() | rex field=search_id_local "(_rt)?(_?subsearch)*_?(?P<from>[^_]+)((_(?P<base64username>[^_]+))|(__(?P<username>[^_]+)))((__(?P<app>[^_]+)__(?P<searchname2>[^_]+))|(_(?P<base64appname>[^_]+)__(?P<searchname>[^_]+)))" | rex field=search_id_local "^_?(?P<from>SummaryDirector)" | fillnull from value="adhoc" | eval searchname=coalesce(searchname,searchname2), type=case((from == "scheduler"),"scheduled",(from == "SummaryDirector"),"acceleration",isnotnull(searchname),"dashboard",true(),"ad-hoc"), type=case((intro_type == "ad-hoc"),if((type == "dashboard"),"dashboard",intro_type),true(),intro_type) | fillnull label value="unknown" | stats max(elapsed) as runtime max(mem_used) as mem_used, sum(cpuperc) AS totalCPU, avg(cpuperc) AS avgCPU, max(read_mb) AS read_mb, values(sid) AS sids by type, mode, app, user, label, host, search_head, data.pid | eval type=replace(type," ","-"), search_head_cluster="default" | stats dc(sids) AS search_count, sum(totalCPU) AS total_cpu, sum(mem_used) AS total_mem_used, max(runtime) AS max_runtime, avg(runtime) AS avg_runtime, avg(avgCPU) AS avgcpu_per_indexer, sum(read_mb) AS read_mb, values(app) AS app by type, user | eval prefix="user_stats.introspection." | addinfo | rename info_max_time as _time | fields - "info_*"   Can someone suggest a tweak in the SPL to get around distinct 10K limit? Thank you,   Chris ... View more