Solution: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-background-colour-to-single-value-visualisation-based/td-p/616565 ... View more

There are plenty of ways to do this using various forms of eval. You can use if/case to match the types then convert based on match type as suggested, or you could do something like | eval date=coalesce(strptime(DateAdded, "%m/%d/%Y"), strptime(DateAdded, "%F")) which would parse each date/time until one of them converts to non-null   ... View more

The appendpipe command usually is used in this case. | inputlookup my_lookup | search Exposure=External | stats count by Status | appendpipe [ stats count as Count | eval Status="No results",count=1 | where Count=0 | fields - Count ] | eval pie_slice = count + " " + Status | fields pie_slice, count   ... View more

So, Asset count * Exposure types = 68? Not sure how you get 2584 rows from that stats command. Anyway, so in your example, does the server1 row indicate that today has 1 CVE and 30 days ago there were none? How do you want to reflect 'difference'. You can try something like this ... | stats count values(cveID) as cveID by _time AssetName Exposure | nomv cveID | stats list(_time) as time list(*) as * by AssetName Exposure | eval time=strftime(time, "%F %T") | where mvcount(cveID)=1 OR mvindex(cveID, 0)!=mvindex(cveID,1) | table AssetName cveID Exposure count   ... View more

That command is not a valid Splunk command What you probably want is | stats dc(AssetNames) AS TotalExternalAssets dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets I assume the AssetNames field is the same field (not Asset_Names in the second case) This takes the count of unique assets (first dc()) and the second says  If the vulnerability is not missing, then count AssetNames, otherwise count NULL (this counts as 0)   ... View more

The earliest/latest stats commands always base early/late on the event time. What you want is simply min/max of my_report_date, which must be an epoch, so you will need to convert it first, i.e. | eval my_report_date=strptime(my_report_date, "%F") | stats min(my_report_date) AS FirstFound, max(my_report_date) AS LastFound by my_asset %F is shorthand for %Y-%m-%d ... View more

@mistydennis  Can you please try this? YOUR_SEARCH | eval t = mvzip(mvzip(server,error),uniquekey) | mvexpand t | rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" | table server error uniquekey   OR YOUR_SEARCH | eval t = mvzip(mvzip(server,error),uniquekey) | mvexpand t | eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2) |table server error uniquekey   My Sample Search :   | makeresults | eval error="1232 2345 5783 5689 2345 5678 5901", server="server1 server2 server3 server4 server6 server9 server7" | makemv delim=" " error | makemv delim=" " server | eval uniquekey=mvzip(server,error, ":") | rename comment as "upto this is sample data" | eval t = mvzip(mvzip(server,error),uniquekey) | mvexpand t | eval server=mvindex(split(t,","),0), error=mvindex(split(t,","),1), uniquekey=mvindex(split(t,","),2) |table server error uniquekey   | makeresults | eval error="1232 2345 5783 5689 2345 5678 5901", server="server1 server2 server3 server4 server6 server9 server7" | makemv delim=" " error | makemv delim=" " server | eval uniquekey=mvzip(server,error, ":") | rename comment as "upto this is sample data" | eval t = mvzip(mvzip(server,error),uniquekey) | mvexpand t | rex field=t "(?<server>.*),(?<error>.*),(?<uniquekey>.*)" | table server error uniquekey   I hope this will help you. Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.   ... View more

If you are using a lookup as a subsearch then you use "inputlookup" rather than lookup. There are three ways to solve your problem, two with subsearches 1. Search after lookup with a subsearch | inputlookup myinputlookup1 | search NOT [ | inputlookup my_lookup | fields my_lookup_field_matching_outer_field ] or 2. Basic Lookup  | inputlookup myinputlookup1 | lookup my_lookup InLookField AS LookField OUTPUT InLookField | where isnull(InLookField)  or 3. inputlookup with where clause using a subsearch  | inputlookup myinputlookup1 where NOT [ | inputlookup my_lookup | fields my_lookup_field_matching_outer_field ]  In each subsearch case, you need to make sure that the fields returned by the subsearch are the same as the field you want to filter from the inputlookup ... View more

Epoch date times start from 1970 so if you are prepared to consider 1969-12-31T23:59:59.999 as 1970-01-01T00:00:00.000, then you could use fillnull | eval newdate=strptime(lastscan,"%Y-%m-%d") | fillnull value=0 newdate | eval newdate=strftime(newdate,"%Y-%m-%d") ... View more

Finally figured it out. The correct timechart command was: index=foo sourcetype="bar" realm="keywords" | timechart span=1d distinct_count(User) by status ... View more