Hello Splunk Community, How can I move the addtotals field to display as the first column and not last for this chart?  Currently:  _time Host123 Host456 total  2022-02-24 22:00 0 2 2 Would like: _time total Host123 Host456 2022-02-24 22:00 2 0 2 Current Code: index="Dept_data_idx" eventType="Created" status="success" host=* | bucket _time span=1h | stats count by _time host | addtotals ... View more

Hello Splunk Community,  I am trying to replicate a heat map using the table formats app available through Splunk.  I see the coloring of the cells when I use the stats command as below, but I need to have the data show as a chart. The issue is when I use chart all the color goes away from the table. Is there a work around for this problem?    <dashboard> <label>Table Formats</label> <description>Format columns using built-in table formats (coloring, number formatting).</description> <row> <panel> <table> <search> <query> index="Dept_data_idx" eventType="Created" status="success" host=* | bucket _time span=1h | stats count by _time host </query> <earliest>-7d</earliest> <latest>now</latest> </search> <format type="color" field="count"> <colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> </table> <html> </html> </panel> </row> </dashboard>     ... View more

Hello All,  I have a lookup that is a saved as a schedule report that runs once a week.  This schedule report will get the new email addresses that were populated upon the search, then write the new email addresses to another lookup. The issue I have is that I get duplicates as this search runs once a week.  Is there a way I can avoid duplicates using outputlookup?  Dedup is not doing the trick... | inputlookup Stored_Email_lookups.csv | table Email, User_Id | rename User_Id as "New User" | dedup Email | outputlookup append=true "New_Incoming_Emails.csv" ... View more

Hi All, I have two dashboards, dashboard 1 and dashboard 2. I have linked them. When clicking on host from a line chart from dashboard 1, dashboard 2 opens up and filters on the selected host from dashboard 1. So far, dashboard 2 shows the correct host on the multiselect input. The issue is that I somehow override the panels in dashboard 2 with those of dashboard 1.  It may be an issue with the token, since I have tok_host=$tok_host$ on both dashboard's 1 and 2, but I am not sure if that is causing the issue. Any advise is welcome.  Thanks in advance    Dashboard 1 Input for multiselect: <input type="multiselect" token="tok_host" searchWhenChanged="true"> <label>Select Server (Multi Select)</label> <search> <query> (index=test_*_idx) |fields + host | stats values(host) as host | mvexpand host | rename host as tok_host </query> </search> <prefix>host IN (</prefix> <valuePrefix></valuePrefix> <valueSuffix></valueSuffix> <delimiter> , </delimiter> <suffix>)</suffix> <choice value="*">All</choice> <fieldForLabel>tok_host</fieldForLabel> <fieldForValue>tok_host</fieldForValue> </input> Linking the dashboard code: <drilldown> <link target="_blank">/app/XYZ_Sun_Sys/Dashboard2?form.tok_host=$click.name2$</link> </drilldown> Dashboard 2 Multiselect input code: <input type="multiselect" token="tok_host" searchWhenChanged="true"> <label>Select Server</label> <search> <query>(index=text_idx) |fields + host | stats values(host) as host | mvexpand host | rename host as tok_host</query> <earliest>$time_range.earliest$</earliest> <latest>$time_range.latest$</latest> </search> <fieldForLabel>Select Host</fieldForLabel> <fieldForValue>tok_host</fieldForValue> <choice value="*">All</choice> <delimiter> ,</delimiter> <default>*</default> </input> Dashboard 2 code for panel </fieldset> <row> <panel depends="$tok_host$"> <title> First Panel - $tok_host$ </title> <single> <title>Space Avail</title> <search> <query>index=testing_idx host=$tok_host$ |timechart span=10min avg(Speed) as speed | eval change=_time</query>   ... View more

Hello All,  Thought I had this down, but not quite. So here is the scenario. I have two Fields  1. "Sent Invite Time"  and 2. "Received Invite Time". Received Invite Time should happen 1440 min from the time "Sent Invite Time occurred" and then searching for when the duration it took between those two fields is over 1440 in min.  The problem I have is that I am getting fields that are coming up as Not Received Invite this is because its not giving Field 2 "Received Invite Time" 1440 min to complete. So how can I do that - have Field 1"Sent Invite Time"  and give it 24 hours for Field 2 to occur from the start of the time that field 1 occurred  ? I was hoping to do this in the where clause....    | where Field1-Field2>1440   ... View more

Hello All, Anyone out there know how I can search for an event that is supposed to occur within 24 hours but has not?  Example: 1 - Invite is sent, if invite is not marked received in 24 hours it is a failure.  So, lets say --- invite was sent 11/14/21 and it is received on 11/16/21 this is a failure.  The start time would not be now() or relateive_time function because the start time would be the time the invite was sent.  Any help is greatly appreciated.  ... View more

Hello There, I'm a bit rusty when it comes to the syntax and I am trying to get a better grasp. I have an if else function, so if lets say ABC is greater than 3600 add 21600 seconds else don't add any time. I have 3 of these types of conditions, but they are all under the same field name. The struggle for me is combining these if else functions into one multi conditional function.  I have spent a while looking at how to do this, but I didn't run into any examples that included strftime or strptime.  Any guidance on this type of syntax is apricated.       | eval SLA_Breach=case(ABC>3600, strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +21600, "%Y-%m-%d %H:%M:%S.%6N"),"none") | eval SLA_Breach=if(DEF>2800,strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +172800, "%Y-%m-%d %H:%M:%S.%6N"),"none") | eval SLA_Breach=if(GHI>1400,strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +86400, "%Y-%m-%d %H:%M:%S.%6N"),"none")         ... View more

Hey There,  Below I have a field in where ABC > 2500 cuz the value is actually 2800. So then If ABC>than 2500 add 1 day to the Human_readable field. I have already created the logic to adding 1 day to the Human_readable field.... Question now is how can I write the logic for it in a nested loop? So If ABC>2500 add 1 day to human readable.  This is my logic that I have thus far: | eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y") This is what I have so far: | makeresults | eval ABC="2800", DEF="3", GHI="5" | eval rel_Time="11102021" | eval Epoch_Time=strpTime(rel_Time,"%m%d%Y") | eval Human_readable=strfTime(Epoch_Time, "%B %d, %Y") | eval Service=if(ABC>2500, "Send Alert", "No Alert") | eval Add_1Day=strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y") | eval Then_Set=if(ABC>2500,strftime(strptime(Human_readable,"%B %d, %Y") +86400, "%B %d, %Y") | table Service Epoch_Time Human_readable Add_1Day Then_Set ... View more

Hi All, Need guidance on how to approach this. I need help with creating an alert that triggers during different times, for instance: Alert will trigger if: If Y-email was sent over 1 day ago If Z-email  was sent over 2 days ago  if M-email was sent over 3 days ago  All these triggers will be a part of 1 email... can this be done with cron schedule alone or will the time need to be hard coded in the code itself? Or will I need separate alerts?  ... View more