The data and lookup samples are not obvious, so I am not sure.   alert="Anonymous IP address" | lookup .... I suppose the order is this.   ... View more

| makeresults | eval _raw="ABCD" | appendpipe [ eval _raw="DABC" | appendpipe [ eval _raw="CBAB"]] ``` this is sample data ``` | eval _raw=split(_raw,"") | rex ("?<yourData>A") If the data has features, it can be extracted using regular expressions. ... View more

index="idx_cibca_Application_prod" sourcetype="tomcat:runtime:log:jpma" AND ("Job Details job name:" OR "lastUpdatedTS" OR "Time taken for" ) host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8 | rex "(?<Job_Thread_Name>\S+Range)" | rex "Job Details job name:(?<Job_Config_Name>.*) status:(?<JOB_STATUS>.*) timetaken:(?<TIMETAKEN>.*) minutes" | rex "(?<DATE_TIME>^(\d+)-(\d+)-(\d+)(\s+)(\d+):(\d+):(\d+).(\d+))" | lookup Application_Job_Thread_Name.csv Job_Thread_Name OUTPUTNEW Job_Name Job_Config_Name Frequency_Bucket_in_mins I don't have the log, so I don't know if it's accurate, but I think it will be faster except for the join. ... View more

If you have SECCMD do what I'm doing and search in smart mode, you're basically good to go. ... View more

.... | streamstats window=2 first(eval(rtrim(Percent,"%"))) as p_perc by Priority | eval trend=rtrim(Percent,"%") - p_perc | eventstats last(trend) as Trend by Priority | eval Priority=Priority."_".Trend | xyseries Priority month Percent | rex field=Priority "(?<Priority>.*)_(?<Trend>.*)"  There is only the image data, so I haven't tried it.     ... View more

sample: index=_internal earliest=0 sourcetype=splunkd_*| bin span=1d _time | stats sum(eval(len(_raw))) as bytes by _time sourcetype | eval KB=round(bytes/1024,2) | streamstats window=3 avg(KB) as trend by sourcetype | fields - bytes | xyseries _time sourcetype KB trend try bin and stats , not timechart ... View more

    index=firewall host="HQ-5020-1.firstagain.local" | bin _time span=1min | stats sum(bytes_in) as Received,sum(bytes_out) as Sent by _time dest_interface | rename dest_interface as Interface | eval Received=Received / 1024 / 1024, Sent = Sent / 1024 / 1024 | eval Bandwidth=round(Received + Sent,2)     Viz >> Line Chart with  trellis by Interface    sample: | tstats count where index=_internal by _time span=1h sourcetype | fields - count | eval bytes_out=random() / 1024 , bytes_in=random() / 1024 | stats sum(bytes_out) as Sent sum(bytes_in) as Received by _time sourcetype | rename sourcetype as Interface | eval Bandwidth = round( Sent + Received , 2) ... View more

<form> <label>hide_panel_width</label> <init> <set token="width_change">100</set> <set token="Viz">0</set> <set token="panel1">0</set> </init> <fieldset submitButton="false"> <input type="checkbox" token="width_change" searchWhenChanged="true"> <label>Width Change</label> <choice value="85">width_change<set token="Viz">1</set> <set token="pane1">15</set> </choice> <default>100</default> </input> </fieldset> <row> <panel depends="$alwaysHidePanel$"> <html> <style> #Table1{ width:$width_change$% !important; } #Panel1{ width:$panel1$% !important; } </style> </html> </panel> </row> <row> <panel id="Table1"> <chart> <search> <query>| tstats count where index=_internal by _time span=1h</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">none</option> </chart> </panel> <panel id="Panel1" depends="$Viz$"> <single> <search> <query>| tstats count where index=_internal by _time span=1h sourcetype | rare 1 sourcetype</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> </single> </panel> </row> </form> ... View more