Hello I have to find all the alerts and dashboards queries by sourcetype i saw this query but it is not contains the query inside the dashboard\alert   | union [| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" | search "eai:data"="*index=*" | eval Type="Dashboards" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write] [| rest splunk_server="local" "/servicesNS/-/-/admin/macros" | search definition="*index=*" | eval Type="Macros" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write] [| rest splunk_server="local" "/servicesNS/-/-/saved/searches" | search search="*index=*" | eval Type="Saved Searches/Alerts/Reports" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]   maybe there is another way to achieve my goal ?     thanks ... View more

Hello, Is it possible to add banner to dashboard in order to separate between panels ?   Thanks ... View more

Hello I want to monitor if user run new search in our environment or created new alert  i tried to use this query :   |rest /services/saved/searches | search action.email.to=* OR action.email.to=* | where disabled=0 | table title , search , updated   the problem is that there is no time field in order to compare the 'updated' value with time to know if there is something new. is there any other way to check new entries ? ... View more

Hello, I want to calculate a ratio between two fields (i know it suppose to be an easy one but looks like im missing something) i want to count all the Totals and then check where Total > 200  as latency and count them all  after i have both of them i want to check if the ration between them is > 0.3   sourcetype="*user-program*" | rename AdditionalData.Total as Total | eval Latency=if(Total>200,Total,null()) |eval Ratio = Total/Latency   this one returning no results ... View more

Hello, I have a query that return results if im running it for 1 hour but if im trying to run the query for more than 1 our it returns no result..  index=clientlogs sourcetype=clientlogs Mode=Real ApplicationIdentifier="*" "orders-for-open" (Action="OpenPositionRequest" AND Level=Info) | eval StartTime=strptime(ClientDateTime,"%Y-%m-%dT%H:%M:%S.%3N") | rename Request_Id AS RequestId | stats min(StartTime) as StartTime min(_time) AS _time BY RequestId | join RequestId [ search index=clientlogs sourcetype=clientlogs Mode=Real ApplicationIdentifier="*" Message="Create OrderForOpen" | rename OrderID AS PushEventData_Position_OrderID ] | join PushEventData_Position_OrderID [ search index=clientlogs sourcetype=clientlogs Mode=Real ApplicationIdentifier="*" (Message="Position.Open" AND (PushEventData_Position_OrderType=17 OR PushEventData_Position_OrderType=18)) | eval finishTime=strptime(ClientDateTime,"%Y-%m-%dT%H:%M:%S.%3N") | stats min(finishTime) as finishTime min(_time) AS _time BY PushEventData_Position_OrderID ] | eval Latency=finishTime-StartTime | where Latency>0 | timechart avg(Latency) span=1m ... View more

Hello I have a field that does not return results when searching for specific string.  i need to combine two searches so i will be able to return this field + other results from the search with the specific string this is my query :   sourcetype=clientlogs OR sourcetype="client-logs-api" Categories="Login" | stats count(eval( Message="Unable to load " OR Message="Unable to load from SDK")) as Faliure, values(Message) as Message values(IPAddress) as IPAddress, values(Url) as url by Country SessionGuid | appendpipe [ stats sum(Faliure) as Faliure | fillnull value=0 Faliure | eval Country="TOTAL" ] | appendpipe [ stats count(SessionGuid) as FailedSessions | eval Country="TOTAL",Faliure="Faliure"] ] | table SessionGuid IPAddress Country Faliure Message FailedSessions url | sort - Faliure   i need to add the field CID which return no results when searching for the message at the beginning of the query  how can i join them together so i will see in the table also the values of CID ? ... View more