Dear experts According to the documentation after stats, I have only the fields left used during stats.  | table importZeit_uF zbpIdentifier bpKurzName zbpIdentifier_bp status stoerCode | where stoerCode IN ("K02") | stats count as periodCount by zbpIdentifier | sort -periodCount | head 10 | fields zbpIdentifier zbpIdentifier_bp periodCount importZeit_uF To explain in detail: After table the following fields are available:  importZeit_uF zbpIdentifier bpKurzName zbpIdentifier_bp status stoerCode After stats count there are only  zbpIdentifier periodCount left. Question:  How to change the code above to get the count, and have all fields available as before? Thank you for your support.    ... View more

Dear experts Based on the following search:  <search id="subsearch_results"> <query> search index="iii" search_name="nnn" Umgebung="uuu" isbName="isb" status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*") zbpIdentifier NOT 453-8888 stoerCodeGruppe NOT ("GUT*") | eval importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z") | eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S") | table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe </query> <earliest>$t_time.earliest$</earliest> <latest>$t_time.latest$@d</latest> <done> <condition> <set token="stoermeldungen_sid">$job.sid$</set> </condition> </done> </search> I try to load some data with:  <query> | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | where [ | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | addinfo | where importZeit_unixF &gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &lt;= relative_time(info_max_time,"@d") | stats count as dayCount by zbpIdentifier | sort -dayCount | head 10 | table zbpIdentifier ] | addinfo | where .... Basic idea:  the subsearch first derives the top 10 of the elements based on the number of yesterdays error messages.  based on the subsearch result then the 7 day history is read and displayed (not fully shown in the example above) All works fine except if there are no messages found by the subsearch. If yesterday no error messages of the given type were recorded, the subsearch returns a result which causes the following error message in the dashboard: Error in ´where´command: The expression is malformed. An unexpected character is reached at ´)´.  The where command is the one which should take the result of the subsearch (3rd line of code).  The error message is just not nice for the end user, better would be to get just an empty chart if no data is found.  The question is: How to fix the result of the subsearch in a way, that also the main search runs and gets the proper empty result, and therefore the empty graph instead of the "not nice" error message? Thank you for your help. ... View more

Dear experts Why is the following line   | where my_time>=relative_time(now(),"-1d@d") AND my_time<=relative_time(now(),"@d")   Accepted as a valid statement in a search window, but as soon I want to use exactly this code in a dashboard, I get the error message: "Error in line 100: Unencoded <" ? The dashboard code validator somehow fails with the <= comparison.  >= works, as well = but not <=  We're on splunkcloud.  ... View more

Dear experts In my dashboard I have a time picker providing the token t_time.  My search index="abc" search_name="def" [| makeresults | eval earliest=relative_time($t_time.latest$,"-1d@d") | eval latest=relative_time($t_time.latest$,"@d") | fields earliest latest | format] | table _time zbpIdentifier Should pick up that token and make sure only data is displayed from the last full day before t_time.latest. 2024-12-12 13:13 should be converted to earliest = 2024-12-11 00:00 latest = 2024-12-11 23:59:59 (or 2024-12-12 00:00) As long really two dates are selected in the time picker, all works as expected.  If e.g. last 7 days is selected the search fails, no data is returned.  I'm guessing that in relative mode $t_time.latest$ is represented with something like "now", which causes problems for the relative_date function.  So the question is: how to detect this "now" and turn it into a date understood by relative_date?   ... View more

Dear experts My search index="abc" search_name="xyz" Umgebung="prod" earliest=-7d@d latest=@d zbpIdentifier IN (454-594, 256-14455, 453-12232) | bin span=1d _time aligntime=@d | stats count as myCount by _time, zbpIdentifier | eval _time=strftime(_time,"%Y %m %d") | chart values(myCount) over zbpIdentifier by _time limit=0 useother=f produces the following chart:   For each zbpIdentifier I have a group within the graph showing the number of messages during several days.  How to change the order of the day values within the group? Green (yesterday) should be the most left, followed by pink (the day before yesterday) and orange, ..... | reverse will change the order of the whole groups, that's not what I need.  All kind of time sorting like  | sort +"_time" or | sort -"_time" before and after  | chart ...  does not change anything. ... View more

