Hi @bheptinstall, Did you ever figure this out or get a reason to what the cause is? Thanks, ... View more

I thought I would pop in and let you all know the resolution from Splunk. :\d{2}\s+(?P<Successful>\d+)\s+(?P<Failed>\d+)\s+(?P<Percentage>\S+) IN bodyPreview   ... View more

@gcusello Thank You! Your solution worked, partly. At search time this worked perfectly:  Using - nTimeframe\s+\(\w+\)\s+\w+\s+\w+\s+\%\s+\w+\\\\\w+\\\\\w+\\\\\w+\\\\\w\d+\:\d+\-\d+\:\d+\\\\\w+\\\\\w+\\\\\w+\\\\\w(?P<Successful>\d+) However, neither the regex above or the following worked as a field extract:  Regex101 - nTimeframe\s+\(\w+\)\s+\w+\s+\w+\s+\%\s+\w+\\\w+\\\w+\\\w+\\\w\d+\:\d+\-\d+\:\d+\\\w+\\\w+\\\w+\\\w(?P<Successful>\d+) I have opened up a ticket with Splunk to see  if they can figure it out. For now I will be using the search time extraction. If Splunk provides a solution, I will post an update. ... View more

After @fredclown above stated there was no way to do a fourth dimension in a Bar Chart, I opened a case with Splunk. Low and behold, he was right, which lead to some changes in our SPL. I thought I would share, just in case somebody else runs into the same issue. ```Grab badging data for the previous week``` index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0w@w | bin span=1d _time | rename CARDNUM as badgeid | stats count by badgeid _time | join type=left badgeid ```Use HR records to filter on only Active and LOA employees``` [search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d | eval "Employee ID"=ltrim(tostring('Employee ID'),"0") | stats count by "Employee ID" _time | fields - time | rename "Employee ID" as employeeID | fields - count ```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region``` | lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region] | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" | eval badgeid=coalesce(badgeid,badgeid_1) ```Calculate the number of badge check-ins in a given week by badgeid``` | bin span=1w _time |stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid _time ```Calulation to determine the number of employees within District that are Hybrid Remote but have not badged-in``` | join District [| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") ```AND NOT like(District,"IT")``` AND NOT like(District,"Digital") AND Region="Non-Branches" | stats count as total by District] | eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3") | table _time District interval total ```Modify District Here vvv``` | where District="Compliance" | stats max(total) as total count as total_intervals by _time District interval | sort District - _time | fields - District | chart max(total) as total_emp max(total_intervals) as total by _time interval | rename "total: <3" as "<3" "total: >=3" as ">=3" "total_emp: <3" as total | fields - "total_emp: >=3" | stats sum(eval(total-('<3'+'>=3'))) as no_badge_ins last("<3") as "<3" last(">=3") as ">=3" by _time | rename _time as week_of | eval week_of=strftime(week_of,"%Y-%m-%d")   ... View more

Yes. So imagine the first stack with the markup being applied across the chart. ... View more

Thank you for the response but the suggestion does not resolve the problem. The dashboard needs to be delineated in a stacked format by District with each District showing weekly results over a 4week period. ... View more

Apparently, this is a known issue and we be resolved in future releases. ... View more

Splunk Cloud Version: 9.0.2209.2 Build: 65513fa942ad ... View more

Thank you @richgalloway  That was one of the search I attempted and Splunk shows it as having a 50k limit. ... View more

Thanks for the suggestion, but this did not resolve the issue. I have not pursued any further due to the requirement of ingesting the file was canceled. Thanks again! ... View more

Thank you @scelikok ! This worked perfectly! Almost. The query return the data in the format I was looking for, however it only returning 11 rows of data, where there should be a 1000+. On another note... Leave it to me to totally overthink the logic. Thanks again. ... View more

Thank you cmerriman! That worked perfectly! I simply copied and pasted your revisions and it worked! ... View more

@to4kawa Thank you for the help with your response! It took me awhile to get back to this, due to other projects. After many different variations of my logic I ended up only searching one index, which resolved my issue along with your suggestion. Below is the latest version of the script which is working as desired. index=foo sourcetype=bar (OU="Vendor - Long Term" OR OU="Vendor - Short Term" OR OU="Vendor - VPN") lastLogonTimestamp* | fields cn, lastLogonTimestamp, userPrincipalName, userAccountControl, accountExpires, OU,distinguishedName | dedup cn | rex field=distinguishedName "(?<AccountType>(?<=OU=)(.*)(?=,OU=Vendor))" | eval last_logon = strptime(lastLogonTimestamp, "%H:%M.%S %p, %a %m/%d/%Y") | where last_logon < relative_time(now(),"-14d@d") | eval last_logon_date =strftime(strptime(lastLogonTimestamp,"%I:%M.%S %p, %a %m/%d/%Y"),"%Y/%m/%d") | eval NetworkID = trim(replace(userPrincipalName, "@g1net.com", "")) | eval uac = case(userAccountControl==66050,"Disabled, password never expires",userAccountControl==512,"Enable Account",userAccountControl==514,"Disable Account",userAccountControl==544,"Account Enabled - Require user to change password at first logon",userAccountControl==4096,"Workstation/Server",userAccountControl==66048,"Enabled, password never expires",userAccountControl==66050,"Disabled, password never expires",userAccountControl==262656,"Smart Card Logon Required",userAccountControl==532480,"Domain Controller",userAccountControl==1,"Script",userAccountControl==2,"Account Disabled",userAccountControl==16,"Locked Out",userAccountControl==512,"Normal Account",userAccountControl==8388608,"Password Expired",userAccountControl==8,"Home Directory Required",userAccountControl==32,"Password Not Require",userAccountControl==64,"Password Can't Change",userAccountControl==128,"Encrypted Text Password Allowed",userAccountControl==256,"Temp Duplicate Account",userAccountControl==2048,"Interdomain Trusted Account",userAccountControl==4096,"Workstation Tusted Account",userAccountControl==8192,"Server Trusted Account",userAccountControl==65536,"Don't Expire Password",userAccountControl==131072,"MNS Logon Account",userAccountControl==262144,"Smartcard Required",userAccountControl==524288,"Trusted for delegation",userAccountControl==1048576,"Not Delegated",userAccountControl==2097152,"Use Des Key Only",userAccountControl==4194304,"Don't Req Preauth",userAccountControl==16777216,"Trusted to auth for delegation") | rename cn as "Name" NetworkID as "Network ID" AccountType as "Vendor Type" uac as "Account Status" last_logon_date as "Last Logon" accountExpires as "Account Expires" | table "Network ID" Name "Vendor Type" "Last Logon" "Account Expires" "Account Status" | sort "Vendor Type", "Last Logon" ... View more

Thanks for the response @to4kawa! Display Name | Classification | Last Login Date > 60 Days | Account Status Jon Doe |AD Security Group | 12/1/2019 | Disabled The goal is to alert our help desk with this information so a ticket can be opened. We will probably have the alert run once a day. ... View more