Please try something like.. (would be good if paste some sample events , so we can frame the query) |inputlookup Qasd.csv |stats latest(alpq) as latest_time first(alpq) as earliest_time by Release | eval earliest_time=strftime(earliest_time,"%d/%m/%Y") | eval latest_time =strftime(latest_time,"%d/%m/%Y") ... View more

Hi Check this and modify accordingly <form> <label>Product</label> <fieldset submitButton="false"> <input type="dropdown" token="product"> <label>Product Type</label> <choice value="ProductA">ProductA</choice> <choice value="ProductB">ProductB</choice> </input> <input type="dropdown" token="field2"> <label>field2</label> <fieldForLabel>Version</fieldForLabel> <fieldForValue>Version</fieldForValue> <search> <query>|inputlookup RK.csv | eval date = strptime($product$,"%d/%m/%y") | where date < now() | table Version | sort - Version</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> </fieldset> </form> OR If you want only the latest value <form> <label>Product</label> <fieldset submitButton="false"> <input type="dropdown" token="product"> <label>Product Type</label> <choice value="ProductA">ProductA</choice> <choice value="ProductB">ProductB</choice> </input> <input type="dropdown" token="field2"> <label>field2</label> <fieldForLabel>Version</fieldForLabel> <fieldForValue>Version</fieldForValue> <search> <query>|inputlookup RK.csv | eval date = strptime($product$,"%d/%m/%y") | where date < now() | table Version | sort 1 - Version</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> </fieldset> </form> ... View more

You would need to compare against epoc. One way to check would be |tstats `summariesonly` earliest(_time) AS et where index=* by index, sourcetype, _time span=1mon | where > 1546300800 I have used the epoc time converter to get 154* dating back to 18months. you can change as needed ... View more

Hi Check this solution to get month diff by @somesoni2 https://answers.splunk.com/answers/352963/how-to-calculate-total-month-difference-between-da-1.html ... View more

Give this version a try | rest /services/data/indexes | table title frozenTimePeriodInSecs minTime maxTime totalEventCount | eval minTime=strptime(minTime,"%FT%T%Z") | eval maxTime=strptime(maxTime,"%FT%T%Z") | stats sum(totalEventCount) as totalEventCount min(minTime) as minTime max(maxTime) as maxTime values(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title | rename title as index | streamstats count as Row | eval Days=frozenTimePeriodInSecs/86400 | eval Year=Days/365 | fields Row index frozenTimePeriodInSecs minTime maxTime totalEventCount | convert ctime(minTime) ctime(maxTime) timeformat="%FT%T%Z" If you still don't see the time, that is because those indexes do not have any data in them, so there is no minTime/maxTime to display. ... View more

Add this to the search above: | search hour>=0 hour<=12 wday IN (Mon,Tue,Wed,Thu,Fri) Or for numerical week days ("%w" instead of "%a"): index=dcsdjc ... | eval _time=_time-7*60*60 | eval wday=strftime(_time,"%w") | eval hour=strftime(_time,"%H") | search hour>=0 hour<=12 wday>=1 wday<=5 Check out the documentation on Date and time format variables. ... View more

Splunk will always use UTC (GMT) to index events - internally it uses Unix Time or epoch which is always UTC. To have Splunk search in a timezone other than UTC the simplest way is to ensure your Locale is set to the timezone you want to use as your reference time. (From the menu, click your username and select preferences) If you have already set your locale to a UTC adjusted timezone and it still shows incorrectly, you have a problem with your timestamp extraction. ... View more

add this to your base search date_wday IN (monday,tuesday,wednesday,thursday,friday) date_hour>=0 date_hour<=12 you might need to tweak the <=12 depending on your requirements index=dcsdjc host=awer THREAD_WALL_MS!=null date_wday IN (monday,tuesday,wednesday,thursday,friday) date_hour>=0 date_hour<=12 | bin _time span=1h | streamstats count as Req by host, _time | eval RequestsPerMin=Req/60 | eval RequestsPerSec=RequestsPerMin/60 | stats avg(RequestsPerMin) as AvgRequestsPerSec, max(RequestsPerMin) as MaxRequestsPerSec, p95(RequestsPerMin) as P95RequestsPerSec by host | eval AvgRequestsPerSec=round(AvgRequestsPerSec,2), MaxRequestsPerSec=round(MaxRequestsPerSec,2), P95RequestsPerSec=round(P95RequestsPerSec,2) | sort -MaxRequestsPerSec, -P95RequestsPerSec ... View more

For the PST part, run the search as a user that had <LoginID> -> Preferences -> Time zone to PST. For the other part, you can add something like this to your search: ... | eval date_wday = strftime(_time, "%a") | where NOT (date_wday = "Sat" OR date_wday = "Sun") ... View more

Typed on a phone, so there may be errors, but would something like this work for you? ...|search QUEUE=message* |eval level=case((QUEUE=MESSAGE1 AND QueueDepth>=400 AND MessageAge>=400), "high", (QUEUE=MESSAGE2 AND QueueDepth>=200 AND MessageAge>=300), "high", (QUEUE=MESSAGE3 AND QueueDepth>=100 AND MessageAge>=300), "high",1=1,"other") |where level="high" |stats count by QUEUE ... View more

You're missing a | before the where, other than that, I think that should do it indeed. ... View more

