@cboonyan  You're on the right track with makeresults. Here's one possible solution: | makeresults count=7 | streamstats count | eval _time=relative_time(_time-86400*count, "@d") | fields - count | eval host="host1 host2 host3", host=split(host, " ") | mvexpand host | table host _time | sort host _time | rename host as HOST, _time as DATE | fieldformat DATE=strftime(DATE, "%F") ... View more

hi, I have tried to include $search$ into the message field according to http://docs.splunk.com/Documentation/Splunk/6.5.5/Alert/EmailNotificationTokens. However, when I sent a test email, the token resolves to nothing. The default $name$ token however resolves to something. I have tried both report into dashboard and inline report panel but both exhibits same blank result for $search$. ... View more

Are these records time oriented? Using streamstats may also be an option (as part of the solution only). ... View more

Hi @cboonyan, Let me explain that. When we do an eventstats of values(Col_C) as vals by Col_A, it creates a new column "vals" and add all distinct values of Col_C (no,yes) for each row of Col_A. Col_A Col_B Col_C found vals ID_A log 1 yes 1 no yes ID_A log 2 yes 1 no yes ID_A log 3 yes 1 no yes ID_B log 4 no no ID_B log 5 no no The column vals is a multi value field. Now with mvfind, we search in the vals for a "yes" and mvfind returns the index of matching starting with '0'. In our case, since the "yes" is second value in the list, it always returns 1. It's possible that you are applying this on a different dataset and not what you have given in this example. Neverthless, we can generalize it by using the below search ( |where NOT isnull(found) ) instead of using 0 or 1. "your search"|sort Col_A|eventstats values(Col_C) as vals by Col_A |eval found=mvfind(vals,"yes") |where NOT isnull(found)|fields - vals,found If you are grouping by Col_C itself , it might not be correct. Let's know if you need any further assistance ... View more