I have a panel which shows the usage of a dashboard in GMT timezone. Is it possible to show the same data in different timezones (PST, EST, IST, etc) as different lines in same chart? Below is the query which shows count in GMT timezones  index="_internal" user!="-" sourcetype=splunkd_ui_access "GET" "sample" | rex field=uri "\/app\/(?<App_Value>\w+)\/(?<dashboard>[^?\/]+)" | search App_Value="sample" dashboard = "daily_health" |timechart count  How can we modify this query to show in different timezone in single chart? ... View more

Hi, I have events with below format, 08/09/202109:27:00 +0000, search_name=sre_slo_BE_module_priority_monthly, search_now=1628501220.000, info_max_time=1628501220.000, info_search_time=1628501221.635, Module=InvoiceManagement, Priority=P4, LastViolationMonth="Jul-2021", MissedCount=1, LastViolationp90ResponseTime (s)="30.44", Deviation (%)="1.5" I would like to plot a graph which would have Y axis with values as P1, P2, P3, P4 & x axis with Month. I tried using below query to plot a graph by assigning values to the Priorities. But again, the Y axis becomes based on the Values assigned to the Priority rather than Priority itself.   index=summary source=sre_slo_BE_module_priority_monthly Module="ControlCenter" | eval convert_epoch = strftime(_time,"%m-%d-%Y") | eval prevMonth=lower(strftime(relative_time(_time,"-1mon@d"),"%B")) | eval MonthYear = prevMonth + "-" + date_year | search convert_epoch!="08-01-2021" | eval PriorityValue = case(Priority="P1", 4, Priority="P2", 3, Priority="P3", 2, Priority="P4", 1) | stats values(PriorityValue) as PriorityValue by MonthYear, Priority   Below is the graph which I get. Instead of PriorityValue on the Y axis, I need Priority itself. Could someone please help me out here @kamlesh_vaghela @diogofgm  Is this something which you can assist with. Appreciate if you can help on this Thanks ... View more

Hi, I have a summary index which gets indexed once in a month. I have a query which runs based on current month looks back at last 6 months and provides me a report.  Is it possible to rewrite a query to show a trend which can go over each months' event and look back 6months of data for each month and provide a report?     Here is the query which looks back at last 6 months from current month. I would like to do the same for all months (look back from each month) and provide a trend index=summary source=sre_slo_BE_qlatency_permodule_monthly | where _time>=relative_time(now(),"-6mon@mon") | eval Month=Month + "-" + Year | chart values(p90Latency) as P90Latency by Month, Module useother=f limit=10000 | eval MonthYear=Month, Year=substr(Month,5,4), Month=substr(Month,0,3) | fields - Year | table MonthYear * | transpose 20 header_field=MonthYear, column_name=Module | foreach *20* [ eval Max=case(Max>=if(isnull('<<FIELD>>'),0,'<<FIELD>>'),Max,true(),if(isnull('<<FIELD>>'),0,'<<FIELD>>'))] | where Max>30000 | foreach *20* [eval <<FIELD>>=ROUND(('<<FIELD>>')/1000,2)] | fields - Max | rename Module as MainModule | eval RequestType="Business Event" | lookup SLOHighToleranceLookup RequestType OUTPUTNEW Module | eval Module=if(isnull(Module), "null", Module) | where MainModule != Module | fields - Module, RequestType | rename MainModule as Module | eval ViolationCount=0, LastViolatedMonth="", LastViolatedResponse=0, TotalViolationCount=0 | foreach *-2020 or *-2021 [ | eval LastViolatedMonth = if('<<FIELD>>'>30,"<<FIELD>>", LastViolatedMonth) , LastViolatedMonthNumber = substr(LastViolatedMonth, 0, 2) , ViolationCount=if(('<<FIELD>>'>30), ViolationCount+1, ViolationCount) , LastViolatedResponse=if('<<FIELD>>'>30,'<<FIELD>>', LastViolatedResponse) , Deviation=case(LastViolatedResponse>30,round(((LastViolatedResponse-30)/30)*100,1)) , Priority = case( (Deviation >= 100 AND ViolationCount >=1), "P1" , ((Deviation >= 75 AND Deviation < 100) AND ViolationCount >=3), "P1" , ((Deviation >= 75 AND Deviation < 100) AND (ViolationCount >= 0 AND ViolationCount < 3)), "P2" , ((Deviation >= 50 AND Deviation < 75) AND ViolationCount >= 3), "P2" , ((Deviation >= 50 AND Deviation < 75) AND (ViolationCount >= 0 AND ViolationCount < 3)), "P3" , ((Deviation >= 25 AND Deviation < 50) AND ViolationCount >= 3), "P3" , ((Deviation >= 25 AND Deviation < 50) AND (ViolationCount >= 1 AND ViolationCount < 3)), "P4" , ((Deviation > 0 AND Deviation < 25) AND ViolationCount >= 0), "P4" )] | eval LastViolatedMonthNumber = substr(LastViolatedMonth, 0, 2) , LastViolatedMonthYear = substr(LastViolatedMonth, 4, 4) | eval LastViolatedMonth = case(LastViolatedMonthNumber==01, "Jan", LastViolatedMonthNumber==02, "Feb", LastViolatedMonthNumber==3, "Mar", LastViolatedMonthNumber==4, "Apr", LastViolatedMonthNumber==5, "May", LastViolatedMonthNumber==6, "Jun", LastViolatedMonthNumber==7, "Jul", LastViolatedMonthNumber==8, "Aug", LastViolatedMonthNumber==9, "Sep", LastViolatedMonthNumber==10, "Oct", LastViolatedMonthNumber==11, "Nov", LastViolatedMonthNumber==12, "Dec") | eval LastViolatedMonth=LastViolatedMonth + "-" + LastViolatedMonthYear | fields Module, LastViolatedMonth, LastViolatedResponse, ViolationCount, Deviation, Priority, LastViolatedMonthNumber, LastViolatedMonthYear | sort - LastViolatedResponse | rename LastViolatedMonth as "Last Violation Month", LastViolatedResponse as "Last Violation p90ResponseTime (s)", Deviation as "Deviation (%)", ViolationCount as "Missed Count" | eval CurrentMonth = strftime(now(), "%m"), CurrentYear= strftime(now(), "%Y"), ViolationMonthDifference=if(CurrentYear>LastViolatedMonthYear, (12-LastViolatedMonthNumber)+CurrentMonth, CurrentMonth-LastViolatedMonthNumber) | where ViolationMonthDifference<=3 | eval Priority = if(Priority=="P1" AND LastViolatedMonthNumber != CurrentMonth-1 , "P2", Priority) | fields - LastViolatedMonthNumber, LastViolatedMonthYear, CurrentMonth, CurrentYear, ViolationMonthDifference Thanks ... View more

