My goal is to make a report that has running total (cumulative) data across years. Current year data is queried from Splunk while prior year data is all housed in a lookup (called TY19_Splunk_total_data.csv). My issue is that this report will be on a dashboard that has date range selectors. When the date range is selected, the streamstats works correctly for current year data (since it isolates the data from dates selected in the range THEN adds) but not for prior year data because I don't know how to restrict data in the inputlookup by "date" + 1 yr while at the same time, having the tokens apply to my base splunk search. Hopefully that makes sense... here's the query I'm working with     [base query] year=<current_year>     | timechart span=1d dc(intuit_tid) as current_year_data     | streamstats sum(current_year_data) as current_year_data     | eval time=strftime(_time,"%m-%d")     | join time     [| inputlookup TY19_Splunk_total_data.csv     | eval token_time=relative_time(strptime(time,"%m/%d/%Y"),"+1y")     | where capability="W2" and token_time>=$time.earliest$ and token_time<$time.latest$     | eval time=strftime(strptime(time,"%m/%d/%Y"),"%m-%d")     | stats sum(attempts) as prior_year_data by time     | streamstats sum(prior_year_data ) as prior_year_data     | fields time prior_year_data ]     | fields time current_year_data prior_year_data     | fields - _time ... View more

I have the following query: splunk_server=indexer* index=wsi sourcetype=fdpwsiperf (channel_type=ofx2 OR agent_service=OfxAgent) domain=tax api_version=v1 capability=* tax_year=2019 NOT *test* NOT *jmeter-automation* ofx_codes!="[15500,2000]" | lookup Provider_Alert.csv Provider_ID AS partnerId OUTPUT Tier Form_Type | search Tier=Tier1 | eval time_bucket=case(_time>=relative_time(now(),"-1h"), "last_hour", 1==1, "prior_hour") | eval error_type=case(error_code_host="2000", "OFX_2000", error_code_service IN ("5000","5001"), "provider_unavailable", like(http_status_code_host,"5%"), "HTTP_500",1==1,"null") | eval combo=partnerId."::".provider_id."::".Form_Type."::".host_base_url."::".error_type | chart dc(intuit_tid) as total_requests by combo time_bucket | eval partnerId=mvindex(split(combo,"::"),0) | eval provider_id=mvindex(split(combo,"::"),1) | eval Form_Type=mvindex(split(combo,"::"),2) | eval host_base_url=mvindex(split(combo,"::"),3) | eval error_type=mvindex(split(combo,"::"),4) | fields partnerId provider_id Form_Type host_base_url error_type last_hour prior_hour Which produces a table, where the following result is possible: partnerId provider_id Form_type host_base_url error_type last_hour prior_hour partner1 XYZ FormA urlB null 50 30 partner1 XYZ FormA urlB HTTP 500 12 20 partner2 ABC FormB urlZ null 20 30   I would like to add a column that sums values in last_hour according to grouping by partnerId, so that the above example, I would have another column (ie. extra_column) that has 62 (ie. 50 + 12 = 62) in the two rows for partner1. Extra note: I need the volume breakdown by error_type, but not in a chart format. How can I achieve this? ... View more

My goal is to design an alert that will populate a table of raw results, but only when certain evaluation aggregates apply. For example, if the total count of events in a time frame >100, post table of raw data. How do I achieve this limitation (similar to SQL "Having"), while reserving my desired table output? My query so far, which reflects the table output I desire without the "Having" logic: splunk_server=indexer* index=wsi sourcetype=fdpwsiperf (channel_type=ofx2 OR agent_service=OfxAgent) domain=tax api_version=v1 capability=* tax_year=2019 partnerId!=*test* partnerId="ADP" | lookup Provider_Alert.csv Provider_ID AS partnerId OUTPUT Tier Form_Type | search Tier=Tier1 | eval capability=if(like(capability,"109%"),"1099",'capability') | eval error_category=case(like(http_status_code_host,"5%"), "5XX", like(http_status_code_host,"4%"),"4XX", http_error_host="Read timed out", 'http_error_host', 1==1, "Other") | table _time, partnerId, intuit_tid, error_category, capability, tax_year, ofx_appid, host_base_url | rename intuit_tid as TRNUID Do not direct me to "From SQL to Splunk SPL" documentation. I've reviewed it, and it's not helpful for my use case. Thanks! ... View more

Here is my query (time range is YTD): (splunk_server=indexer* index=wsi_tax_summary sourcetype=stash capability=109* tax_year=2019 ein=* intuit_offeringid=* partnerId!=*test* partnerId=*) | timechart span=1d dc(intuit_tid) as 19attempts | streamstats sum(19attempts) as 19attempts | eval time=strftime(_time,"%m-%d") | join type=left time [ inputlookup TY18_Splunk_total_data.csv | where capability="109X" | stats sum(attempts) as 18attempts by _time | streamstats sum(18attempts) as 18attempts | eval time=strftime(strptime(_time,"%m/%d/%Y"), "%m-%d") | fields time 18attempts] | fields time 19attempts 18attempts | rename 19attempts as "TY19" | rename 18attempts as "TY18" I understand a left join to mean that if the results from my subsearch don't match with the main search, it won't be included. If I run the query above, I get data in TY18 column from 01-02 thru 01-09 (below). I didn't expect data against those dates, so I copied the subsearch and ran it in a separate search window, and I can see (as I expected) there's no data from 01-02 thru 01-09 (below). Am I not understanding something about join type? What's happening here? ... View more