I have an alert which detects when a log feed has failed The team the alert goes to have asked that I allow them to suppress the alert. I have now created a mailto link within the alert email that sends and email with a specifically crafted email subject and body that is detected in all future alerts to suppress future alerts for 12hrs. a simple math calculation generates the 12hrs, the epoch timestamp is in the subject header, the alert spl looks at the subject and either suppresses the alert or not. This works perfectly - the technical team have now asked that I vary the suppression as follows If the alert came in before 10AM the suppression remains 12 hours If the alert came in after 10AM then the suppression time would be "until 10AM the following day". So - how do you calculate a time stamp to 10AM the following day. It must be simple but my mind has lost it right now. Something like is current hour >10AM timestamp=tomorrow:10Hrs ... View more

Before I start, I've view TreeMap and Word Tree visualisations but they don't seem to do what I need (happy to be proven wrong though) We use workday, we export the complete org hierarchy from workday and ingest that into a lookup table every day.   The data contains - Name - OrgPosition- Manager - MiscDetails So Name=Dave Bunn OrgPosition=12345_Dave_Bunn Manager=1230_Mrs_Bunn MiscDetails="some text about my job" We then use the manager detail in the OrgPosition field to look for their manager and so on until we come across as service level manager (indicated in the misc details filed) Name=Mrs Bunn OrgPosition=1230_Mrs_Bunn Manager=10_The_Big_Boss MiscDetails="some text about Mrs Bunns job" Name=Big Boss OrgPosition=10_The_Big_Boss Manager=0_The_Director MiscDetails="Manager of HR" What I would like to do is programmatically generate a hierarchy for any inputted user - with the named individual listed in the middle, their managers above and subordinates below. I would like a visualisation similar to Word Tree Viz, but accept that it's more likely going to have to look like the principal name sandwiched beteen two fileds - one containing sorted managers and one containing sorted subordinates. ... View more

I need the output token of a text box to be the true option of a radio button. I have two text inputs Username going to $upn$ and Asset going to $asset$ (Both are * as default) The base search is index=azuread devicename=$asset$ userPincipalName=$upn$ So this work perfectly allowing filter to user and/or asset  But I want to pull in our VPN logs (with an append so that both show in the same table in time order). The trouble is that our VPN logs only record by asset and are very noisy. so need to be filtered by asset before the append.  But when asset is "*" then everything is displayed, obscuring the azure login detail. I've tried adding a radio button (with the token being $vpn_asset$).  I've set the False option as default returning "This_is_not_a_valid_asset_name" which will not match anything in the VPN logs. I want to set the true option to be $asset$ so that it uses the token from the ASSET text box, When selecting false - the search "index=VPN deviceName=$vpn$" substitutes $vpn$ with "This_is_not_a_valid_asset_name" which is correct, but when selecting true, the token $vpn$ simply gets substituted for $asset$, whereas I would expect it to be substituted with either the contents to the ASSET Text input. Any ideas? The code is something like this (poetic licence is used for simplicity)     input Title="Insert User Principal Name" type=text token=upn default=* input Title="Insert Asset Name" type=text token=asset default=* input Title="Include VPN Logs" type=radio token=vpn false="not_an_asset" true="$asset$" default=false index=azure userPrincipalName="$upn$" userDeviceName="$asset$" |append [search index=VPN deviceName="$vpn$"]     Whilst "Include VPN Logs" is set to false, the deviceName="not_an_asset" will result in zero VPN logs returned. I need this to pass through the asset detail in the asset input box when set to true, therefore the azure logon details will be interspersed with the VPN logs making assessment easier. ... View more

SO I have a data set User      Vehicle User_a    Car User_b    Car User_a    MotorBike User_c    MotorBike User_d    Car User_c    Bicycle User_a    Bicycle User_c    Scooter User_e    Car What I need is to be able to run a search against this type of dataset and pull out only one return per username based upon those with a CAR, then Motorbike, then bicycle then scooter. But I only need ONE return for any given user - if they have all four - based upon priority they are reported as a car owner.  If they only have two or three of the four, they only get reported as the owner of the highest priority vehicle. I'm currently doing a search cars, score 1pt, append motobike score 2pt, and so on but that is slow on a big datasaet.   ... View more

Is there a way to find which forwarder a devices event logs came from. I have hundreds of devices sending WEC logs through WEC servers, I could really do with an easy method to pinpoint where they came from during search time. Something like Index=wec_index | ctable hosts,  WECSvr ... View more