There is no need for join. Try like this index=indexname host=hostname (sourcetype=meminfo OR sourcetype=cpuinfo) earliest=-1d@d latest=@d | multikv | search CPU=all OR memUsedPct=* | eval CPU=100-pctIdle | fields _time memUsedPct CPU | timechart avg(*) as * ... View more

The props.conf file is missing some important settings.  Splunk recommends all sourcetypes have at least these 8 settings: LINE_BREAKER, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TRUNCATE, SHOULD_LINEMERGE, EVENT_BREAKER, and EVENT_BREAKER_ENABLE.  The last two are only used by Universal Forwarders, but can be specified anywhere. I recommend these settings: sourcetype = job_logs [source::*\trace*.txt] TIME_PREFIX = \) TIME_FORMAT = %d-%m-%y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 18 SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TRUNCATE = 10000 EVENT_BREAKER = ([\r\n]+) EVENT_BREAKER_ENABLE = true TRANSFORMS-set= setnull,setparsing ... View more

Finding something that is not there is not Splunk's strong suit, but you may be able to accomplish what you desire by searching for the logs and listing the times when nothing was reported.  Fortunately, the timechart command will zero-fill time spans with no data.  Try something like this: <<your search for logs>> | timechart span=1m count | where count=0 ... View more

The OR operator must be used because no event can contain BOTH "started" and "completed". If job IDs are unique then a job starting before the search window should not appear in the results.  Likewise for jobs that do not end within the search window. ... View more

Please post a new question for this problem. ... View more

Since this is ingested as a table, no new source are generated and hence we could see not count values. Apart from time field, there are other unique fields such as EXECUTION_HASH, EXECUTION_ID, with which I tried to do a count, but couldn't get desired result. Search query: | eval _time=TIME | timechart count by EXECUTION_ID ... View more

Instead of re-starting splunkd on the search head, try restarting the splunkd service on the Heavy Forwarder, where the changes have been made and then check if the results are effective.   If not, btool can tell if the configuration is really being loaded in the memory or not.  Thanks, S  ****If it helped, please upvote and accept it as a solution. It helps others to find the solution more quickly in the future****       ... View more

Filtering events based on timestamps requires comparing timestamps, which is something Splunk cannot do with human-readable time strings.  Splunk compares times in integer form. ... View more