Hi all, I'm working on a dashboard in which I populate a panel with summary data. The summary data runs once per hour over a very large dataset, looking back over the past 60 minutes, generating an | xyseries of response codes across another split by field (field1).  What I'd like to accomplish is to fill the gap in summary data with live data with a subsearch, if possible. Essentially, the panel will be half filled during the gap between summary data. E.G. it ran at 10 AM, and you're looking at 10:30AM. It also functions poorly for small time increments - say 15 minutes. For now, I'm limited by resources and cannot refine the summary index load to run more frequently. I expect this would fix the problem (say, if it ran every 5 minutes). Is it possible to dynamically generate a timeframe for a live search based on when the summary data sees a gap?  Within the panel, I pull summary data like so:  index=summary source="summaryName" sourcetype=stash search_name="summaryName field1=* | stats sum(resp*) AS resp* BY _time | untable _time responseCode Volume ``` this part is just processing to apply the description I need to the response code ``` | eval trimmedCode=substr(responseCode, -2) | lookup responseLookup.csv ResponseCode AS trimmedCode OUTPUT ResponseDescription | eval ResponseDescription=if(isnull(ResponseDescription), " Description Not Available", ResponseDescription) | eval Response=trimmedCode+" "+ResponseDescription ``` since volume is established by the summary index, sum(Volume) here ``` | timechart partial=f limit=0 span=15m sum(Volume) AS Volume BY Response I then append a subsearch here to pull the same info from live data, using another timechart after the processing:  | timechart span=15m limit=0 count AS Volume by Response  ``` presumably here, I would need to sum(Volume) AS Volume to add up the totals``` I looked into some other searches that pull a single event from a summary index, and tried to generate timestamps based on that, but I haven't had much luck. Like so: index=summary source=summaryName sourcetype=stash | head 1 | eval SourceData="SI" | append [| makeresults | eval SourceData="gentimes"] | head 1 | addinfo | eval earliest=if(SourceData="SI",if(_time>info_min_time,_time,info_min_time),info_min_time) | eval latest=info_max_time | table earliest,latest Any ideas? Is this a possibility or am I limited by the summary data? ... View more

Hi all, I'm working to correlate a series of events. These events are all part of a logging process of a separate application. What seems to be common is a UUID. The following searches produce what I'd like individually: for the first timestamp associated with the start of the process (there are multiple processes running for each UUID, but the ask is to extract the first / last timestamp) index=###### sourcetype=### "process() - start" | rex "^(?:[^ \n]* ){2}(?P<UUID>[^,]+)" | eval startTime = strftime(_time, "%Y-%d-%m %H:%M:%S") | stats earliest(startTime) as startingTimeStamp by UUID index=###### sourcetype=### "process() - end" | rex "^(?:[^ \n]* ){2}(?P<UUID>[^,]+)" | eval endTime = strftime(_time, "%Y-%d-%m %H:%M:%S") | stats latest(endTime) as endingTimeStamp by UUID I'm trying to learn how to use join to connect these events by UUID. This SPL returns a table that has the earliest and latest of startTime, rather than the earliest(startTime) and latest(endTime).  index=###### sourcetype=### "process() - start" | rex "^(?:[^ \n]* ){2}(?P<UUID>[^,]+)" | eval startTime = strftime(_time, "%Y-%d-%m %H:%M:%S") | stats earliest(startTime) as startingTimeStamp by UUID | join UUID type=left [ search index=###### sourcetype=### "process() - end" | rex "^(?:[^ \n]* ){2}(?P<UUID>[^,]+)" | eval endTime = strftime(_time, "%Y-%d-%m %H:%M:%S") | stats latest(endTime) as endingTimeStamp by UUID ] Is join the appropriate function to use here? I'm reading in coalesce and append as well, but from my understanding append does not fit. Another piece is that the UUID is not a field extraction, but rather a regex, so I'm unsure how the join would be able to function if the subsearch has no knowledge of UUID until it runs and performs the rex.  ... View more

Hi all, I'm setting up an alerting process that monitors different servers on a single index and sends an alert out if no events are fired over a 24 hour period. It's set to run at midnight and look back over the last 24 hours. If no events are found on any of the hosts, it should send an email with the details of that host. I'd like to set up 1 alert, if possible, rather than setting up an alert for each host.  I should specify that host is internal, not the 'splunk_server', but each host is one of our servers. Here's what I tried so far: index=#### sourcetype=#### source=/usr/app/*/logs/#####.txt | rex field=source "\/[^\/]+\/[^\/]+\/(?<env>[^\/]+)\/.*"                // extract our the environment | stats count by host                                                                                            // count by host | lookup ######.csv serverLower AS host output IP   // add in the ip of the host to add to the table | table env, host, IP, count                                                         // inline table passed to alert This will give us a correct assessment of count by host, but will just return that count to the email alert. I'd like to only send out an email when a count is 0 for a specific host, and then send only the details of that host with count=0.  Thanks ... View more

Hi all, I have a lookup and I'd like to filter based on tokenized value. The lookup dropdown also sets a different token based on selection. This would normally be a simple task, but I've been asked to have the lookup pre-filtered based on who is using the app. Each item in the dropdown represents a different user.  The lookup: | inputlookup $tokLookup$ | fields field_description, field | dedup field,field_description field for label = field_description field for value = field The pseudo code of what I'd like to do is simple: | inputlookup $tokLookup$ | where field="$tokUserRole$" | fields field_description, field | dedup field,field_description Is this possible within the constraints, such that I'm only producing the single value from the lookup corresponding to the user? ... View more

Hi all, I'm working on a dashboard query that preprocesses data for a | geostats command. The end goal is to pipe data between two different but similar applications. The value used to populate the field 'country' has different format between the two applications, and if it's possible to create a conditional statement that uses different values from a lookup table (or even separate lookups) in line. Caveat: I know it's possible to build a different search and used a token with the | savedsearch command to pass the correct search based on the token. I'm trying to understand if it can be done inline in my base search. The details: application A's field associated with country uses the ISO numeric country code. The search then uses a lookup table like so:  | lookup [lookup].csv NumericCountryCode as [field in search] output AlphaCountryCode This takes the numeric code and produces a 2 character ISO like 'US' or 'BR' and so on. The format of the lookup table is: AlphaCountryCode CountryCode NumericCountryCode In application B, country data comes in uppercase ISO alphabetical format, but it can be represented as either the Alpha-2 or alpha-3 (3 digit) country code. In the majority of cases, this could be solved with a substring call that reduces the length to 2. However, there are fringe cases where this approach does not work, and must be accounted for.  Example: Angola - Alpha-2 code: AO alpha-3 code: AGO.  My proposed approach is to modify the lookup table like so: AlphaCountryCode AlphaTwoCountryCode AlphaThreeCountryCode NumericCountryCode Such that I can access both of these values and return the correct format (AlphaTwoCountryCode). Is it possible to handle this inline with the same lookup table? The pseudo code would be something like this: if(len(countryCode)==2), lower(countryCode) and return the countryCode. Else if(len(countryCode)==3), | lookup [lookup].csv AlphaThreeCountryCode as countryCode output AlphaTwoCountryCode Is this an appropriate approach, and if so, how can I build the syntax of the eval statement to evaluate length and output the appropriate result? Thanks   ... View more