Hi everyone. I'm trying to link my dashboard to a separate platform and the url of this new platform needs to contain a timestamp in epoch time. I have a table such that each row represents a cycle and I have a column that redirects the user to a separate platform passing into the url the epoch time of that row's timestamp. The issue is that, for some reason, Splunk seems to be converting the timestamp to epoch + my timezone. So, for example, on the screenshot below, you can see the timestamp of a certain row in UTC as 16:33:27.967 and, to debug, I built a new column such that whenever I click on it, it redirects me to an url that's simply the timestamp converted to epoch time. The code is of the form: <table> <search> <query> ... </query> </search> <drilldown> <condition field="Separate Platform"> <eval token="epochFromCycle">case($row.StartTime$=="unkown", null(), 1==1, strptime($row.StartTime$, "%Y-%m-%dT%H:%M:%S.%Q"))</eval> <link target="_blank"> <![CDATA[ $epochFromCycle$ ]]> </link> </condition> </drilldown> </table> But, when clicking on this "Separate Platform" column for the timestamp shown on the screenshot, I get the epoch time 1752521607. When looking into "epochconverter.com": As stated on the screenshot, I'm at GMT-03. But the issue happens exactly the same way for a coworker who's located at GMT-04: for the same splunk timestamp, he clicks on the column to generate the link, and the epoch time that splunk returns is in fact 4 hours ahead (in this case, it returns the epoch equivalent of 8:33:27 PM). What am I missing? Thanks in advance,  Pedro ... View more

Hi everyone. I have a panel that contains a list of links to other dashboards. I need to create a new list item with a link that changes dinamically according to the values of three tokens evaluated inside "eval" blocks. But, as splunk makes it clear, I can't create "eval" blocks inside of a panel. So I wanted to know if there's a way to evaluate these tokens such that they can be used within the scope of the "panel" block. Thanks in advance,  Pedro ... View more

Hi everyone.  I suppose this is a very simple question, but I'm new to Splunk and I've tried everything that I have knowledge of.  The field that contains the timestamp is called "payload.eventProcessedAt" Trying to parse with  | eval time_var=strptime(payload.eventProcessedAt, "%Y-%m-%dT%H:%M:%S.%3NZ")  doesn't work, giving my only "null/empty" values. The same occurs with "strftime". How can I do this? ... View more

Hi everyone. I'm really new to Splunk, so I'm confused with what seems to be a simple problem.  I'm using "where row_num > 1" to remove the first row of my search, as I need to calculate lots of metrics based on the whole data without this specific first row. But I'm also supposed to show the value of this first row in a specific field.  My query is of the following structure: my_search... | eval val1=... | sort val1 | streamstats count as row_num | where row_num > 1 | stats avg(...) as metric1, max(...) as metric2, count(...) as metric3 ... | fields metric1, metric2, metric3 But I also need to output the value 'x' that is specifically on field 'y' on row 1.  How would I do this?  Thanks in advance   ... View more

Hi everyone I just started working with Splunk and I have a query in which one of the steps is to count the number of instances where a certain field has value > 10. But I have to count the number of instances with value > 10, > 15, > 30, > 60, > 120 and > 180. The way I'm doing it now is just by executing different counts, just as the following: <search>... | eval var1=... | stats count(eval(var1 > 10)) as count10, count(eval(var1 > 15)) as count15, count(eval(var1 > 30)) as count30, count(eval(var1 > 60)) as count60, count(eval(var1 > 120)) as count120, count(eval(var1 > 180)) as count180 ... But I'm aware this is definitely not the optimal way as, to my understanding, this will go through all the instances and count the ones > 10, then will go through all the instances again counting the ones > 15 and so on.  How would I execute this count making use of the fact that, e.g., to count the number of instances > 120, I can check only considering the set of instances > 60 and so on? That is, how do I chain these counts and use them as "filters"?  It's important to note that I don't want to use "where var1 > 10" multiple times as I also need to compute other metrics related to the whole dataset (e.g., avg(var1)) and, to my understanding, using just one  | stats count(eval(var > 10)) as count10 will "drop" all of the other columns of my query. Anyways, how would I do this? Thank you in advance. ... View more

Hi everyone. I'm doing a query in which I sort it by time according to a variable and then calculate some metrics over the data. But I need to calculate these metrics without considering exactly the first instance of my data, that is, the earliest one, as it's the one associated with the server being started daily and it's not valid for my needs. It's important to note that I don't have any information associated with this first instance before the query runs as its related to a script scheduled to run at a specific time, but it generates new values every time, and it's duration is variable, meaning that I don't know when it has finished. I cannot share information related to the data neither the query exactly, but it's of the form   index=... | stats ... | eval val1=... | eval time_val=... | sort time_val | eval val3=... | stats count...   How could I do this?  ... View more