Hi I have a query which results me data in the below format, I am trying to put out a table assigning priority based on the response(>2s is violator) for module and number of times violation occurred.      | foreach *-2020 or *-2021 [ | eval LastViolatedMonth = if('<<FIELD>>'>2,"<<FIELD>>", LastViolatedMonth) , LastViolatedMonthNumber = substr(LastViolatedMonth, 0, 2) , ViolationCount=if(('<<FIELD>>'>2), ViolationCount+1, ViolationCount) , LastViolatedResponse=if('<<FIELD>>'>2,'<<FIELD>>', LastViolatedResponse) , Deviation=case(LastViolatedResponse>2,round(((LastViolatedResponse-2)/2)*100,1)) , Priority = case( (Deviation >= 100 AND ViolationCount >=1), "P1" , ((Deviation >= 75 AND Deviation < 100) AND ViolationCount >=3), "P1" , ((Deviation >= 75 AND Deviation < 100) AND (ViolationCount >= 0 AND ViolationCount < 3)), "P2" , ((Deviation >= 50 AND Deviation < 75) AND ViolationCount >= 3), "P2" )] | fields Module, LastViolatedMonth, LastViolatedResponse, ViolationCount, Deviation, Priority     Currently the Module is considered P1 violator when the violation count is >3. I would like to add one more condition to check for the previous month response - if it was a violator or not.If previous month is not a violator but the latest/last month is a violator and the violation count >=3, I want that module to be marked as P2(not P1). I am not sure how to check the previous column value(that is previous month value - to check if it violated then) against the last/latest month under for each statement. Could someone please help me out here.  @bowesmana Can you help me on this. Thanks ... View more

Hi  I have input fields which has value as week number. Based on the Weeknum selected, how do I pass on the earliest and latest date under my drilldown. Here is my input field   <input type="dropdown" token="weeknum" searchWhenChanged="true">   And here is my drilldown section from one of the dashboard panel where time range gets passed to another page (sre_module_summary) in the name of token selectedearliest & selectedlatest. How to get the values for the token based on the weeknum selected from input panel.   <drilldown target="_blank"> <eval token="Module">$click.value$</eval> <eval token="HostType">$HostType$</eval> <link> <![CDATA[/app/sre/sre_module_summary?form.Module=$Module$&host=$HostType$&form.timerange.earliest=$selectedearliest$&form.timerange.latest=$selectedlatest$]]> </link> </drilldown>   Could someone please help. ... View more

Hi I have a table which displays duration for each category. I would like color code fields based on its duration. In the above screenshot, how do I write an expression to color code which are exceeding 1min. I would prefer using the color coding from the source rather than creating JSS because we dont have the permission to splunk servers as such to update config/put the JS scripts. Could someone please help me out here ... View more