Hi Folks I've been using mcollect to collect metrics from the events in my indexes and I thought if I set up an alert with the mcollect part in the search, it would automatically collect the metrics every X minutes but that doesn't seem to be working, the metrics are only collected when I run the search manually.   Any suggestions to how I can make mcollect just automatically collect the metrics I am looking for ?   Thanks ... View more

Hey all I am taking input over TCP by having this in my inputs.conf   [tcp://1.2.3.4:123] connection_host = ip index = index1 sourcetype = access_combined   My question is, can I have the same port send data to multiple indexes? Ie. without opening additional ports on my firewall, can I have another host send data to the same port but land in a different index? I tried adding this   [tcp://5.6.7.8:123] connection_host = ip index = index2 sourcetype = access_combined   but that just stopped the ingestion altogether. Thanks. ... View more

Hi Put simply, I am trying to wrap my head around how I can configure an alert to trigger is a metric is X% higher or lower than the same metric, say 1 day ago. So for example if I search index=my_index eventStatus=fault | stats count by eventStatus Searching "Last 15 minutes", giving say 100 results, can I trigger an alert IF the same search in the same 15 minute timeframe 1 day ago is for example 10% higher or lower?   Thanks ... View more

I asked in a previous thread for help to get response time based on time differential between two events connected by a UUID (Solved: Re: Measuring time difference between 2 entries - Splunk Community) which is working perfectly. I turned that into an average response time grouped by a particular transaction type (processName) and thats working fine as well, but I would very much like to use this as a timechart - but I can't seem to get it working. From what I understand, the fact that I am using Stats stripts out the _time which the timechart uses, but I am not sure how to work around that. My query goes as follows: [My search here] | stats earliest(eval(if(eventType="BEGIN",_time,""))) AS Begin_time latest(eval(if(eventType="END",_time,""))) AS End_time BY UUID processName | eval ResponseTime=End_time-Begin_time | stats avg(ResponseTime) by processName I've tried a number of things that didn't work, including changing stats to: | timechart span=10m Avg(ResponseTime) by processName While this did perform a search, it generated no result whatsoever. Won't bore everyone with my multiple failures. My query gives me basically ProcessName Avg(Response_time) Process1 0.5 Process2 0.6 Process3 0.7   My goal is to get this as a time chart visualization with a span of 10 mins. Any suggestions ? Thanks ... View more

Hi I am getting a log feed for a transactional system. Each log entry has a status either End, Begin or something in between (but for this I don't care about the in between) and a UUID to mark that they belong to the same transaction. I am struggling to write a search query that essentially subtracts the _time from the BEGIN entry ud UUID123, from the _time from the END entry with the same UUID. Obviously, my goal is to get the time it took the transaction to complete but I am not sure how to compare fields in two entries with the same UUID. Any ideas ? Thanks ... View more