See if this helps.  It uses actual times rather than relative ones, but the format is there. index=_internal status=* earliest=-30m ``` Get the most recent status for each API every 5 minutes | timechart span=5m latest(status) as status by API ``` Convert timestamp to time (HH:MM) ``` | eval _time=strftime(_time,"%H:%M") ``` Flip the display so time is across the top and API down the side ``` | transpose 0 header_field=_time column_name="API" ``` Fill in blank cells ``` | fillnull value="-" ... View more

One of these should work, depending on which count must be greater than 2 index=idx-sec-cloud sourcetype=rubrik:json NOT summary="*on demand backup*" (custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty")) OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas")) OR (custom_details.eventName="Vmware.VcenterRefreshFailed") OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed") OR (custom_details.eventName="Hawkeye.IndexRetryFailed") OR (custom_details.eventName="Storage.SystemStorageThreshold") OR (custom_details.eventName="ClusterOperation.DiskLost") OR (custom_details.eventName="ClusterOperation.DiskUnhealthy") OR (custom_details.eventName="Hardware.DimmError") OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement") | eventstats count | where (count > 2 AND (custom_details.eventName="Mssql.LogBackupFailed")) OR count <=2 OR OR (custom_details.eventName!="Mssql.LogBackupFailed") | eventstats earliest(_time) AS early_time latest(_time) AS late_time index=idx-sec-cloud sourcetype=rubrik:json NOT summary="*on demand backup*" (custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty")) OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas")) OR (custom_details.eventName="Vmware.VcenterRefreshFailed") OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed") OR (custom_details.eventName="Hawkeye.IndexRetryFailed") OR (custom_details.eventName="Storage.SystemStorageThreshold") OR (custom_details.eventName="ClusterOperation.DiskLost") OR (custom_details.eventName="ClusterOperation.DiskUnhealthy") OR (custom_details.eventName="Hardware.DimmError") OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement") | eventstats count(eval(custom_details.eventName="Mssql.LogBackupFailed")) | where (count > 2 AND (custom_details.eventName="Mssql.LogBackupFailed")) OR count <=2 OR OR (custom_details.eventName!="Mssql.LogBackupFailed") | eventstats earliest(_time) AS early_time latest(_time) AS late_time ... View more

Contact Splunk at education_amer@splunk.com or Pearson Vue via their web site at https://home.pearsonvue.com/Test-takers/Customer-service.aspx ... View more

This thread is over three years old, is not related to Dashboard Studio, and involves a user who is no longer on the forum.  Please post a new question. ... View more

What have you tried so far?  How have those efforts not met expectations? An alert is just a scheduled search that takes action on what it finds.  Do you have a search, yet? As is often the case, a specific question is more likely get a response than a vague "I need help" message. ... View more

Yes, you should update a local config file and (almost) never a default file. ... View more

Given that a sourcetype is just a stanza name in a props.conf file, I think you need either the configs/conf-props endpoint or the properties/props endpoint. ... View more

You don't say if this a Trial account or not, but Splunk Cloud trial accounts do not have access to the REST API. Time out errors typically come from firewalls or other network devices that drop connection attempts. ... View more

The login used to download the software doesn't matter.  What matters is that the software *runs* as the right non-root user (typically 'splunk').  The license is already installed on your system and doesn't change with software versions. Be advised that upgrading from 7.2 to 9.x is not a one-step process.  You will need to install 8.1.x first.  Please read the Release Notes for the versions being skipped as well as https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/AboutupgradingREADTHISFIRST ... View more

The rex command looks at every result.  If you need to exclude certain results then you'll have to craft a regular expression that does so.  Another option is to filter the start and end blocks out of the results - assuming they're not needed for other parts of the query. ... View more

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/ FTR, if an <env> value is missing, it will be absent from the stats command results, not zero. ... View more

The tstats command will be faster, but processing a year of data for all hosts will still take a long time. | tstats prestats=true count where index=foo by _time,host span=1mon | timechart span=1mon count by host   ... View more

To find out which fields are present in the lookup and absent in the index use a subsearch, like this: | inputlookup test_data.csv where NOT [search index=test sourcetype=splunk_test_data | fields field1 field2 | format] ... View more

Start with this query and modify as necessary to suit your requirements.  Note that, by default, the _internal index only has 30 days of day so there may no "by month". index=_internal source=*scheduler.log* savedsearch_name=* sourcetype=scheduler alert_actions!="" ... View more

I don't know how to do that. ... View more

Use btool   splunk btool --debug props list splunk-logs   It will display all of the props for the sourcetype along with the file name in which the prop is defined. Remember, never change $SPLUNK_HOME/etc/system/default/props.conf and change $SPLUNK_HOME/etc/apps/*/default/props.conf only if it's your app.  Otherwise, put the change in local/props.conf. ... View more

We don't know what's going on, either.  What makes you think it's "erroring out" if there are no errors? You may have to add some debugging code to the script so it tells you more about what is happening. ... View more

What is the error? ... View more