Hi Splunk community, I have a chart display the number of users in each month. There was no data coming in in October and November, and I want to show the number of September for October and November for the chart to have a continuous trend. Here's my query:   <my search> | timechart span=1mon dc(UserID) as "Number of Users"   The current chart looks like this:   ... View more

Hi Splunk community, I have a lookup containing a list of allowed departments as the following vendor allowed_departments F500 SADE/xxx,BTE,RAPH/NE C99 SADE/xxx,RAPH/MS   I want to have a  field valid check if the field of department matches with any values in allowed_deparments of corresponding vendor. But for allowed_departments value ends with "xxx" will accept the department if department has the same prefix of that value For example: department of value "SADE/ER" will return Yes if allowed_departments contains "SADE/xxx"  Currently my SPL is like this     <my_search> | lookup my_lookup vendor OUTPUT allowed_departments | makemv delim="," allowed_departments | eval valid = if(match(allowed_departments, department), "Yes", "No") | fields - allowed_departments     Please advise if it is possible for Splunk to handle it. Thanks, ... View more

Hi Splunk community, I need to display data shown as table below Component Total units Violated units Matched [%] Type A 1 1 99 Type B 10 10 75 Type C 100 85 85 Total 111 96 86   In the total row, the matched value is the average of the column, while others are the sum value. Is it possible to insert the average value to the total row as shown? Here's my SPL:   index="my_index"source="*sourcename*" | stats count as total_units count(eval(isnull(approval_message))) as violated_units values(matched_percentage) as matched by component | addcoltotals total_units + violated_units labelfield=component | rename total_units as "Total Units", violated_units as "Violated Units", matched as "Matched [%]"       ... View more

Hi Splunk community, I have an excel file that sorts a field at certain order and possibly changes over time The excel file look something like this field1 AS AC RO BE .. Is it possible for me to sort with that particular field order in a search ? Thanks for your help.   ... View more

Hi Splunk Community, I need help to check whether my directory field match the regex The regex I used is ^\w+:\\root_folder\\((?:(?!excluded_folder).)*?)\\    to check the file path does not belong to the excluded_folder Example: c:\root_folder\excluded_folder\...\...\...\file  is False d:\root_folder\subfolder\...\...\...\file is True Could anyone please help? Much appreciated! ... View more

Hi Splunk community, I want to chart the data retrieved from index, filter the app_name field to match with ones in the lookup file. There will be some app_name values in lookup file not in the index, and they need to be added as new rows and labeled "Not executed" for their status. My SPL looks like below:     index="my_index" | search [ inputlookup my_lookup | table "App Name" | rename "App Name" as app_name] | table app_name stage_name stage_status | eval stage_name = "Stage - " + stage_name | rename app_name as App | chart values(stage_status) by App, stage_name useother=f limit=0     Here what I got: App Stage A Stage B Stage C Stage D App_A PASSED FAILED PASSED PASSED   And I want it to look like this: App Stage A Stage B Stage C Stage D App_A PASSED FAILED PASSED PASSED App_B Not executed Not executed Not executed Not executed ... Not executed Not executed Not executed Not executed   Please help and advise, Thanks! ... View more

Hi, I need to join data on my 2 source A and B on the fields "Workitems_URL" and "Work Item URL"  In source B, there is field "Type Name" that all of its join match must have this field contain value "Default" for a valid match. If any of the matches do not have "Type Name" as "Default" then it will not be counted. I tried to use a filter "Type Name"="Default" for the source B but it does not seem to be correct. Please let me know how to make this work Thanks   ... View more