I agree with the use of isnotnull if you want only events that had the returned values from the lookup. ... View more

hey that worked, thank you ... View more

Sure, do this: ... lookup test.csv X OUTPUTNEW Y | nomv Y ... This will flatten the list into a single value. ... View more

If you want time bucketed on something other than the even increments, then you have to cheat a bit. Basically, you have to calculate an offset time, bin THAT, and then add back the offset. The following code assumes the data is non-sparse enough that there will be at least one event in the first 10 minute increment. | addinfo | eval MyBinField = _time - info_min_time | bin MyBinField span=10m | MyBinField = MyBinField+info_min_time Sometimes when doing time binning, there is value in tossing in a fake start and end point before invoking the bin command. | addinfo | eval MyBinField = _time - info_min_time | append [|makeresults | eval MyBinField=0 | eval FakeFlag="DeleteMe"] | bin MyBinField span=10m | where FakeFlag!="DeleteMe" | MyBinField = MyBinField+info_min_time ... View more

Just lie to Splunk about your time value, like this: ... earliest=-12h@m | eval _time = _time - (60 * tonumber(strftime(now(),"%M"))) | bin _time span=1h | stats count BY field ... View more

How about you give updated answer a try. ... View more

oh ok my understanding of eventstats was slightly off, your last comment makes a lot of sense now, thanks for all the help, this has been troubling me all day. You definitely cleared up my confusion! ... View more