Hello community. I use splunk for one of my projects and i had a doubt. I have a query which roughly looks like below     index=app* rum.plugin="myPluginId" rum.status="Error" rum.apiCall="apiCallName" | chart count by rum.companyId     which gives the result like rum.companyId       ||        count ======================== 456789456              ||         6 827634966              ||         2 456789057              ||         4 098765456              ||         6 123456789              ||         677 And i run this query for last 24 hours. Now i want to check, if out of these companyIds listed, whether there was a similar Error occurred for these list of companies (rum.companyId) in past. If it has occurred, show the timestamp of first occurrence. So my expected output is something like rum.companyId       ||        count     ||. First occurrence Timestamp ================================================ 456789456              ||         6              ||. 20/04/90 04:04:04 827634966              ||         2              ||  20/04/90 04:04:04 456789057              ||         4              ||  20/04/90 04:04:04 098765456              ||         6              ||  20/04/90 04:04:04 123456789              ||         677         ||  20/04/90 04:04:04 Is there any way to achieve this? Thanks in advance. ... View more

Hello splunk community. As on today we have two queries that are running  Count of api grouped by apiName and status     index=aws* api.metaData.pid="myAppName" | rename api.p as apiName | chart count BY apiName "api.metaData.status" | multikv forceheader=1 | table apiName success error NULL   Which displays a table something like shown below ===================================== | apiName            || success || error              || NULL.   | ==================================== | Test1                   || 10            || 20.                  || 0            | | Test2                   || 10            || 20.                  || 0            | | Test3                   || 10            || 20.                  || 0            | | Test4                   || 10            || 20.                  || 0            | | Test5                   || 10            || 20.                  || 0            | | Test6                   || 10            || 20.                  || 0            | latency of api grouped by apiName   index=aws* api.metaData.pid="myAppName" | rename api.p as apiName | rename api.measures.tt as Response_Time | chart min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest by apiName | table apiName RT_fastest RT_slowest   which displays a table something like below ================================== | apiName            || RT_fastest || RT_slowest               ================================== | Test1                   || 10                  || 20.                  | | Test2                   || 10                  || 20.                  | | Test3                   || 10                  || 20.                  | | Test4                   || 10                  || 20.                  | | Test5                   || 10                  || 20.                  | | Test6                   || 10                  || 20.                  | Question: If you see the above tables, both tables are grouped with apiName. Is there a way to combine these queries so that i get a single result something like this |=============================================== | apiName || success || error || NULL || RT_fastest. || RT_slowest | =============================================== | Test1       || 10            || 20.     || 20.       || 20.                  || 20.                  || | Test2       || 10            || 20.     || 20.       || 20.                  || 20.                  || | Test3       || 10            || 20.     || 20.       || 20.                  || 20.                  || | Test4       || 10            || 20.     || 20.       || 20.                  || 20.                  || | Test5       || 10            || 20.     || 20.       || 20.                  || 20.                  ||   I could not find any documentation regarding combining multiple chart query into one. Could someone please help me with this. Thanks 🙂 ... View more

Hello Splunk community. I have a query that is running currently as shown below:   index=myIndex* api.metaData.pid="my_plugin_id" | rename api.p as apiName | chart count BY apiName "api.metaData.status" | multikv forceheader=1 | table apiName success error NULL | eval line=printf("%-85s% 10s% 10s% 7s",apiName, success, error, NULL) | stats list(line) as line | eval headers=printf("%-85s% 10s% 10s% 7s","API Name","Success","Error", "NULL") | eval line=mvappend(headers,line) | fields - headers   Which displays a table with "API Name","Success","Error", "NULL" counts. This works as expected. Now i want to add a new column in the table which displays the latency value (tp95 and tp99) for each apiName . The time taken by each api is in the field api.metadata.tt. How can i achieve this ? I am new to splunk and I am literally stuck at this point. Could someone please help me. Thank you 🙂 Info: Just to let you guys know, my query has these additional logic to format things because of related question here ... View more