I see similar issues with a search where the from clause specifies a datamodel.dataset - summariesonly=t returns no results but summariesonly=f does. If you specify only the datamodel in the FROM and use a WHERE nodename= both options true/false return results So your search would be | tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware where nodename=Malware_Attacks by Malware_Attacks.signature | drop_dm_object_name("Malware_Attacks") | sort 10 - dest_count LMK if that works in your case. ... View more

nice. tks v much ... View more

interested in how you did this with lookup...??? ... View more

When I try to implement the 6.2 solution, I see the results of my referenced report but the pipe to stats seems to be ignored. Any insights? <panel> <table> <search ref="acall"> | stats count </search> </table> </panel> ... View more

still having the effect. I'm installing it on Win8.1 using the default c:\program files directory. Does it have hardcoded directory paths or other environment dependencies? ... View more

Thank you! And thanks for creating this app, I'm really looking forward to using it. I'll download the new version ASAP. ... View more

problem persists on my system... ... View more

Interestingly, there seems to be some limiter on number of results but I can't find any entry in limits.conf to explain it. In my lab environment, it behaves fine until I exceed 60000 results, once I exceed that it returns only the first 50000 results. Up to that point performance seems linear, execution time increasing with the number of results as expected. ... View more

Nice, thank you. Beautifully simple and elegant. Only concern is scalability/ performance as the map search runs once per input and that can be a very large number. Something to test 🙂 ... View more

Thanks - I see the entry in limits.conf which can be increased but I'm not anxious to do that as you can imagine. Here's a summary of the use case below. I'm exploring several different approaches - subsearches, lookups using outputlookup, intermediate .csv files using outputcsv, transactions, joins... it seems like a simple scenario and is actually quite malleable, however several of the approaches run out of steam on scalability as the number of events gets large, others on performance... Scenario: Splunk query to determine whether a new transaction which is performed by a company in the past hour has any historical record. A transaction is deemed to have historical record if there is a similar transaction performed by the same company in past 90 days having the **same beneficiary name OR beneficiary account number** ... View more

This revised regex should do the named capture from the sample string you provided backwardslashS(?lessthanpathddgreaterthan.+)tomcat7 Notes on modification to regex: changed to capture any non-whitespace character (S) before the literal value "tomcat7" also the named capture's name shouldn't contain a hyphen so changed it to pathdd tested against your supplied input string at regex101.com Match information MATCH 1 pathdd [1-58] home/jenkins/qa-automation-smcconnell/Automation/Tomcats/ Hope this helps with the regex part of the question. If you're working against input from an inputlookup command I believe someson12 is correct - in the rex command you need to specify the fieldname from the csv that you want to apply the regex to. sorry for some reason the capture name was edited out when i posted the reply, possibly because or the angle brackets - i've replaced them with "lessthan" and "greaterthan" here, also the backslash at the beginning ... View more

sorry for some reason the capture name was edited out when i posted the reply, possibly because or the angle brackets - i've replaced them with "lessthan" and "greaterthan" here \S(?lessthanpathddgreaterthan.+)tomcat7 ... View more

This revised regex should do the named capture from the sample string you provided \S(?.+)tomcat7 Notes on modification to regex: changed to capture any non-whitespace character (\S) before the literal value "tomcat7" also the named capture's name shouldn't contain a hyphen so changed it to pathdd tested against your supplied input string at regex101.com Match information MATCH 1 pathdd [1-58] home/jenkins/qa-automation-smcconnell/Automation/Tomcats/ Hope this helps with the regex part of the question. ... View more

It's a two-step process - you have to first create a CSS file for your custom appearance, then reference that CSS file in the XML of your dashboard. Here are some useful links which will help you tie it together and also get information on other customization options Customizing dashboards and custom stylesheets: http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/CustomizeSimpleXML#Custom_stylesheet Simple XML reference: http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/PanelreferenceforSimplifiedXML#dashboard Dashboard examples app: http://apps.splunk.com/app/1603/ - this is a great resource for any customizations you may want to do. ... View more

answering my own! pilot error - I forgot I had the fieldformat for _time from the "non-timewrap" version I derived this from. So took it out [further simplifying the search] and got my x-axis markings...Sweet! ... View more

hoow can I change my profile contact information, there doesn't appear to be any edit mechanism beyond username and email ... View more

rex ")s(? .*Exit|[^.]+)" | dedup Message Case sensitivity in field names: I notice you used "message" [all lower case] in the regex but "Message" in the dedup. Field names are case sensitive so this may be part of your problem ... View more

Great clarification/ correction. Thanks! ... View more

Is the text in a field? If so an eval expression would be one solution startswith=eval(thefieldname=="Sophos Anti-Virus service entered the stopped") If there's further text in the field following this phrase you could use a wildcard at the end. "Sophos Anti-Virus service entered the stopped*" If it's not a pre-defined (persistent) field you could use rex or erex to create a transient field before the transaction command and use that in the startswith/ eval. ... View more