Hello Guys I have a sort of quick question that has been challanging me.   I use this SPL to extract some info     | stats values(*) as * by CLIENTE_OUTPOST     Sometimes I use list sometimes I use values... and I want to be able to extract all values in the multivalue field "PROMOS" in a new field called "ADDED" this is an example:   from this:   CLIENT_OUTPOST PROMOS DATE VOUCHER LIZZA_90 UIK_IO 87585 A_IDYD 78545 10584 18-05-2021 XX-PO-89   I want this: CLIENT_OUTPOST PROMOS DATE VOUCHER ADDED LIZZA_90 UIK_IO 87585 A_IDYD 78545 10584 18-05-2021 XX-PO-89 87585 78545 10584 I will be so thankfull if you can help me out, just for reference I will eaither have strings with characters or strings that are numbers... but i have tried mvfilter, rex without any luck thank you so much guys!   Love,   Cindy ... View more

Alright guys I hope you are ready for this question because I almost lot my mind! btw THANK YOU SO MUCH FOR ALL THE HELP! I have been working on this problem for WEEKS and I have to kindly ask for your help I am now helpning ut a company that has splunk for the iot stuff and they are a welding company and want me to use SPL to count the number of events (alerts) between sequeantial stages of a 3-stage process .. so let me please break it down for you.. Information related to the process: A test Subject is made to go through a 3 stage process with stages A, B and C respectively the first one being A, second B and finally C; a test Subject may abandon the process at stages A or B and then start again from point A, each time the process takes place a dataset is created with the IDENTIFICATION of the test subject, the TIMESTAMP in which the stage took place and a unique VISIT_CODE During any stage, a test subject may trigger an "ALERT" and this will be recorded with the TIMESTAMP, ALERT_CODE and test subject IDENTIFICATION. WhatI need: to count how many ALERTS where generated by the test subjects between stages A and B, between stages B and C and finally how many ALERTS where generated after C. Please note that a test subject may at some point abandon the process to later on start again from point A. To get the data from the process I do this:   index=bearing_P1 and source=PROBES | table *     and I get STAGE TEST SUBJECT TIMESTAMP VISIT_CODE A XYU-1 10 BKO A XYU-1 15 JUJD B XYU-1 20 DUDH A FF-09 25 KSIWJD B FF-09 30 AJAKAM C FF-09 35 ZISKS A UU-89 40 NNXJD B UU-89 45 DDUWO A I-44 50 JIWIW A W-6 55 SHDN B W-6 60 IWOLS C W-6 65 JDDD A U-90 70 DJDKSMS B U-90 75 NDJSM A T-87 80 DNDJDK   and for the triggered alerts I use   index=alerts source=probes_w1 | table *     and I get TEST SUBJECT TIMESTAMP ALERT_CODE XYU-1 11 AYUJ-151571406 XYU-1 12 AYUJ-487008829 XYU-1 28 AYUJ-211990388 FF-09 32 AYUJ-4177221842 W-6 56 AYUJ-1300211351 W-6 63 AYUJ-3014305494 I-44 67 AYUJ-4454800551 U-90 73 AYUJ-1079921935 U-90 76 AYUJ-3348911727 U-90 79 AYUJ-2381219626 T-87 82 AYUJ-4778326278 W-6 89 AYUJ-3915716168   I want to be able to achieve something like this: Alerts between Stages A & B including alerts from test subjects that abandoned the process in the attempt nth at stage A Alerts between Stages B & C including alerts from test subjects that abandoned the process in the attempt nth at stage B Alerts after stage C AYUJ-151571406 AYUJ-211990388 AYUJ-3915716168 AYUJ-487008829 AYUJ-3014305494   AYUJ-1300211351 AYUJ-3348911727   AYUJ-1079921935 AYUJ-4177221842   AYUJ-4778326278 AYUJ-2381219626   AYUJ-4454800551       I know this may seem imposible but if there is a way to have this done in splunk lets say for a period of time of one year that willl be so great, I have tried autoregress,  and  a bunch of commands but I have not gotten even an inch close to me desired utput plus I fear that if I do at somepoint the data will truncate... Thank you so much to everyone who can point me in the right direction   kindly, Cindy ... View more

