I have logs with a Customer field where the name of the customer is not consistent.     customer=Bobs Pizza   customer=Bob's Pizza   customer=Bobs Pizzeria I want to use an automatic lookup to change all to a standard name without needing to changing existing searches.   customer_lookup.csv   customer_name,standard_customer_name   Bobs Pizza,Bob's Pizza   Bobs Pizzeria,Bob's Pizza I am trying to do this with a lookup table in the search before I try to make it an automatic lookup.  | lookup customer_lookup customer_name as Customer output standard_customer_name AS Customer This lookup only works if the Customer returned in the search is actually in the lookup table.  So Customer="Bobs Pizza" is in the result, but Customer="Frank's   Artichokes" is not.  I can't add all customers to the table.  I have tried many forms of the lookup.  I can get a list with the original Customer name and the standard customer name in one exists, but that won't work for current searches.      Can this be done?  I would think it could cause problems since someone could add an automatic lookup to hide certain things if needed.   ... View more

Is something like this possible?    index=main sourcetype=iis host IN (| inputlookup serverlistA.csv)    I think the problem may be that inputlookup is a generating command and IN is evaluated before the inputlookup is done.  I am looking for another way to do something similar.  This is what I currently do   country IN (Afghanistan Albania Algeria Andorra ... 187 more ... Vietnam Yemen Zambia Zimbabwe)   The countries are just an example.  I have dozens of various size dynamic lists that  I need to check in different searches.                 ... View more

TL;DR What is wrong with the SPL at the end? I am trying to list the IIS cs_user_Agent(s) for each test customer. The EventID field that is found in the SystemLog matches up with the IISEventId field in IIS. That is how they are connected. The inner search (sourcetype="SystemLog*") run alone returns 6,000 events. That is correct. With the join 160,000 events are returned.  Since the sub search is run first and every  EventID is unique I would expect 6000 events.     There is only one CustomerName shown in stats and it is the same in each row.  The CustomerName is also different on each search.  If I add a specific customer to the sub search, such as CustomerName="Bob's Pizza", or CustomerName="Bolts R Us" the same number of results are returned.   Search The names have been changed to protect the innocent.  Any spelling errors or missing quotes are just a failure in my typing ability.  I have switched the two searches in the join and also switched the rename order and had the same problem.  If the subsearch is run first and the join uses the renamed field from the subsearch for the outer search this seems correct to me.    index=myIndex sourcetype=IIS   | join IISEventID  [ search index=myIndex sourcetype="SystemLog*" IsTestCustomer="True"   | rename EventID as IISEventID   | fields CustomerName ] | stats count by CustomerName cs_User_Agent   This is a sample of the output.  I know that Bob's Burgers does not use PRTG.  If I run it again the CustomerName may be "The Three Broomsticks" or any other customer. CustomerNAme cs_User_Agent count  Bob's Burgers Rebex+HTTPS 2150  Bob's Burgers Mozilla/4.0+ 934  Bob's Burgers Mozilla/5.0 611  Bob's Burgers Amazon-Route53-Health-Check 464  Bob's Burgers PRTG/Go+Health+Check 124   Thanks for any help   ... View more

As I write this I realize that what I want is likely not possible using this method.  I want a fillnull (or similar) to happen before an eval.  The eval is likely not even called if there are no events in the timechart span I am looking at.  I want the eval it to return a 1 when there are no events in that span.       This works, but is missing the eval.   index=main sourcetype=iis  cs_host="site1.mysite.com" | timechart span=10s  Max(time_taken) | fillnull value=1 This is what I am using.  It works, except for when no events happen. index=main sourcetype=iis  cs_host="site1.mysite.com" | eval site1_up=if(sc_status=200,1,0) | timechart span=10s  Max(site1_up) This charts a 1 if there was at least one 200 response from site1.mysite.com in the 10s span.  It charts a 0 if there were responses, but none were 200.  If there are no matching events it is probably not even looked at and returns nothing and the chart looks like a 0.  I want a 1 charted if there are no events in that 10s span.        Adding | fillnull value=200 sc_status after the timechart simply shows an extra column of sc_status at 200 in every span (column in the chart).  Putting this before the eval does not work since I believe nothing is done without an event.  It should also only use fillnull (or similar) if no events are in that 10 second span.   I have also tried | append [| makeresults ] without success, but don't completely know how that would work.    Logically this is what I want.  The reasoning for the up/down status is not important since this is simply an example.   For each 10s span in the timechart |eval Site1_up=1 if cs_host=A and at least one sc_status=200 |eval Site1_up=0 if cs_host=A and at no sc_status=200 |eval Site1_up=1 if there are no events matching cs_host=A |eval Site2_up =1 if cs_host=B and at least one cs_method=POST |eval Site2_up =0 if cs_host=B and at no cs_method=POST |eval Site2_up =1 if there are no events matching cs_host=B |eval Site3_up =1 if cs_host=C AND cs_User_Agent=Mozilla and at least one cs_uri_stem=check.asmx |eval Site3_up =0 if cs_host=C AND cs_User_Agent=Mozilla and no cs_uri_stem=check.asmx |eval Site3_up =1 if there are no events matching cs_host=C I am trying to make a chart of the up(1)/down(0) status of various components, some of which are determined by the IIS logs.  Thanks       ... View more