Hi @rajhemant26 Click 101010 and paste your query. Some part is truncating ... View more

hi @rajhemant26 try like this | makeresults | eval Date="12/08", shiftA=102, shiftB=10, shiftC=200 | append [| makeresults | eval Date="25/08", shiftA=240, shiftB=102, shiftC=52] | table Date shift* | eval Max=0 | foreach shift* [eval Max=case(Max>=<<FIELD>>,Max,true(),<<FIELD>>)] |sort - Max |head 1 ... View more

There is any other way? ... View more

This is an intensely broad and tricky problem. Here is some stuff to try: https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html https://splunkbase.splunk.com/app/4375/ ... View more

Hi , Can you use timechart instead of stats and use span of 1month over there ... View more

Looking at this some more I think the crux of the problem is grouping by month. As a starting point I've put together some SPL to show how to obtain the month from a timestamp then do a count by month. The value generated in the _time will be a random time in the year 2018, as 1514764800 is epoch in seconds for the beginning of year 2018. | makeresults count=100 | eval seconds_into_year = random() % ( 365 * 24 * 60 * 60 ) | eval epoch_start_of_2018 = 1514764800 | eval _time = epoch_start_of_2018 + seconds_into_year | eval month_number = strftime(_time,"%m") | eval month_name = strftime(_time,"%b") | stats count by month_number, month_name I'm hoping with this tip you should have enough to solve the question now. ... View more

Try this host=sbej* sourcetype=kekc_thjs R=* index=perf earliest=1514764800 latest=1538265600 | eval host_type=case(host LIKE "%wad%", "WAd") | bin span=1mon _time | streamstats count as Request by host_type, _time | eval RequestsPerMin=Request/24*30/60 | eval RequestsPerSec=RequestsPerMin/60 |stats count(R) as Requests avg(RequestsPerSec) as AvgRequestsPerSec, max(RequestsPerSec) as MaxRequestsPerSec, p95(RequestsPerSec) as P95RequestsPerSec by _time host_type |eval AvgRequestsPerSec=round(AvgRequestsPerSec,2), MaxRequestsPerSec=round(MaxRequestsPerSec,2), P95RequestsPerSec=round(P95RequestsPerSec,2) |sort -MaxRequestsPerSec, -P95RequestsPerSec ... View more

@rajhemant26, If you just want the count for last 2 minutes, set the earliest time to last 2 minutes relative to current time and do a stats count on the data, For eg. host=werdw* sourcetype=dfgc_metric R=* earliest=-2m@m | eval host_type=case(host LIKE "%wap%", "WAP", host LIKE "%web%", "WEB", host LIKE "%task%", "TASK", host LIKE "%iin%", "IIN", host LIKE "%gen%", "GEN", host LIKE "%ion%","ION", host LIKE "%int%", "INT", host LIKE "%out%", "OUT", host LIKE "%rpt%", "RPT", host LIKE "%rpo%", "RPO", 1=1, "Other") | stats count as Request by host_type You need to use bin/bucket only if you want to split the data into time bukcet of 2 mins for the last x minutes/hours. streamstats is used when you need a moving sum/avg/otehr agg functions over data ... View more

Try this Calculation for request per minute |eval RequestPerMin = Request / (4 * 60) ... View more

In your stats command you can add Req in by clause, if that is what you want as output . See below- stats avg(RequestsPerSec) as AvgRequestsPerSec , max(RequestsPerSec) as MaxRequestsPerSec , p95(RequestsPerSec) as P95RequestsPerSec by Req host_type _time ... View more

Hi rajhemant26, you need to install a Universal Forwarder on the Windows Server you want to monitor and also install the Splunk Add-on for Microsoft Windows on it afterwards. Then it's simply done by enabling the required inputs contained in the MS Windows TA. ... View more

hello there, tried your search, it works on my dummy data. can you verify again? | gentimes start="08/18/2018:00:00:00" end="08/18/2018:00:10:00" increment=2s | eval _time = starttime | eval R = random()%500 | eval THREAD_WALL_MS = random()%1000 | eval host = random()%3 | eval host_type = case(host=1,"some_type",host=2,"other_type",host=0,"deferent_type") | rename COMMENT as "the above generates sample data, below is your query" | bucket span=10min _time | stats count(R) as Requests, max(THREAD_WALL_MS) as "TotalResponseTime", avg(THREAD_WALL_MS) as avg_rt by host_type _time |eval avg_rt=round(avg_rt,2) |eval TotalResponseTime=round(TotalResponseTime,2) |rename avg_rt as "AvgResponseTime" |eval Throughput=(TotalResponseTime/Requests) |dedup 1 host_type |rename host_type as "Server" |sort Server hope it helps ... View more

The next step is to figure out which part is taking up too much time. Run each segment individually: earliest=1520640000 latest=1531526400 (index=app host="prod*" AND host= "*web*" OR host= "*wap*" _raw!="" AND _raw!="*sql*" AND exception!="*db2*" AND exception !="*solr*" error) | stats count Post the resulting count plus these values from the job inspector: scan count, run duration (or run time?). ... View more

You should develop this as a base search (that brings back all three months in a single result) and then post-process those results individually to select each months' data into each panel, and then to analyze all the data for your last panel. ... View more