So build on what @sjodle suggests here's what works best for me when I want to list a set of hosts to list in a slack window with carriage returns after each name. add space to the end of host name create new field name affected_hosts using values(host) so we have one field with all host names modify the new field to replace spaces with carriage return finally: use the field $result.affected_hosts$ in your slack message   <your search here> | eval host=host+" " | stats values(host) as affected_hosts | rex mode=sed field=affected_hosts "s/ /\n/g"   ... View more

Edit slack_webhook_alert.py Replace the last line with : try: json_object = json.loads(slack_message) requests.post(slack_webhook, data=slack_message) except ValueError, e: requests.post(slack_webhook, data=json.dumps({'text': slack_message})) This will allow you to send the message as JSON ... View more

This tools with be help full to work with JSON data JSON Formatter and Validator : https://jsonformatter.org JSON Viewer https://codebeautify.org/jsonviewer ... View more

index=live_index source="rest:" state=* | table _time hostname state | sort 0 hostname _time | rename COMMENT as "The above extracts and sorts your current state report records for your requested time period." | rename COMMENT as "This determines initial state and when the state changes." | streamstats current=f last(state) as priorstate by hostname | eval newstate=if(isnull(priorstate) OR priorstate!=state,1,0) | streamstats sum(newstate) as stateno by hostname | rename COMMENT as "This rolls together all the consecutive records for a given state." | rename COMMENT as "and checks to see if we had any hiccups." | stats min(_time) as _time, max(_time) as max_time, first(state) as state, count as duration by hostname stateno | eval duration = duration*300 | eval time_span=300+max_time-_time | eval countflag=case(time_span>duration,"Records missing",time_span<duration,"Records duplicated", true(),null()) | eval duration=if(duration<time_span,time_span,duration) | eval end_time=_time+duration | table _time end_time duration hostname state stateno countflag | rename COMMENT as "We can put out a file for investigating issues with our data " | appendpipe [ | where isnotnull(countflag) | outputcsv myproblems.csv | where false()] | rename COMMENT as "Now we can do stats directly on the records and various types of analysis" | stats count as statecount avg(duration) as avgduration by hostname state ... View more

about colors: what do you mean with "assign negative values with wild card", you can assign colors to negative numbers in output columns. about enddaysago, you should use another way to pass token to the search (e.g. a dropdown list or a text box) but not time picker. Bye. Giuseppe ... View more

I would like to retrieve the number of times a server went down. ... View more

Check out Horizon Chart where you have fixed timeline and can bring together different stats and compare the difference. Like CPU from Several Hosts at the same time. Punchcard should be able to depict what you need as well. ... View more

@rich7177 | stats latest(_time) as _time ... by host _time ??? ... View more

There are 2 timezone considerations: what is the TZ of the timestamper of your events and what is the TZ of the searcher of the events. You changed the former, which was almost certainly the wrong thing. The splunk indexer needs to know what TZ to use to interpret the timestamps in the sourcetype for each event; this typically is dependent on the host OS on the forwarder. That is the setting that you changed. You need to make sure that this is correct for each event (sourcetype/host combination). Once this is done, you need to change YOUR TZ setting with Your Login -> Account settings -> Time zone to be that of your personal/local/preferred value. The last thing to do is to click the Raw/List/Table setting on your Events tab to List (it should already be this way). This will create a field in all search results that shows YOUR PERSONAL timezone adjusted value for _time in the Time column. ... View more

not sure, but, did you try, TZ by this format in props? TZ = Europe/London and, are the Universal forwarders and search head are in same timezone? one more question - why two timezones in a single log file? also when i searched, it says CEST is not used nowadays at all. https://www.timeanddate.com/time/zones/cest ... View more

Thank you. Auto refresh working fine when i kept the div tag inside html table tag. Refresh is happening beautifully without our knowledge. I will try the refresh option inside search and update you. ... View more

See if this query gives you the desired results index="test1" (sourcetype="stype1" OR sourcetype="stype2") | rex "(?<status>Running)" | fillnull value="Not Running" status | stats latest(status) as status by sourcetype | eval running_ok = if(stype1="Running" AND stype2="Running", 0, 1) | eval final=running_ok | table running_ok final ... View more

Which limit in limits.conf do I need to change to allow the search to be queued? We have alerts that we definitely do not want to be skipped, but sometimes they take longer to execute and the following search is skipped because the first is not finished yet. ... View more

Thank you for the appendpipe . I made the following changes as per my requirement. It is working fine now. Now Success returns 0 , Failure returns 1 , No results found returns 9 . | eval final = if(status_="exist", 0, 1) | table final | appendpipe [stats count| eval final=9 | where count==0 |table final] | outputlookup output.csv ... View more