Thanks for the reply cmerriman. We are calling the endpoint from the Java based app and is there any way to get only isDone instead of the whole payload? ... View more

Sure, I'll try this and update you. Thanks. ... View more

HI Lucas, I'm not using any tstats command, we are only using datamodel command. | datamodel Thanks. ... View more

Hi, I've opened the datamodel via UI. I don't see transaction xxx , to add keepevicted=true. Can you elaborate where to add the keepevicted ? Thanks ... View more

That makes sense. Thanks for your time sundareshr . ... View more

That makes sense. That's what I need . The app is really helpful. Thanks for your time Luke,.... ... View more

Feel free to ask a new question about that, and make sure you include the dashboard xml that doesn't do what you expect. At some point we're just spamming an older question, veering further away from the original issue. ... View more

Check the answer by veganjay here: https://answers.splunk.com/answers/129773/advice-for-when-you-have-more-than-100-automatically-extracted-fields.html It worked for me. ... View more

Thank you. I'll try this. ... View more

It works if add "args." before argument name. For example the saved search (with the name "findSurname") is: host=my_host field1=$args.surname$ then you can do: SavedSearch savedSearch = splunkService.getSavedSearches().get("findSurname"); //get your saved search by name SavedSearchDispatchArgs dispatchArgs = new SavedSearchDispatchArgs(); dispatchArgs.add("args.surname", "IVAN*"); Job job = savedSearch.dispatch(dispatchArgs); while(!job.isDone()){ try { Thread.sleep(500); } catch (InterruptedException ex) { System.out.println("Waiting thread was interrupted: " + ex.toString()); } } try{ Args outputArgs = new Args(); outputArgs.put("output_mode","json"); InputStream inputStream = job.getEvents(outputArgs); byte[] buffer = new byte[4096]; while(inputStream.read(buffer)!=-1){ System.out.println(new String(buffer)); } }catch(Exception ex){ System.out.println("Error getting result from Splunk: " + ex.toString()); } Also you can see some examples about saved searches with Splunk SDK here: http://dev.splunk.com/view/java-sdk/SP-CAAAEKY ... View more

Perfect , This worked. It created a new column - "fieldnames" with the original column name. I could just search the new column which has no nulls. Thanks for your time Javiergn. ... View more

Additionally, move as much filtering as you can into search before the first pipe. (Exception: Report Acceleration / Postprocessing / etc. scenarios where you pre-compute a data cube style thingy and feed many things off it, here filtering late can make sense) ... View more

Hi, I think this solution needs one enhancement: In the case if latest time is now it passes "now" which in relative_time() functions gives empty result so it can be fixed by adding if("$time.latest$"="now", "-0","$time.latest$" ) condition as follows: index=foo sourcetype=bar earliest=0 | where strptime(abctime, "%Y-%m-%d") >=if(replace("$time.earliest$","\d","")!="",relative_time(now(),"$time.earliest$"),"$time.earliest$") AND strptime(abctime, "%Y-%m-%d") <if(replace("$time.latest$","\d","")!="",relative_time(now(),if("$time.latest$"="now", "-0","$time.latest$" ),"$time.latest$") ... View more

Yes, Perfect. Thanks Maciep 🙂 ... View more

I've date_hour and date_wday fields. Thanks for your time. ... View more

Perfect! It worked . Thanks for your time 🙂 ... View more

Very Welcome. 🙂 ... View more

Thanks Javiergn. That worked 🙂 ... View more