@georgear7 First of all, Need an _time field to plot a line chart. It should be time series data. In this case, 1) assign a new _time like this. Do it before override fields by strftime. | eval _time=StartTime Note: Basically if you search without tstats and _indextime, you don't need to care attempt _time with search. _time included with events. 2) Using timechart command + avg() aggregation function is the simple way to plot line chart. Of course you can do same thing with stats command but don't forget _time. Modify the span=1d to change aggregation time span. If you don't need GROUP BY, please remove BY clauses. | timechart span=1d avg(TimeTaken) by FileName Here is a sample. | tstats min(_indextime) as StartTime max(_indextime) as EndTime where index=* source=*.restart.log by source | rename source as FileName | eval _time=StartTime | eval TimeTaken= round((EndTime - StartTime)/60,2) | eval StartTime=strftime(StartTime, "%d/%m/%Y %H:%M:%S"),EndTime=strftime(EndTime, "%d/%m/%Y %H:%M:%S") | timechart span=1d avg(TimeTaken) by FileName ... View more

FYI. Be careful. Modify the configuration with system/default files are not recommend. If you upgrade the Splunk or Forwarder, all of under system/default configuration files override to new one. It means you'll lost your customize settings with system/default. On the global context, system/local is the most higher precedence. (or App local is good) ... View more

@georgear7  Looks like @rnowitzki 's answer is the solution. Did you try to add the solution to end of the line? (like this)  If it doesn't work, let me know your SPL and sample results of Not Matching. index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2 | rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt" | rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt" | rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)" | chart latest(Label) by EAR_Name,host | eval Result=if(host1==host2,"Matching", "Not Matching")   Just to be sure, check the result of the rex command on the third line you posted in your question.  My concern is that the regular expression "versionInfo*.txt" is probably does not match filename such as "versionInfo20200611.txt".  In this case, like "versionInfo.*.txt" or "versionInfo\d+.txt" works. If the regular expression works correctly and extracts the information you want, you are good to go. ... View more

@georgear7 FYI.  The tstats command does not support wildcard characters in field values in aggregate functions or BY clauses. Here's a sample with WHERE clauses.   | tstats min(_indextime) as StartTime max(_indextime) as EndTime where index=* source=*.restart.log by source | rename source as FileName | eval TimeTaken= round((EndTime - StartTime)/60,2) | eval StartTime=strftime(StartTime, "%d/%m/%Y %H:%M:%S"),EndTime=strftime(EndTime, "%d/%m/%Y %H:%M:%S")   ... View more

Here's an example using indexed time ( _indextime ).  Please change the "index=*" to your specific index.   | tstats min(_indextime) as StartTime max(_indextime) as EndTime where index=* by source | rename source as FileName | eval TimeTaken= round((EndTime - StartTime)/60,2) | eval StartTime=strftime(StartTime, "%d/%m/%Y %H:%M:%S"),EndTime=strftime(EndTime, "%d/%m/%Y %H:%M:%S")     ... View more

https://www.splunk.com/ja_jp/blog ... View more

確認と情報連携ありがとうございます。下記２点について教えてください。 ・利用されているSplunkバージョン ・事象発生前後（再起動）での、設定変更等の有無、および変更内容 ... View more

SmartStoreの説明についてはこちらもご参照ください。 https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/SmartStorearchitecture Buckets and SmartStore Indexer clusters ... View more

＞検索結果が重複する Search Headのserver.confにCluster MasterのURIが設定されていない可能性があります。 ご確認いただき、設定されていない場合は下記の設定・参考URLをご参照ください。 （参考）https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Configuresearchheadwithserverconf [clustering] master_uri = https://xxx.xxx.xxx.xxx:8089 mode = searchhead pass4SymmKey = whatever ＞レプリケーションが行われていない SmartStoreを利用している場合は、Index管理方法が従来と異なります。 Warmバケツの冗長化はリモートストア側が担うため、Warmバケツの複製（rb_*）はIndexer側では行われません。 レプリケーション処理は、Hotバケツに対して行われており、バケツステータスがWarmに遷移するとリモートストアにデータがコピーされ、以降はリモートストア側がマスターデータとして扱われます。 ... View more