| makeresults | eval _raw = "user_name machine_name event_name logon_time user1 machine1 logon 12/9/2021 7:20 user1 machine1 logoff 12/9/2021 7:22 user1 machine1 logon 12/9/2021 8:20 user1 machine1 logoff 12/9/2021 8:22" | multikv forceheader=1 | eval _time = strptime(logon_time, "%m/%d/%Y %H:%M") ```| reverse``` | fields - _raw linecount | eval login_time = if (event_name == "logon", logon_time, null()), logout_time = if (event_name == "logoff", logon_time, null()) | transaction endswith=(event_name=logon) startswith=(event_name=logoff) user_name machine_name ```| transaction startswith=(event_name=logon) endswith=(event_name=logoff) user_name machine_name``` | eval session_duration = tostring (duration, "duration") | rename login_time as logon_time | table user_name machine_name event_name logon_time logout_time session_duration how do i repplace the below section of query with results from a query _raw = "user_name machine_name event_name logon_time user1 machine1 logon 12/9/2021 7:20 user1 machine1 logoff 12/9/2021 7:22 user1 machine1 logon 12/9/2021 8:20 user1 machine1 logoff 12/9/2021 8:22 my base query yields data like below wic needs go to _raw index=foo source = bar | fields user_name, macine_name, event_name, logon_time this query will result 1000s of rows that may look like belwo data user1 machine1 logon 12/9/2021 7:20 user1 machine1 logoff 12/9/2021 7:22 user1 machine1 logon 12/9/2021 8:20 user1 machine1 logoff 12/9/2021 8:22 I need to feed those thousands of events to _raw to makeresults. Any help is much appreciated. thanks ... View more

I have a dhasboard which should show buckets with number of machines by span of time.  Machine A to F is used for 2 mins Machines D-T was used for 2hrs Machine s-Z was used for more than 4hrs So my graph should show the buckets with time range as a standard set.  XAxis <5 mins, 5-30mins 30min - 2hrs 2-4hrs  > 4hrs YAxis  No of machines logged on for <2mins No of machines logged on for 5-30mins  and so on. Logon Time Logoff Time MachineName SessionTimeinMins 12/1/2021 19:33 12/1/2021 19:36 A 3 12/1/2021 16:46 12/1/2021 17:04 B 18 12/1/2021 15:35 12/1/2021 15:38 C 3 12/1/2021 11:35 12/1/2021 11:38 D 120 12/1/2021 16:35 12/1/2021 21:35 E 300   Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan But this do not help in achieving what i wanted. Any help is much appreciated.  Ho do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket.    Thanks     ... View more

I have a Dashboard which returns a table. the Drilldown is selected as Row for this table. There are 2 rows with DisplayVersion as 2.8.110 and NULL. When I click on the row with the DisplayVersion as 2.8.11.0, it opens a new window with base query that includes "search "DisplayVersion='2.8.11.0' " and return 223 rows. But When I click the row with DisplayVersion as NULL, it opens a new window with only the base query and still returns 223 rows. Ideally it should open the base query + "Search DisplayVersion = "" " and just display one row. But it is not happening so. Can someone please clarify why? Image attached for your reference. ... View more

Problem to solve: we have say 500 servers. out of 500 servers some servers have older versions of software installed. Some server are even missing the softwares. we are trying to list this in the report. SoftwareName Version NoOfhostwithsoftwareinstalled NoOfHostmissingSoftwares Listofhosts_thataremissing_softwares Software1 1.0 300 10 server1 software1 1.1 190 server2 ...... server10 I am trying to achieve this with the base search / postprocess. I am able to list first 4 columns. But Not able to list the servers missing package. <code> My dashboard XML: <dashboard> <label>Installed Softwares List</label> <search id="baseSearch"> <query>index=powershell source="powershell://CCT-InstalledSoftware" sourcetype=CCT_Software host ="UE1*A01" | dedup host, DisplayName, DisplayVersion</query> <earliest>-24h</earliest> <latest>now</latest> </search> <search base="baseSearch"> <query> | stats dc(host) as TotalNoOfHosts values(host) as allhostlist</query> <done> <condition> <set token="tokhost">$result.TotalNoOfHosts$</set> <set token="tokhostlist">$result.allhostlist$</set> </condition> </done> </search> <row> <panel> <search base="baseSearch"> <query>search DisplayName="software*" | stats dc(host) as HostsWithPackage values(host) as packlist </query> <done> <condition> <set token="tokpack">$result.HostsWithPackage$</set> <set token="tokpacklist">$result.packlist$</set> </condition> </done> </search> <table> <title>List of Hosts with Package</title> <search base="baseSearch"> <query>search DisplayName="software1*" | rex "DisplayVersion=(?<versionD1>\d+)" | rex "DisplayVersion=\d+.(?<versionD2>\d+)" | rex "DisplayVersion=\d+.\d+.(?<versionD3>\d+)" | rex "DisplayVersion=\d+.\d+.\d+.(?<versionD4>\d+)" | sort host -versionD1 -versionD2 -versionD3 -versionD4 | streamstats count by host | where count=1 | eval Version = versionD1.".".versionD2.".".versionD3.".".versionD4 | dedup host, DisplayName, DisplayVersion | dedup host, DisplayName, DisplayVersion | stats estdc(host) as HostsWithPackage by DisplayName DisplayVersion</query> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel> <table> <title>Hosts_missing_packages</title> <search> <query>| makeresults | eval Hosts_missing_packages=$tokhost$-$tokpack$ |table Hosts_missing_packages</query> <earliest>@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard> Can someone suggest how do I pass the list values from both the searches to my final panel and find the missing list of servers. ... View more

Moderator Note: the below was originally posted as an Answer on an old question, but being it's own question it has been split out accordingly index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* DisplayName="anysoftware*" host=prod1* | dedup host, DisplayName | stats count(host) as #_of_Hosts_with_package by DisplayName, DisplayVersion | append [search index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*| table host | search NOT [search iindex=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | search "DisplayName"="anysoftware*" | dedup host | table host] | rename host as Hosts_Missing_software | stats count(Hosts_Missing_software) as #_Hosts_Missing_LeostreamAgent, list(Hosts_Missing_software) as Hosts_Missing_software] The append do not yeild all of the results due to maxout limit. So moving to multisearch. I am trying to do same search with multisearch but not working. Any help is much appreciated. TIA | multisearch [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | fields hos t| rename host as Hosts_raw_List | eval type="search1" ][index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* Name="Anysoftware*" | fields host Name Version | rename host as hostwithpack | eval type="search2" ] | eval result=search1-search2. my search1 results 12 hosts. (total number of hosts available) search 2 results 11 hosts (Hosts with software installed) I am looking for results like in table: "Name" | Version | #ofhosts withsoftware | #of hosts without software | list of hosts with no software" can anyone pls help! TIA ... View more