I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc. My current query looks like this: sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs However, the pairs look like this: Windows-Windows Mac-Mac Linux-Linux Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)? ... View more

I would like to display a chart for only the last 24 hours of data, but I don't want the charts to be empty if I haven't imported the data today, I'd like it to just show the last available 24 hours' worth of data. (This is because the data is currently coming from another machine and I have to manually import log files for the moment.) How can I specify "last 24 hours of data that is available"? ... View more

I have indexed data being displayed in dashboards for which are working well. However, I have created additional users and these users cannot execute any searches. I have found that even an additional admin account cannot execute searches (although it should be identical to my original 'admin' account). These additional accounts can, however, view the results of scheduled searches. The data is definitely visible to these users, only searching is broken. For example, these users can see the results for this search: sourcetype="dailylogs" But get "No matching events found. Inspect..." for this search: sourcetype="dailylogs" status="error" What do I need to do to enable users to search? ... View more