Hello Splunkers, My original data looks like this for a particular day in a below example. Currently, there are 10 entries in a day sometimes it's 4 entries and it's totally random. I would like to reshape my data as per hour and whenever there are no entries in an hour it should fill it as zero. TIME AND VALUE are the main key fields. ORIGINAL DATA _time TIME Value 1 2018-07-26 23:43:01.079 26-JUL-2018 00 2 2 2018-07-26 23:43:01.079 26-JUL-2018 04 2 3 2018-07-26 23:43:01.079 26-JUL-2018 06 2 4 2018-07-26 23:43:01.079 26-JUL-2018 09 2 5 2018-07-26 23:43:01.078 26-JUL-2018 12 2 6 2018-07-26 23:43:01.078 26-JUL-2018 15 3 7 2018-07-26 23:43:01.078 26-JUL-2018 16 4 8 2018-07-26 17:43:04.176 26-JUL-2018 18 2 9 2018-07-26 15:43:01.062 26-JUL-2018 21 1 10 2018-07-26 09:43:01.160 26-JUL-2018 23 1 I would like to change into per hour of raw data and fill with Zero for the time period where we don't have logs in Splunk. REQUIRED DATA TIME Value 1 7/26/2018 0:00 2 2 7/26/2018 1:00 0 3 7/26/2018 2:00 0 4 7/26/2018 3:00 0 5 7/26/2018 4:00 2 6 7/26/2018 5:00 0 7 7/26/2018 6:00 2 8 7/26/2018 7:00 0 9 7/26/2018 8:00 0 10 7/26/2018 9:00 2 11 7/26/2018 10:00 0 12 7/26/2018 11:00 0 13 7/26/2018 12:00 2 14 7/26/2018 13:00 0 15 7/26/2018 14:00 0 16 7/26/2018 15:00 3 17 7/26/2018 16:00 4 18 7/26/2018 17:00 0 19 7/26/2018 18:00 2 20 7/26/2018 19:00 0 21 7/26/2018 20:00 0 22 7/26/2018 21:00 1 23 7/26/2018 22:00 0 24 7/26/2018 23:00 1 Thanks in advance for your help 🙂 ... View more

Hi Splunker, Originally I have an output like this as a raw event in Splunk:- 2018-07-17 14:56:08 MIR="TUE, 17-JUL-2018", D_0="-", D_1="2", D_2="4", D_3="-", D_4="-", D_5="-", D_6="2", D_7="-", D_8="- ", D_9="2", D_10="-", D_11="-", D_12="-", D_13="-", D_14="-", D_15="-", D_16="- ", D_17="-", D_18="-", D_19="-", D_20="-", D_21="-", D_22="-", D_23="- ", TOTAL="10" Where D_0 is 00:00 HR , D_1 is 01:00 HR AM,D_2 is 02:00HR AM similarly D_23 is 23:00 HR . I would like to change it to below format:- TIME VALUE 2018-07-17 00:00 - 2018-07-17 01:00 2 2018-07-17 02:00 4 2018-07-17 03:00 - 2018-07-17 04:00 - Similarly, it goes on till 23:00 HR. Thanks in advance for looking into it ... View more

Hi Splunker, I have a logs which has Defect ID ,Actual Fix Time Taken,Detected By,Priority. I would like to calculate maximum value of Actual Fix time taken by each Priority and simultaneously i would like to see the Defect Id as well My output should look like that Priority Defect ID Detected by Maximum Actual Fix time(In days) P1 1234 x 2 P2 767 Y 5 P3 122 z 20 P4 3526 T 67 Note:- Actual Fix time means time taken to fix the defect and here i would like to know the Defect ID for which maximum time taken to close that defect against each priority. I tried using below mentioned query source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv" | fillnull value=NULL "Actual Fix Time" | search "Actual Fix Time"!=NULL | stats max("Actual Fix Time") as maxy by "Priority","Defect ID" Thanks in advance ... View more

Hi Splunker, How would like to learn how can i rex out these fields names and i don't want to rex out startTimestamp and endTimestamp in it. <activityName>TubeSales<activityName> <activityStatus>Play<activityStatus> <startTimestamp>Do not want to extract<startTimestamp> <endTimestamp>Do not want to extract<endTimestamp> <JourneyID>3DF62A1191152ED064B039AFD2C6A81E.node-app-1<JourneyID> <startID>C3FE7047-E9EA-78DE-D719-8D3D66EF4A1F<startID> <JourneyOrderPointsByProductCode> <ProductCode>16<ProductCode> <JourneyOrderPoints>130<JourneyOrderPoints> <JourneyOrderPointsByProductCode> <success> <GetRequiredJourneyOrderPointsend> </S:Body> Thanks in advance ... View more

Hi Splunker, I would like to know and learn how to replace ^ns4: with < Please find below dummy data. ^ns4:ChannelName>PublicSales ^ns4:Result>SUCCESS^/ns4:Result> Probably here HTML tags are not visible therefore not able to provide you the exact information. Thanks in advance ... View more