Hello, I have several different type of searches and made all of those as base search.   And now I want to make input token to decide which base search to use for my post process search.   I tried like below if this would work, but it doesn't work. Is there any way to make it possible??   <form> <label>test</label> <search id="base1"> <query> MYSEARCH1 </query> <done> <condition> <set token="mysid1">$job.sid$</set> </condition> </done> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <search id="base2"> <query> MYSEARCH1 </query> <done> <condition> <set token="mysid2">$job.sid$</set> </condition> </done> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <search id="base3"> <query> MYSEARCH1 </query> <done> <condition> <set token="mysid3">$job.sid$</set> </condition> </done> <earliest>$global_time.earliest$</earliest> <latest>$global_time.latest$</latest> </search> <fieldset submitButton="false"> <input type="time" token="global_time"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="tok"> <label>Choose sid</label> <choice value="mysid1">sid1</choice> <choice value="mysid2">sid2</choice> <choice value="mysid3">sid3</choice> </input> </fieldset> <row> <panel> <table> <search> <query>| loadjob $tok$ | table name</query> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>   ... View more

Hello,   I'm trying to make time based table to check trend right away. The data is currently accumulated on daily basis, which contains storage total GB, used GB per storage.   Now, I successfully made timechart that I can check trend of usage(used/  total * 100) data. I made timechart viz with below command.   my base search | eval usage = round('storage.used' / 'storage.total' * 100, 2) | timechart span=1d limit=0 values(usage) by name     I want to make table that could show me usage data of today, 1month ago, 3months ago, 6months ago by storage. Like below. (Usage data must be calculated by used / total * 100 of the specific date.)   storage   used   total   usage(today)    usage(1mon)   usage(3mon)    usage(6mon) A                 30      100     30                          27                        25                          23 ...   Is there any way to make table such way?? Thank you.   ... View more

Hello,   Is there right way to show timechart result span as 1day of percentage value which is calculated by stats or eval??   We have public ip total and used data as number currently. And those data is splited by data center.  So, I want to use data center as token while showing result data.   If I set data center as *, I want to get sum of every used data and total data of data center, and make it as percentage data like round(used / total * 100 , 2) and timechart those data..   I was trying to make the right command but I can't get any result with my command.   I tried like this. my base search data_center IN ($TOKEN$) | bucket span=1d _time | stats sum('ip.used') as used, sum('ip.total') as total by _time | eval usage=round(used/total * 100, 2) | timechart span=1d limit=0 values(usage)   I can't get the usage result with those command.. Could anyone let me try with right way??   Thank you.. ... View more

Hello, I am trying to build Splunk Dashboard with my logs in splunk. The rows are like below.   [row 1] {  "id" : 123,  "name" : "A",  "sub_id" : 444,  "count" : 25  }   [row 2] {  "id" : 123,  "name" : "A",  "sub_id" : 445,  "count" : 25  }   As you can see, some of my results have the column with id value is same but sub_id is different. I need to sum(count) only once if "id" is different, but the results came out as duplicated(not exactly twice, some results have same id with 3 or 4rows, So dividing by 2 is not a good solution.)   I want to build timechart with above data and made SPL like below. host=[HOST] index=[INDEX] sourcetype=[SOURCETYPE] source=[SOURCE] | bucket span=1d _time | chart limit=0 sum(vm.count) as VM by _time   So, How could I sum count data if the id is same? Thank you, ... View more

Hello, I am currently struggling with some SPL search command..   I want to show on table about resource's usage data.   The current spl command is like below.   MY_SEARCH_COMMAND | eval resource_a_total = a_val * threshold | eval resource_a_total = b_val * threshold | stats sum(resource_a_used) as a_used, sum(resource_a_total) as a_total, sum(resource_b_used) as b_used, sum(resource_b_total) as b_total by cluster | eval a_usage =round(a_used / a_total * 100, 2) | eval b_usage =round(a_used / a_total * 100, 2) | table name a_usage b_usage     As you can see, to get usage data, have to calculate each hosts total / used data value and then do aggregation based on same cluster name.   In this situation, I want  to add difference of usage data from yesterday to today. If yesterday's resource_a usage is bigger than today, then table should write resource_a_diff like below.   name            |      a_usage   |      a_diff  |  b_usage   |  b_diff clusterA      |         80            |     -5%p    |        70         |   5%p   How do I write the statement as efficient way?  ... View more