Hi! I have to collect some JSON "as is" - not as key-value pair. How can I set event timestamp in this case? ... | eval _time=strptime(...) | table _time _raw | collect index="..." ... doesn't work: _time is ignored with _raw present and replaced with cirrent time. I could do: ... | eval data = _raw | table _time data | collect ... , but it generates key-value-event with "data={my_json_from_raw}" ... View more

Hi! ... | streamstats count as SESSION by PATIENT_ID PROGRAM_NAME | chart values(AVG_RT) over SESSION by PROGRAM_NAME limit=0 SESSION 0 A 1 A-Rhythmical 2 Inhibition 3 Diff inhibition 4 Shifting 5 Attention __________________________________________________________________________________________________ 1 0.76 0.75 0.76 1.80 1.03 0.96 0.77 0.79 1.84 1.05 1.02 0.80 0.80 1.09 1.19 0.82 0.82 1.27 0.83 0.79 1.30 1.31 2 0.79 0.78 ... 0.75 "0 A", "1 A-Rhythmical" are PROGRAM_NAMEs i.e. the name of these fields are variable. I would like to get average of its multivalues for each program name by SESSION: SESSION 0 A 1 A-Rhythmical 2 Inhibition 3 Diff inhibition 4 Shifting 5 Attention __________________________________________________________________________________________________ 1 0.76 0.79 0.79 1.82 1.06 1.16 2 0.79 0.77 ... ... View more

Hi! On my dashboard there is the dropdown list. I want to exlude its token criteria from search query if default value "notdef" is selected. i.e.: if("$dropdown_token$" == "notdef") | WHERE param1 = $param1_token$ AND param2 = $param2_token$ else | WHERE param1 = $param1_token$ AND param2 = $param2_token$ AND dropdown_param = $dropdown_token$ I tried to use match replaceing "notdef" by empty sting while "notdef" is selected: | eval dropdown_req = if("$dropdown_token$" == "notdef", "", "$dropdown_token$") | WHERE param1 = $param1_token$ AND param2 = $param2_token$ AND match(dropdown_param, dropdown_req) , but values of $dropdown_token$ include the sign "*" (e.g. "*A") and it doesn't work in regex in match(). Thank you! ... View more

Hi! I have two indexes: patients and examination patients: | id name | gender | date_of_birth | examination: | user_id | exam_type | How could I get a table of all examinations for males? Thank you! ... View more

Hi! I have XML-events with different name values: <reactiontimes> <rt1>1.42</rt1> <rt2>1.31</rt2> <rt3>1.33</rt3> ... <rtN>X.XX</rtN> </ractiontimes> How can I get AVG of rt* for each event? Thank you! ... View more

Hi! Find same issue but Unfortunatelly doesn't work for me. <?xml version="1.0" encoding="utf-8" ?> <DynavisionXML version="1.1"> <name>Fname, Sname</name> <email></email> <ID></ID> <startdatetime> <year>2016</year> <month>3</month> <day>4</day> <hour>4</hour> <minute>54</minute> <second>55</second> </startdatetime> ... </DynavisionXML> Timestamp specification: MAX_TIMESTAMP_LOOKAHEAD=105 TIME_PREFIX=\<year\> TIME_FORMAT=%Y\<\/year\>[\r\n\s]+\<month\>%m\<\/month\>[\r\n\s]+\<day\>%d\<\/day\>[\r\n\s]+\<hour\>%H\<\/hour\>[\r\n\s]+\<minute\>%M\<\/minute\>[\r\n\s]+\<second\>%S\<\/second\> But Splunk returns an error: Could not use strptime to parse timestamp from '2016\r\n3\r\n4\r\n4\r\n54\r\n55' Thank you! ... View more