Hi all, For a search similar to the following: index=myindex "Search Term" NOT field=value source="mylog.log" | eval totalx=aCount+bCount | stats sum(totalx) by y | sort -sum(totalx) Splunk returns exactly the data I am looking for. A table of sum(totalx) by y (of which there are around 5 different values of y). I have a request to combine the sum(totalx) values for 2 of the 5 values and treat them as one value but leave the rest unchanged. What would be the best way to accomplish this? For instance, right now my search returns a table similar to this: y sum(totalx) 1 10 2 20 3 30 4 40 5 50 I am essentially trying to create an additional field, let's call it 45, which represents the sum of 4 and 5 at all times. So instead, the data being visualized is: y sum(totalx) 1 10 2 20 3 30 45 90 Thanks! ... View more

I am using the transaction command in Splunk to group the events of an identical log file across two hosts. Essentially, the field=value pairs across both hosts should be identical at all times. From time to time, issues can issue that cause the two hosts to become out of sync. I'd like to have a search that only identifies transactions where the field=value pairs do not match exactly. What would be the best way to accomplish this? For instance, using the search below groups the log files from multiple hosts into a single transaction by second. "searchterm" source="mylog.log" | transaction field maxspan=1s I want to only return events with the below pattern (mismatches) 2020-01-10 17:30:00,348 INFO field=true 2020-01-10 17:30:00,351 INFO field=false But ignore events with this pattern (identical) 2020-01-10 17:30:00,348 INFO field=true 2020-01-10 17:30:00,351 INFO field=true Or this pattern (identical) 2020-01-10 17:30:00,348 INFO field=false 2020-01-10 17:30:00,351 INFO field=false ... View more

Hi all, I am running a search that returns many events. Some of these events contain a field value that is also in a lookup table I have uploaded. What is the best way to format my search in such a way that it ONLY returns events where the field value in the event is present in the lookup table? Right now, the lookup itself works, but the search returns all events, whether it can look up the field value or not. Thanks! ... View more

What would be the best way to run a week to date search (timechart/bin) that "flattens" the individual days so I can get an average count per minute for the week? I don't care so much about the count per minute per day, but the average count each minute taking the entire week into account. For instance, if I want to take "timechart span=1m count" and run that week to date, but ignore the dates and only focus on times. The idea would be the have the avg(count) at 8:00, 8:01, 8:02 etc and compare that to the "current" count today. Ideally I'm looking to run a search for Today, timechart span=1m count - and add avg(count) per minute for the prior week to give an idea for how today compares to historical data. Thanks! ... View more

I currently have a timechart running every minute each day to show a given field value as it increases through the day. The data is being displayed as an area chart. If possible, I'd like the add an overlay to the chart that will show the "average" value each minute over a larger time period (yesterday, or last week for instance). I already have the "historical" timechart data being saved to a summary index, I'm just wondering what the best way would be to incorporate it. Right now, the search is relatively simple: "my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | timechart span=1m count And I am running this same search, without the earliest and latest filters and writing the results to summary index. So it is just a matter of taking today's count by minute and comparing to the summary index count by minute so get a baseline of today vs prior days to make it easier to see if it is "normal" or not. ... View more