Dear experts Basic idea of what I try to do: the results of a search should be filtered in a way, that only data points are displayed which are not part of a "Blacklist" maintained as lookup table.  The challenging thing is, there are 3 columns at the same time to be taken into account for filtering.  After a lot of trials, I ended up in creating a key from the 3 columns (which is unique) and then filter on the key.  It is working, I just don't understand why :-(. Question: Has anybody an idea why the Version 1 filter works, and why Version 2 filter fails? Question: What needs to be changed to get Version 2 also to work? index="pm-azlm_internal_prod_events" sourcetype="azlmj" | strcat ocp "_" fr "_" el unique_id | table _time ocp fr el unique_id d_1 | search d_1="DEF ges AZ*" ``` VERSION 1: the working one ``` ``` As long the subsearch returns a table with the column unique_id ``` ``` which is exactly the name of the column I want to filter on, all works great.``` | search NOT [| inputlookup pm-azlm-aufschneidmelder-j | strcat ocp "_" fr "_" sec unique_id | table unique_id] ``` VERSION 2: NOT working ``` ``` As soon I change the name of the column in the subsearch, the filte won't work anymore``` | search NOT [| inputlookup pm-azlm-aufschneidmelder-j | strcat ocp "_" fr "_" sec ignore | table ignore]``` | timechart span=1d limit=0 count by unique_id   And the final question: is there a way for such filtering without going through the key creation? Thank you in advance. ... View more

Hi Based on a Multiselect  reading from   index="pm-azlm_internal_prod_events" sourcetype="azlm"   I define a token with the name   opc_t     This token can be used without any problems to filter further down in the dashboard data read from the same index (top 3 lines in the code below).    <query>index="pm-azlm_internal_prod_events" sourcetype="azlm" $opc_t$ $framenum$ | strcat opc "_" frame_num UNIQUE_ID | dedup _time UNIQUE_ID | append [ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$ | strcat ocp "-j_" fr as UNIQUE_ID | dedup UNIQUE_ID] | timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID | sort by _time DESC </query>   BUT and here's my problem: using the same token on a different index (used in the append above) will provide no results at all.  One (nasty) detail, the field names in both Indexes are slightly different. In    index="pm-azlm_internal_prod_events"   the field name I need to filter on ist called    opc     In the second index   pm-azlm_internal_dev_events   the field name is   ocp     Dear Experts: what do I need to change on the 2nd query, to be able to use the same token for filtering?   ... View more

The code below does create a table/ scatter plot showing the warnings per hour of day.  All warnings between 00:00 and 00:59 will be counted/ listed in date_hour 0, warnings from 01:00 until 01:59 will be counted in date_hour 1, .... If the time range is set across multiple days I still have the date_hours 0...23 all the warnings will be added independent of the date.   index="..." sourcetype="..." | strcat opc "_" frame_num "_" elem_id uniqueID | search status_1="DRW 1*" | stats count as warning by date_hour, uniqueID | table uniqueID date_hour warning   For the kind of evaluation we're doing we would need to have shorter counting intervals than the one given by date_hour, e.g. 20 minutes. The question is: how to update the code to get counting intervals smaller than one hour??? Below I managed to reduce the time interval to 20 minutes.     index="..." sourcetype="..." | strcat opc "_" frame_num "_" elem_id uniqueID | search status_1="DRW 1*" | bin _time span=20m as interval | stats count as warning by interval, uniqueID | table uniqueID interval warning    But: the date is still in there so I have a 20 min counting interval one day after the other. And the interval string is no more human readyble in the table.  Any help is appreciated. ... View more