Hello, I am having difficulty using the 'where property in (x,y,z,...)' type search filter in Splunk. Specifically, when the property values are strings. This works for me: index=indexName | where 'Error.Code' in (5224, 5198) But this does not: index=indexName | where 'Error.Type' in (ServConfigError,GetCompFail) Any idea why that would be? I've tried a lot of combinations of quotes, single and double, around different things, and also trying this kind of construction: index=indexName 'Error.Type' in (ServConfigError,GetCompFail) and this index=indexName | where in ('Error.Type', ServConfigError,GetCompFail) and so on, and I can't get it to work thanks for any help ... View more

Hello, I'm looking to create a query that is a timechart that timewraps every week, for x number of weeks, showing the count of a given field on a variable span within a given set of time on a certain day of the week with upper and lower bounds as overlay lines that are averaged for that hour across all the weeks in the time chart. I know that sounds super generic, so for example, the chart could say show me the -average http_response_time every 5 minutes -from 2-3pm on every Tuesday -timewrapped weekly over the last 10 weeks -with upper and lower bounds, say 25th and 75th percentile overlays, where the overlays are the average response time for that hour averaged out across all weeks, to check trends over the entire period Here is what I have come up with so far, using the eventgen app to generate test data: index=main /booking | eval hour=tonumber(strftime(_time,"%H")) | eval year=tonumber(strftime(_time,"%Y")) | eval month=tonumber(strftime(_time,"%m")) | eval dayOfWeek=strftime(_time, "%A") | where (and here can day day and hour to whatever) | timechart avg(http_response_time) span=1hour | timewrap 1day series=relative | append [ search index=main /booking | fields http_response_time | timechart avg(http_response_time) as SecondAverage stdev(http_response_time) as StandardDeviation perc75(http_response_time) as upper_control_limit perc25(http_response_time) as lower_control_limit span=1d | eval lowerBound=(SecondAverage-StandardDeviation), upperBound=(SecondAverage+StandardDeviation) | fields _time lowerBound upperBound upper_control_limit lower_control_limit SecondAverage] | eval hour=strftime(_time,"%H") | table hour * part of the issue with the above is the overlay displays next to the averages, like this: https://imgur.com/a/YxregbJ any help is appreciated, Thanks! ... View more