If that is really the actual event, the developers deserve spanking.  This is not conformant JSON but near garbage.  First off, the nodes are not properly separated by comma.  Secondly, keys and text values are not properly quoted all the way through. Is it possible that the actual "actual" event format is like this instead? {"event_disabled": false, "internal_event_id": "124578_1245", "name": "ELEMENT_EVENT", "element_list": {"list_element":[{"element": "{\"var1\":\"1.1.8.8:443\",\"var2\":\"1188\"}"},{"element": "{\"var1\":\"8.8.1.1:443\",\"var2\":\"8811\"}"},{"element": "{\"var1\":\"1.2.3.4:443\",\"var2\":\"1234\"}"}]}, "phone_number": 123456789 } It is extremely important to present accurate data if you want to get concrete help (as opposed to seek general ideas). Meanwhile, if the data is as I posted above, Splunk would have already given you a multivalue field named element_list.list_element{}.element.  You'll need to run mvexpand on that as @ITWhisperer suggested, then spath again. | mvexpand element_list.list_element{}.element | spath input=element_list.list_element{}.element | table var1 var2   ... View more

That is because your second query (with tstats) is equivalent to index=apl-cly-sap sourcetype=cly:app:sap |search processName="applicationstatus" | stats count by plantime | stats avg(plantime) which is semantically different from your first one. Unless plantime is extracted at index time, there is no way to do avg on this field in tstats. ... View more

The first thing you need to do is to explain "not working". (Really, try to avoid this meaningless phrase at all cost.)  What have you tried?  What is the output?  What is the desired or "correct" output?  How do the two output differ? You mentioned field1, field2, field3, field5, field7.  Is there any significance in field4, field6? (Also, even though I can understand the desire to anonymize raw data, spelling a URL as http:\\ is bad practice.) ... View more

No, there is no way to "pass" results into a subsearch but you can get the values passed to the output.  The logic is kind of straightforward, albeit requiring a bit of thinking. Here, I assume that you want to place all those Account_Name into the same pot: index="wineventlog" (EventCode=4624 OR EventCode=4768 Result_Code=0x6) [ search index="wineventlog" EventCode=4768 Result_Code=0x6 | table src_ip] | stats count, distinct_count(Account_Name), values(Account_Name) by src_ip ... View more

If you want top 2 by src_ip, the command to use is |top 2 sbimb sbomb dest by src_ip Can you show the result? limit=2 is to limit total output to two  rows. I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct?  When you post output from the above command, could you elaborate the difference between output and your mockup more? ... View more

You need to describe what you are trying to get, maybe some mockup.  What is the output of | top sbimb sbomb by src_ip and how does it differ from your expected output? ... View more

The logic is inverted in the following.  Try index="wineventlog" EventCode=4624 [ index="wineventlog" EventCode=4768 Result_Code=0x6 | eval earliest = relative_time(_time, "-5m"), latest = relative_time(_time, "+5m") | table earliest latest] ... View more

Yes.  Replace fieldformat with eval. (Use fieldformat allows you to manipulate time numerically while displaying it in a readable format.  But if you want it as column head, which is for displaying purposes, you must convert it to a real string.  eval will do that.) ... View more

To add to @starcher's instructions, I recently made this screenshot to help another question; the only difference is file name. As shown here, you need to check "Advanced options" in order to set up CIDR match type. As you are looking for non-matching entries, your filter should be isnull as opposed to isnotnull. MYSEARCH | lookup mylookup src OUTPUTNEW src as toFilter | where isnull(toFilter)   ... View more

If I read your intentions correctly, you want to drop any trailing numbers from sourcetype.  The simplest expression would be   | rex field=sourcetype mode=sed "s/\d*$//"   Here is an emulation that you can run and compare with real data   | makeresults | fields - _time | eval sourcetype=split("oracle:audit:json12 oracle:audit:sql11 oracle:audit:json12 oracle:audit:json11 oracle:audit:json oracle:audit:sql", " ") | mvexpand sourcetype ``` data emulation above``` | eval orig = sourcetype ``` for display ``` | rex field=sourcetype mode=sed "s/\d*$//"   orig sourcetype oracle:audit:json12 oracle:audit:json oracle:audit:sql11 oracle:audit:sql oracle:audit:json12 oracle:audit:json oracle:audit:json11 oracle:audit:json oracle:audit:json oracle:audit:json oracle:audit:sql oracle:audit:sql ... View more

I suppose you can calculate which ones are removed by dedup, just not by using dedup. | eventstats last(curious) as remaining by deduping | stats values(curious) as all by deduping remaining | eval removed = mvmap(all, if(all == remaining, null(), all)) Here, curious is the field you want to examine, and deduping is the field on which to dedup. ... View more

First, I think you mean  | streamstats time_window=5m avg(myval) as five_min_val by host | streamstats time_window=15m avg(myval) as fifteen_min_val by host Secondly, you need to illustrate what the actual output from your code and illustrate the desired output, explain any difference that is not obvious to volunteers who are unfamiliar with your original data. ... View more

The problem is in your query (and possibly your lookup definition).  Generally speaking, using inputlookup as subsearch is not a solution in cases where you really mean a lookup match. Splunk's lookup definition allows you to specify match type, one of them is CIDR.  You'll need to check "Advanced options" to add it. Suppose your file  match_cidr.csv contains the following subnet known_network 10.100.0.0/16 mine 10.16.5.0/24 friends 10.16.205.0/24 enemies and the lookup name is also match_cidr.csv.  Instead of inputlookup, the correct command is lookup. | lookup match_cidr.csv subnet AS src_ip | where isnull(known_network) This will find all src_ip's that are not your own, not your friends', and not your known enemies'. ... View more

Your title says you want to convert some data originally in miliseconds into a different format.  But you didn't illustrate your data, either the original data, or intermediate data, namely totalTime that you used rex to extract.   Nor did you explain how the field inMs in the tried code relates to totalTime. I have several suspicions.  First is the rex.  Unless your raw data has some really funky characteristics, the extraction group would be something like (?<totalTime>\d+) (all integers) or (?<totalTime>[\d\.]+) (decimals).  Have you confirmed that totalTime is a numeric value? If totalTime is a valid numeric field, you can use strftime to reformat it into HH::MM::SS. | fieldformat totalTime = strftime(totalTime, "%H:%M:%S") As expected, if totalTime exceeds 24 hours, the reformatted representation will cross 0. Example, | makeresults | fields - _time | eval totalTime = 12345.6789 | fieldformat totalTime = strftime(totalTime, "%H:%M:%S") results in totalTime 19:25:45 whereas | makeresults | fields - _time | eval totalTime = 123456.789 | fieldformat totalTime = strftime(totalTime, "%H:%M:%S") gives totalTime 02:17:36 ... View more

Pro tip (to get help from volunteers): Describe/illustrate your data (anonymize as needed but explain any characteristics others need to know) and desired output; describe the logic connecting your data and desired results (short, simple sample code/pseudo code is fine); if you have tried sample code, illustrate output and explain why it differs from desired results. From the OP to this, there is only one piece of sample code and an explanation that the token in the sample is not itself multivalued.  Unless you provide the rest of information, "it doesn't work" conveys absolutely no information.  In fact, avoid this phrase like a plague even at the best of times. ... View more