I want to add an annotation to a dashboard every time we switch from blue servers to green servers or green to blue.  There is no event for this, but I can calculate the active color by comparing the count of each type of server.  If I look two minutes ago and compare it to one minute ago I can see if the active color changed.  So if two minutes ago there were more blue servers than green servers, but now there are more green than blue I know the active color changed.       This query will show a transition if I give it two time frames (two minutes ago compared to one minute ago).  It works, but I want the query to show me all color transitions over a specific time period, such as 24 hours.           index=... earliest=-3m latest=-2m | stats count(eval(match(colortag,"Blue"))) as BlueCount, count(eval(match(colortag,"Green"))) as GreenCount | eval activePreviously=if(BlueCount > GreenCount, "BLUE", "GREEN") | fields activePreviously | join [search index=... earliest=-2m latest=-1m | stats count(eval(match(colortag,"Blue"))) as BlueCount, count(eval(match(colortag,"Green"))) as GreenCount | eval activeNow=if(BlueCount > GreenCount, "BLUE", "GREEN") | fields activeNow] | eval transition=if(activePreviously=activeNow, "no", "yes") | where transition="yes" | table transition activeNow activePreviously   This search will show me the active color in 2 minute period periods over a given time frame.      Index=... | bin _time span=2m | stats count(eval(match(colortag,"Blue"))) as BlueCount, count(eval(match(colortag,"Green"))) as GreenCount by _time | eval active=if(BlueCount > GreenCount, "BLUE", "GREEN")     This is what I see _time                                       BlueCount           GreenCount          active 2022-11-15 11:15:00      1561                      143                           BLUE 2022-11-15 11:16:00      1506                      140                           BLUE 2022-11-15 11:17:00      1627                      154                           BLUE 2022-11-15 11:18:00      1542                      148                           BLUE 2022-11-15 11:19:00      1199                      553                           BLUE 2022-11-15 11:20:00        255                    1584                           GREEN 2022-11-15 11:21:00             3                     1721                          GREEN 2022-11-15 11:22:00             0                     1733                          GREEN 2022-11-15 11:23:00             0                     1780                          GREEN 2022-11-15 11:24:00             0                     1802                          GREEN I want to add a field that indicates if the color changed from the previous _time.  I will then only show (annotate) the time and color where change=yes. _time                                       BlueCount           GreenCount          active             change 2022-11-15 11:15:00      1561                      143                           BLUE                 N/A  2022-11-15 11:16:00      1506                      140                           BLUE                 No 2022-11-15 11:17:00      1627                      154                           BLUE                 No 2022-11-15 11:18:00      1542                      148                           BLUE                 No 2022-11-15 11:19:00      1199                      553                           BLUE                 No 2022-11-15 11:20:00        255                    1584                           GREEN             Yes 2022-11-15 11:21:00             3                     1721                           GREEN             No 2022-11-15 11:22:00             0                     1733                           GREEN             No 2022-11-15 11:23:00             0                     1780                           GREEN             No 2022-11-15 11:24:00             0                     1802                           GREEN             No I can't see how to reference the previous active color from the current bin/bucket.  That is probably not the way to do it, but that is where I go to before asking for help.     In short, I want to annotate whenever the count of two fields changes so that one is now larger than the other one and show the name of the larger field.   Thanks.   ... View more