Reviving a dead thread but I believe your solution is precisely the same as @rocketboots_ser's, except using _time rather than a fixed time. In either case the changing of time zones doesn't affect the outcome.  A more compact rewrite is this:  | eval time_UTC = strftime(2 * _time - strptime(strftime(_time, "%F %TZ"),"%F %T%Z") Which relies on the same tricking of strptime() into thinking the output of strftime() is in UTC with the %Z variable. Doesn't matter if you use _time or 2000-01-01 as long as you're consistent.  ... View more

Sorry kind of fell off there, but just wanted to update in case others see this.  Basically the problem is for the "fully populated" case.  For fully populated data, why not use this? index=example | stats avg(field1) perc95(field2) by x,y,z a,b,c I may not have been very clear here, but basically this would not work because what I'm looking for is:  avg(field1) perc95(field2) x y z a b c f1g1   10 20 30         f2g2       1 2 3 f1g3   40 50 60         f2g4       4 5 6   Here we have agg stats for four groups, g1to g4. For example g1 represents the stats for the grouping x=10, y=20, z=30, a=*, b=*, c=*, and g4 represents the stats for the group of transactions with x=*, y=*, z=*, a=4, b=5, c=6.  Just a stats doesn't help us here  because of overlap, for instance g1 contains events of g2 (g1 contains events with a=1,b=2,c=3 and g2 contains events with x=10,y=20,z=30) ... View more

That is possible. You would get most impact if your generated sum of time segments caused splunk to ignore whole buckets vs. the whole time range. So obviously there would be much less I/O overhead, memory use, opened files and so on. With search like "(earliest=-10m latest=-9m) OR (earliest=-8m latest=-7m)" vs. "(earliest=-10m latest=-5m)"... I wouldn't expect much improvement. It also depends on the data and search itself so YMMV. ... View more

Not sure actually, I am actually not the admin of our cluster but I know both of those things (reassign captain, rolling restart) have happened between then and now either due to other issues or updates.  Either way it seems to have cleared up some time ago now...  ... View more

The way that we did this was to run a base search and capture the SID using the addinfo command to get info_sid and then using |loadjob <SID here> in the other part of the search. This works great, except it makes the drilldown funky because it starts with | loadjob obscuring the base search. ... View more

| stats count | eval raw="2019/10/01,2019/10/04" | makemv delim="," raw | mvexpand raw | eval raw=strptime(raw,"%Y/%m/%d") | makecontinuous span=5m raw | eval _time=raw | eval Total_ct=random() % 100 + 1 `comment("this is sample data")` | timechart span=1h avg(Total_ct) as Total_ct | eval days=tonumber(strftime(_time,"%d")) | eval time=tonumber(strftime(_time,"%H")) | xyseries time days Total_ct | sort time | fields - 4 Hi, this is sample query.　Please take a look at Line chart. ... | bin span = 5m _time | timechart span=5m avg(Total_ct) as avg_Total_ct | eval days=tonumber(strftime(_time,"%d")) | eval time=tonumber(strftime(_time,"%H")) | xyseries time days avg_Total_ct | sort time How about this? ... View more

@w564432 this would be a tough ask for the built in Splunk Dropdown as the Text Box that searches the values and Dropdown Values are two different DOM nodes in the same Dropdown. So what it means is if you have values like host1, host2, host3 .... in the dropdown and you type in host in the textbox and then choose host1 or host2 as the value you Dropdown, you will still have host value present in the textbox. Since Value selected in the text box may not exist in the dropdown, if you select any text not present as Dropdown value, will not be displayed in the input. Following is one way to implement this using Simple XML JS extension and Splunk JS <form script="dropdown_textbox.js"> <label>Dropdown with Text Box</label> <fieldset submitButton="false"> <input type="dropdown" token="tokHost" searchWhenChanged="true"> <label>Select Host</label> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <default>*</default> <search> <query>| makeresults count=10 | fields - _time | eval sno=random() | eval sno=substr(sno,0,2) | eval host="host".sno | fields - sno | dedup host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <choice value="*">All</choice> </input> </fieldset> <row depends="$alwaysHideCSS$"> <panel> <html> <style> input[class^="TextStyles__StyledInputSearchInput-sc-"][data-test="textbox"]{ background:red !important; } </style> </html> </panel> </row> <row> <panel> <table> <search> <query>| makeresults | fields - _time | eval finalToken="$tokHostForSearch$"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> Following is the required JavaScript file dropdown_textbox.js file to be put under your Splunk App's appserver/static folder (which would need to be created if already not existing, also would required system restart/refresh/bump and browser history cleanup in case changes do not reflect). PS: jQuery Selector is based on Splunk 7.1.x and higher versions and may not work on previous versions. Within test Simple XML Dashboard hidden css <style> section has been added to test the Text Box selector within Dropdown which will turn red in case selector is valid (tested in Splunk 7.3.x) require(["jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], function($, mvc) { console.log("Inside Dropdown JS"); var defaultTokenModel=mvc.Components.get("default"); var submittedTokenModel=mvc.Components.get("submit"); //Token Value changed defaultTokenModel.on("change:tokHost",function(value,newValue,options){ console.log("Dropdown Value Changed"); var strDropdownSelection=defaultTokenModel.get("tokHost"); console.log("Changed strDropdownSelection:",strDropdownSelection); if(strDropdownSelection!==undefined){ //Set the token tokHostForSearch from strDropdownSelection defaultTokenModel.set("tokHostForSearch",strDropdownSelection); } }); //Text Box value changed $(document).on('change','input[class^="TextStyles__StyledInputSearchInput-sc-"][data-test="textbox"]',function(){ console.log("TextBox Value Changed"); var strTextBoxSelection=$('input[class^="TextStyles__StyledInputSearchInput-sc-"][data-test="textbox"]').val(); console.log("Changed strTextBoxSelection:",strTextBoxSelection); //Clear Dropdown if(strTextBoxSelection!==undefined){ defaultTokenModel.unset("form.tokHost"); //Set the token tokHostForSearch from strTextBoxSelection defaultTokenModel.set("tokHostForSearch",strTextBoxSelection); } }); }); ... View more