Hi, Your response was the key to make the idea I had happened. I have to made some changes to the query. Since I have a long file list, I decided to list them with "| rest" command, then I was getting wildcard issues and I had to make macros to overcome that problem. Now I working with the Splunk admin team because I am getting the error below casuse by "| sendemail" and it is caused by a missing admin access: [map]: command="sendemail", 'rootCAPath' while sending mail to:
[email protected] I cannot use "| sendresults" command because the version we have does not support it. | rest /servicesNS/-/-/data/lookup-table-files f=title splunk_server=local ```To avoid the "you do not have the "dispatch_rest_to_indexers" capability" warning``` | fields title | search title="lk_file*.csv" | dedup title | map maxsearches=9999 search="inputlookup $title$ |eval filename=$title$ | search path!=`macroDoubleQuotation` | stats values(duration_time) AS duration_time by path filename | `macroMakemvNewLineDelimeter` duration_time | eval duration_time=`macroSplitSpace` | `macroPerformanceP90` | sort path | `macroSendMailPerformanceSlaList` Thanks so much for help me with!!!. Regards,
... View more