I couldn't get this to work since it would just append the Unicode Decimal Code to the value (e.g., &#8203;<value>).  I was able to get it to work by adding a space instead: <field>=" "+<field> ... View more

Thanks alot! ... View more

Oh boy, i feel stupid for not finding it myself. Thank you! ... View more

Thank you for your solution! Is there a way to set the URL path so that it gets the name of the current app and then redirects to the dashboard? e.g. <a href='/app/<currentApp>/reports'>Scheduled Searches </a> ... View more

The correct syntax in that regard would be [WinEventLog://*] Don't forget the two forward-slashes before putting the asteriks for all ... View more

Here's run-anywhere code to make your test data... | makeresults | eval mydata= "1=A 2=B 2=B 1=C 1=C 2=C 2=A" | makemv mydata | mvexpand mydata | rex field=mydata "(?<User>[^=]+)=(?<Event>.*)" | eval User = "User ".User | eval Event="Event ".Event | streamstats count as recno | eval _time =relative_time(now(),"-1h@h") + recno | rename COMMENT as "The above just generates your test data." Then you can do either this.... | rename COMMENT as "This assumes that the Events have a completely unique key." | stats min(_time) as _time by User Event | table _time Event User | sort 0 _time ... or this... | rename COMMENT as "This assumes that the Events have an event type that is not unique." | sort 0 _time | streamstats current=f last(Event) as lastEvent by User | where isnull(lastEvent) OR Event!=lastEvent ... View more

Based on your clarification, like this: | eval myDate=relative_time(now(), "@d+12h") | search Outputdate < myDate ... View more

index=your_index State="Active" earliest=@w6@d latest=@w6@d+7d | stats count Shows the count of all open tickets from previous Saturday until the end of Friday. If you want to exclude friday, use latest=@w5@d+7d ... View more

Instead of lookup you can use a search, but it's a limited check because you're not sure to check all IDs: in this example I'm checking if the IDs of the last hour were present in the 24 hours before: your_search earliest=-25h@h latest=-h@h | stats count by ID | append [ your_search earliest=-h@h latest=now | dedup ID | count=0 | table ID count ] | stats sum(count) AS Total by ID | where Total=0 If the problem is to manage the lookup, you could generate it automatically using a scheduled search (e.g. every hour or every night): your_search earliest=-h@h latest=now | dedup ID | count=0 | table ID count I usually prefer use the lookup. Bye. Giuseppe ... View more

While they will need to find the inputs.conf on the forwarder, the question was "How do I manage it remotely?". ... View more

Thank you! This was exactly what I was looking for. ... View more

Thanks a lot for the quick response! Works as intended. ... View more

Hi Hi ckunath,, last year I did the same question, see the answer https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html. Bye. Giuseppe ... View more

You really should do a proper field extraction so that ID (or listID ) is automatically extracted at search time as a multivalued field. That is the only way to go and that is a completely different question. ... View more