I don't think that's possible although you might be able to use a saved search so both reports run from the same search. ... View more

Try this */5 0-2,9-11,21-23 * * * Note that is has to be a separate cron schedule or you adapt your report to check whether the search time fits in the required time periods. ... View more

Try setting your token to value2 not row.<fieldname>.value ... View more

You are right, SPL does not do recursion or loops particularly well. However, if you know the maximum depth, you could use repetition | makeresults | fields - _time | eval _raw="from to A B A C A D B E B F B G F K F L C H D I D J J M" | multikv forceheader=1 | table from to | eval path=from."-".to | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] The last two lines are repeated sufficient times to resolve all paths. ... View more

Perhaps if you shared some anonymised events which demonstrate the issue you are facing, we might be better placed to advise. Please use the code block </> button when inserting event data so that formatting (e.g. white spaces) of the event is preserved. ... View more

If your subnets are in CIDR format, you can use the cidrmatch() function ... View more

You don't appear to have extract anything that identifies the transaction. You would need to do this and add it to the by clause of your stats command to split the transactions into separate "lines" ... View more

Assuming your time field is a numeric timestamp, the sort will put the events in descending time order i.e. latest first. The dedup will keep the first event in the pipeline for each table name. Without seeing the exact data you are dealing with, it is not possible to say whether the values you are showing are correct or not, but given the above assumptions, if you are not getting the data you are expecting, you should look closer at your actual data to determine where the discrepancy may have arisen from. ... View more

| stats list(src) as src list(dest) as dest sum(count) as count by signature_name ... View more

What steps did you follow to create the dashboard? ... View more

If you are trying to find new events when the job is running 2 hours later, why not just set the timeframe to -2h@h? ... View more

Just overwrite the success and fail fields index=my_index sourcetype=openshift_logs openshift_namespace=my_ns openshift_cluster="cluster009" ("message.statusCode"=2* OR "message.statusCode"=4*) | eval status=if('message.statusCode'>300,"fail","success") | search "message.logType"=CLIENT_RES | search "message.url"="/shopping/carts/*" | timechart span=1h dc("message.tracers.correlation-id{}") as count by status pct | addtotals | eval success=round(100*success/Total,1) | eval fail=round(100*fail/Total,1) ... View more

It is a bit confusing which results are coming from where. For example, are the results at 9:30 and 9:40 both coming from your base search of the second search? What "additional" data are you expecting to retrieve from the join? Note that join adds data fields to existing events, it does not add events. If you want to add events (from the summary index) use the append command instead of join. ... View more

Instead of the last 3 lines, try this | addtotals | eval successpercent=100*success/Total ... View more

This does what you say you want: | eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived | eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName) | eval sourceImageName=if(sourceImageName!="baseline","unknown","baseline") However, is it really what you want as image5 is derived from image 3, which is derived from baseline. If you want to know which images are ultimately derived from baseline, you need to repeat the first two lines (for as many depths as you need). | eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived | eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName) | eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived | eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName) | eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived | eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName) | eval sourceImageName=if(sourceImageName!="baseline","unknown","baseline") ... View more

This is a non-trivial task. Splunk processes events in a pipeline. In order to do what you want, the pipeline has to be processed multiple times. If you know what the maximum depth of references is, you could set up a series of essentially the same commands finding the next reference back, until you find a baseline, or assume that it is unknown. Do you know the maximum depth of references? ... View more