Hello Splunk Community, I have the following search command:   index="myIndex" host="myHost" myScript Running OR Stopped | eval running= if(like(_raw, "%Running%"), 1, 0) | eval stopped= if(like(_raw, "%Stopped%"), 0, 1) | table _time running stopped | rename running AS "UP" | rename stopped AS "DOWN"   It looks strange like this: There are four events with "Stopped" in it, the rest are all "Running". The script logs either Running or Stopped every 5 minutes. When I hover over the line it reports Down as 1 the entire time even though it should be 0 and only 1 four times.  How do I adjust this so that it looks like this: -------------_---------------- ________--_________ Where the upper line = Running And the bottom line = Stopped         ... View more

Dear Splunk community, I have the following query:     index="myIndex" source="*mySource*" nameOfLog* "ExitCode: 0" | stats count by _time     Once a day a event is generated. So either it was generated (count = 1) or it was not (count = 0). I have a line diagram for the last 30 days that looks like this: On February 20th there was one event generated. On 23 February there was one event generated. On 21th and 22th of February, no events were generated. Therefore I expect the line to go down in the line chart like so: ------_------- This is not happening, and I am wondering why. How do I adjust this to show count=0 in the chart aswell? Thanks. ... View more

Dear Splunk Community, I have the following query. The main query looks for errors in certain log files. If they are found, an list of events is returned. The RUNID is fetched from the events and is used in the JOIN to fetch profiles that are related to the events. Not all events from the main search have a profile. In that case, the result will be all events from the main search with empty profile collumns. I do not wish to see those events. Example: I have 10 events that show errors. 5 of these events have no profile. An event with no profile looks like this: And an event with a profile looks like this: My question is: How do I exclude events with no profiles attached to it? I want to get rid of the entire row if no profile is found. How do I achieve this/ index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/sensors/*/*.log" CTJTD3028E | table _time, errorcode, IP, runid, profile, _raw | rex "(?<errorcode>CTJT\w{6})" | rex field=_raw "(?<runid>\w{16}#)" | eval runid = replace(runid,".$","") | eval _time=strftime(_time,"%d/%m/%Y %H:%M:%S") | rex field=_raw "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "CTJTD3028E(?<_raw>.+)" | rename errorcode AS "Foutcode" | rename _raw AS "Foutmelding" | rename runid AS "RUNID" | rename _time AS "Datum" | dedup Foutcode, IP | join type=left RUNID [ search index="myIndex" host="myHostname1*" OR host="myHostname2*" source="/opt/IBM/taddm/dist/log/services/ProcessFlowManager.log" OR source="/opt/IBM/taddm/dist/log/services/ClientProxy.log" "started with profile" myProfileName | rex field=_raw "Discovery\srun,\s(?<RUNID>[^\s]+)\sstarted\swith\sprofile\s(?<profile>[^\s\r]+)" | stats count by profile RUNID | fields profile RUNID] | rename profile AS "Profiel"   ... View more

Dear Splunk Community, Every 5 minutes the following event is generated : 2022-01-05 21:20:33 : Running OR 2022-01-05 20:19:33 : Failed I would like to display a timeline with two (2) lines showing when the system is running and when it fails. I have come so far:   running OR failed | eval status = if(like(_raw, "%Running%"), "Running", "Not running") | table status     I am in need of some guidance in this matter. How do I change the above search so that I have a line chart visualization with the two lines in it? Thanks in advance.     ... View more

Dear Splunk community, I have completed Splunk Fundamentals Part I for Splunk 7.x. This version is no longer available for Fundamentals Part II but 8.x is. The only problem right now is that there is only one course with online instructor led classes, and they are only this December.  Due to a tight working schedule I would prefer a on demand course so that I can do the course whenever I have time to do it. Will there be such a course in 2022 available? Thanks. ... View more

Dear Splunk Community, I have the following code: <dashboard> <label></label> <row> <panel> <single> <search> <query>host="DESKTOP-L4ID3T2" source="BatchProcessor*" inventoryimport* "ExitCode: 0" | stats count | eval msg=case(count == 0, "Scan niet succesvol!", count &gt; 0, "Scan succesvol!") | eval range=case(count == 0, "severe", count &gt; 0, "low") | table msg</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="field">range</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> </dashboard>   If count returns 0 events, I expect the color of the single value field to be red (severe), otherwise it should be green (low). But using the above code, there is no color at all (besides the default color black and white).  Why is the above not working? Thanks in advance. ... View more