Those foreach solutions look nice. I wonder about the performance department tho, because foreach tends to be slow with big data. Have you tested the time and mem diff? ... View more

For those that came here (like me) in need for a solution, the trick I've found was to create mvfields with the span value and then mvexpand them and then do a distinct count by txid in the timechart.. So from original poster's question, lets assume we are there, and have duration in seconds created by the transaction command: | transaction UserId startswith="login" endswith="logout" Lets suppose that UserId is unique enough to be a TxId. So we want to do a count of how many concurrent Tx's are at a particular timeslot of 1s: | eval events=mvrange(0,duration,1) | fillnull events | mvexpand events Now we have created on each event a # of lines with an increasing value of 1 from 0 to duration, and we are going to use that to offset each _time by that amount of seconds: | eval _time=_time+events | timechart dc(UserId) span=1s And finally we do a distinct count of the TxId.  In theory we should have and actual event per time slot to be able to to a timechart that counts active transactions by their duration. ... View more

Yeah! I built the MV from raw and stumbled into some unwanted new line characters at that step! Either was the mvzip or my MV was not clean enough! ... View more

Glad this worked for you @ejwade ! Here my answers to your questions.. 1.  Number -2147483648 is the minimum integer number.. but you don't need "that" exactly.. you just need a "big enough number" so that subtraction of the mvcount won't take a digit out.. this is critical, since the mvsort is a lexicographical sort and will work only if all the id's are the same length. 2. You are right, the mvdedup is not needed! Will update the query for that! YW! ... View more

Try instead of 10 or 20 a small number like 0 or 1 ... View more

This is the right way. Both append and join solutions not only are bad practices, but also if dataset is big enough, they will probably hit a conf limit and return less events. ... View more

NOT (SPAN_LOSS_MAX=50 AND ((Hour>=0 AND Hour<7) OR Hour=23)) ... View more

Well there are a couple of solutions for this, at the end the strategy is doing a lookup, and then an eval applied. But the better one is to configure an automatic lookup for this to enrich the data with the Host_Operating_System field from the lookup and so when you search it it already comes like this: Assets, WindowsVersion, Host_Operating_System Asset1, 2003, 2008 Asset2, 2008, 2003 Asset3, 2012, 2012 And then you just have to do and eval if(WindowsVersion=Host_Operating_System, "Yes", "No") Check this link on how to create an automatic lookup If you dont want to alter the index's harmony, then do a lookup on the asset and an eval index=foo sourcetype=bar | lookup fooAssets.csv Assets OUTPUT Host_Operating_System | eval Difference=if(WindowsVersion=Host_Operating_System, "Yes", "No") | table _time, Assets, WindowsVersion, Host_Operating_System, Difference, _raw Regards, Rafael. ... View more

So if your multivalue variable is an input in the form used to filter what to report with a space delimiter, then you need to make it a multivalue and format it on the search.. let me explain with a simple query.. index=foo sourcetype=bar ([stats count | head 1 | eval exam_type= "$EXAM_TYPE_REQ$" | makemv exam_type delim=" " | mvexpand exam_type | fields exam_type | table exam_type | format]) | eval DAY = strftime(_time, "%Y%m%d") | stats avg(avg_reaction_time) as AVG_RT_DAY by DAY, exam_type So my strategy would be to first get whatever events we need filtered by a multivalue input from search command, then do the analysis you need to do. Regards, Rafael. ... View more

Hello ngerosa, There is already a default hour extraction called date_hour.. if you don't have it, I will recommend building the extraction yourself to be able to filter since search command. index="flap" DELTA_SPAN>=3 NOT NOT (SPAN_LOSS_MAX=50 AND date_hour>=0 AND date_hour<=7) | dedup CONCATENATE_Z sortby + _time | chart count AS FLAP by date_hour Hope it helps, Regards. ... View more

I've noticed pretty much the same behavior but my deployment is a production deployment with clusters and 5+ indexers and massive amount of data. 1 minute for you is sometimes 20 minutes for me. I don't know the technical specification for this, but when Splunk says "Eventtypes and tags run at search time" it refers that when you run your search request it will look for the rules that apply for your particular search and then perform them. My primary suspect is that splunk uses a more static than dynamic way to store this rules so that they are available as soon as anyone needs them, and the time it takes to update them based on changes to the splunk UI are related to the availability of both the cached set of rules to apply to searches and the memory/cpu resources in the deployment. So let me explain why I think this, because if the job manager is running constantly and overloading the machines and using constantly the rules, it would be hard to splunk to say "okay, now is the right time to alter the rules without impacting other Jobs. I recall a time when I updated a lookup by removing the old one and uploading the new one.. and the users reported 15~ minutes later that it wasn't finding the lookup, but it was there, and permissions were correctly assigned, just the system didn't updated itself with the new lookup reference during that time. So that's my educated opinion on this, maybe if I get to ask an splunk technician from Splunk I would definitely ask this kind of questions on how they manage internally the availability of the search time rules. ... View more