Hello guys I have this SPL         | stats count(events) by type process         and it gives me something CORRECT like this: PROCESS TYPE OF ALERT COUNT A RED FLAG 458 A ISJD 5245 A IOO 21452 A XCNCNC 125 B LPOLSSS 21 B SSSSSS 584 B RED FLAG 284 B ISJD 455 C RED FLAG 255214 C ISJD 55551 C IOO 8569   but when I do this:         | stats count(events) by type process | stats values(*) as * by process         I get something incorrect because the type or erros do not correspond witht he count field next to them because splunk seems to order the m in anotehr fashion, like this for example which is not correct PROCESS TYPE OF ALERT COUNT A IOO                        ISJD                      RED FLAG    XCNXNX 125             5245              458         21452 and so the rows for B and C will also be mixed up I will like to have them showm like this: WHICH is correct   is there  a proper way to do that guys THANK you so much in advance! kindly C ... View more

Hello Lovely people   I have a field that contains values contatenated by the "." character and the values of this fields may be something like this: uhss.didhikd.8979.ODJD.73HJ.Uber.39383.7854 dhikd.8979.ODUber.JD.73HJ.39383.7854 undñ_opl.Uber.iolddld ddidjd_iddd_lioft_yes What I want is to detect is if the string has the characters ".Uber" that means a "." next to "Uber" if that is true I want the variableRIDE to be 1 if not I want that variable to be 0, I would really enjoy your help guys thank you so much.. so for the last example: FIELD RIDE uhss.didhikd.8979.ODJD.73HJ.Uber.39383.7854 1 dhikd.8979.ODUber.JD.73HJ.39383.7854 1 undñ_opl.Uber.iolddld 1 ddidjd_iddd_lioft_yes 0   Thank you so much guys! ... View more

Well Hello Gorgeous people!   I have a fields that can take anywhere from 3 to 5 diferente values which are cities... this field is called "CITY" if I want to get the percentage of each city over the total count I always Have to do something like this:   | stats count(eval(CITY="A")) as CITY_A, count(eval(CITY="B")) as CITY_B, count(eval(CITY="C")) as CITY_C, count(CITY) as TOTAL | eval %P_CITY_A=CITY_A/TOTAL (repeat for each city)   but often times I find myself wanting to calculate percetages of the values of fields that can have up to 15 differente values.. and I just wonder is there is a faster more effcient way of doing this.... thank you so much people love, cindy ... View more

Hello guys I hope you are doing well,   It turns out I am in need of a regex that will allow me to extract a "fixed" or "static" pattern within a field that is called HEAD in a splunk search that I have... this so-called HEAD field will start with any kind of words/numbers/strings... but will always have at some point the pattern "***\|Hotel=YY-4857UU45547|" wich is three (*) followed by "\|Hotel=" and then a combination of words and numbers and this pattern with always end with a "|" .... this will may always have some other kinds of words of number after that last "|" so what i an trying to acchive is estracting only the pattern that we know to be always consistent... to show you an example this is one of the real values of that field: | makeresults | eval HEAD=" 487542 For Flight Toronto AV TAX VIP client UBER_LIFT_ 78547 ***\|Hotel=YY-4857UU45547| aws not equip Need end seat 1U" and I would like a regex that will allow me to extract: YY-4857UU45547 and put it in a new field name: RESERV_CODE I have tried all day and all nig I will ne so thankful to any of you lovely people who can help me out tahnk you so much   love; cindy   ... View more

Hello everyone I hope everyone is having a great day thank you so much for the help that you have provided me with in this forum I have a question it turns out that I do have a field which can take on the values "box_56**"  and "box_56**78_A" but whenever I try to execute a search splunk always tells me that I am using a wild card and this is because the asterisk is within the search and sometimes making the search | Search field="box-56**"  Can bring up both values.. I would like a way to properly search for this values without having to suffer a Heart attack.. I have used the "\" character to try to "escape" the "*" but it is not working... From now on I would like to change the value of that field using the case command but everytime I use it I get a bunch of nonsense... Thank you guys so much for your kind help you guys are just one of a kind!   Love Cindy,     ... View more

Hello Guys First let me please thank you for all the help I get from you guys... you people rock!!!! I am trying to extract a code that is inside a string that reads as follows: BOX="|autx_path\IUIUXX-8569545|" I want to be able to extract the numbers at the end and also the first 3 characters to the left of the numbers so his would give me:  XX-8569545 as "XX-" are the 3 first characters on the left side of the numbers... is this even possible in splunk? thank you much for your help guys Love, Cindy ... View more

Hello everyone I hope you guys are doing well   I have a sort of simple question but I have not been able to sort a solution.. I want to filter out rows of a table where there are multivalues based on a numeric criteria, this is an example: I have this: AGENT INX ROCKS TASK XX_9 7 9 -6 T Y U TY-8 GY-0 FG-67 XX_10 7 -49 -66 UY IO UJI TY-8E G-0 VG-67   I would like to only remove all rows in the table where  the multivalue field "INX" have negative numbers and have something like this: AGENT INX ROCKS TASK XX_9 7 9 T Y TY-8 GY-0 XX_10 7 UY TY-8E   I have tried using mvfilter and mvfind and mvindex but... every trial has not been successful yet so I really love you guys for helping me out thanks a LOTTTT kindly, Cindy ... View more

Hello everyone I hope you guys are doing just great!   I have a sort of simple question but I have not been able to come up with a solution.. I want to be able to filter out rows of a table where there are multivalues based a numeric criteria, this is an example: I have this: AGENT INX ROCKS TASK XX_9 7 9 -6 T Y U TY-8 GY-0 FG-67 XX_10 7 -49 -66 UY IO UJI TY-8E G-0 VG-67   I would like to only remove all rows in the table where  the multivalue field "INX" have negative numbers and have something like this: AGENT INX ROCKS TASK XX_9 7 9 T Y TY-8 GY-0 XX_10 7 UY TY-8E   I have tried using mvfilter and mvfind and mvindex but... every trial has not been successful yet so I really love you guys for helping me out thanks a LOTTTT kindly, Cindy ... View more

I hope everyone is having a great time today, I am here to first thank you guys for being so helpful and assertive! you people rock! and second to ask for assistance regarding a regular expression. I have a field that will contain a string that will start by "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##" I want to be able to extract the string that is between the "##"  but... sometimes this field may have a string that starts by "the auth was..." I want to be able to extract any string   between two "#" whenever the value of the field starts with  "check-in unavailable due to external cause the ref code is"     for example  if I have this: FIELD CODE "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ## AIUI- 989 K-IOJ "the auth was denied code ## uik-55855##" N.A   thank you guys SO MUCH   Kindy, Cindy ... View more

Hi Everyone I hope everyone is having a great day    I need to calculate the sum over two different indexes and then plot it by week or month... I have been trying to do the following : 1) first I calculate the total sum of my interest suing this SPL | multisearch [ | search index=TRAVELS AND STATUS IN ("OK", "CHECKED", "ABORD") AND CLIENT_TYPE="vip" AND ID=* | fields ID] [ | search index=tv_int_ang AND STATUS IN ("BOOKED", "CHECKED", "IN_DEPT") AND corp="vip" AND crop_id=* | fields corp ] | stats dc(ID) as VIP_CX dc(crop_id) VIP_CORP | eval total=VIP_CX+VIP_CORP but I would like to have that total plot over time by month and week I have tried the timechart function but it naver gives me what I want I know I am the one doing it wrong...  I'd like to know what would be the proper way to have "total" calculated by month or week without truncating the data... thank you so much to everyone willing to help me out   Kindly, Cindy ... View more