I am building a query where I want to use a top 10 list of values from a lookup table, and then run a search against those entries (each entry in a different query). The basic search is something like this:     | tstats count as count where index="myindex" id="some id value" by _time CAUSE_VALUE span=5m | timechart sum(count) as total_count span=5min     The query in the lookup table to provide the variable for the ID is something like this:     | inputlookup lookuptable.csv | sort 10 -dm | table oper, dm | transpose 10 | rename "row "* AS "value_in*" | eval top1=value_in1     TSTATS needs to be the first statement in the query, however with that being the case, I cant get the variable set before it. The perfect query should be something like this, however it is not (because of the above):     '''~ Set Variable top1 ~''' | inputlookup lookuptable.csv | sort 10 -dm | table oper, dm | transpose 10 | rename "row "* AS "value_in*" | eval top1=value_in1 '''~ Use Variable ~''' | tstats count as count where index="myindex" id=top1 by _time CAUSE_VALUE span=5m | timechart sum(count) as total_count span=5min     I did read some similar questions where it was suggested to use |where id= <whatever> but that doesn't work in my case because of the TSTATS. Any suggestions? ... View more

I have a query that returns an avg calculation over time and I am using a sparkline to try to show the results for each 'period' over that time, however although my results are showing a correct value, my sparkline only shows a value of 0 or 1. My search is:       | tstats SUM(ABC) as ABC, sum(DEF) as DEF where index=FOO earliest=-4h latest=-45m by _time platform span=5m | eval AVG_ABC=((sum(DEF)/sum(ABC))/60) | stats sparkline avg(AVG_ABC) by platform         Instead of the single line result with the sparkline over time, I get the following: Can anyone point me in the right direction? Essentially I am looking to create something like a single number value viz with a trendline. Thanks. ... View more

On an existing dashboard I have a rather complex query that generates a timechart on which I am looking to use annotations to highlight threshold breaches. Is there any way to avoid having to run the same query twice (once to create the initial chart, and a second time for the annotations). Oh -- [I think I have may be answering my own question,] is the answer here going to be to use a base search? Thanks.   ... View more

I am looking for suggestions as to how best to implement an alerting request made by my users.  Summary A query is run to count the number of events. The time weighted difference (in percentage) between one period of the next will be used to trigger the alert if the threshold is met. Query I have a query which I am already using on an existing dashboard. I am using TSTATS to count events, then a REX to group the events based on the first 3 characters for a field (DRA).      | tstats prestats=t count where index="foo" sourcetype="bar*" DRA=C* by DRA, _time | rex field=DRA "^(?<pfx>\D\S{2}).*" | timechart span=5m count by pfx useother=f limit=0 usenull=f       The groups and the number of these 'groups' will vary, but the result will be similar to the below : _time C27 C31 C33 2022-10-12 13:00:00 116 2 70 2022-10-12 13:05:00 287 3 20 2022-10-12 13:10:00 383 6 45 2022-10-12 13:15:00 259 7 41 I suspect the maximum number of DRA codes that we will see will be 25, although I can break this up into different queries and play with some timing and priorities with the running of the searches. Goal The goal is to alert when any percentage changes from one period  to the next by more than a set percentage.  So, for example, in the above, I might want an alert at 13:05 that 'C33' had changed by ~72% from the previous period. I Have Tried Using a mix of streamstats, eval and trendline statements, have the following which will alert for a single 'C' code.     | tstats count as count where index="foo" sourcetype="bar" DRA=C27* by _time span=5m | timechart sum(count) as total_count span=5min | streamstats current=f window=1 last(total_count) as prev_count | eval percentage_errors=round(abs(prev_count/total_count)*100,1) | fillnull value=000 | trendline wma5(percentage_errors) AS trend_percentage | eval trend_percentage=round(trend_percentage,1) | fillnull value=0 trend_percentage | table _time, total_count, prev_count, percentage_errors, trend_percentage       Problems and Concerns How can I modify my query to account for the variable nature of the DRA code - both in name (Cxx) and in the number of DRA codes returned? I have added 'by' clauses almost everywhere, but have not had success. Each 5 minute period can see up to 70k events per DRA. Any thoughts on running all of the calculations across all extracted DRAs every 5 minutes? Any suggestions or comments on my line of thinking are appreciated.   ... View more

Can someone explain the prestats option within tstats? I have reread the docs a bunch of times but just don't find a clear explanation of what it does other than it is "designed to be consumed by commands that generate aggregate calculations". Below I have 2 very basic queries which are returning vastly different results.   index="myindex" sourcetype="mysource" DRA=B* | rex field=DRA "^(?<pfx>\D\S{1}).*" | timechart count by pfx useother=f limit=0 usenull=f   AND   | tstats prestats=t count where index="myindex" sourcetype="mysourcetype" DRA=B* by DRA, _time | rex field=DRA "^(?<pfx>\D\S{1}).*" | timechart count by pfx useother=f limit=0 usenull=f     I get it -- I must use prestats for the search using tstats but, then, what are the values that it IS returning without prestats? What is prestats doing?    ... View more

When editing a dashboard in source code, I add comments using <!-- -->,  but after saving the comments move location. It is not consistent -- they generally bunch together near the top, but sometimes others are left in place. This has been an issue for some time and is referenced here - https://community.splunk.com/t5/Dashboards-Visualizations/Commented-code-moves-in-splunk-Dashboard/m-p/498902  I have tried moving the comments within different stanzas (<row>, <panel>, etc), and also played with the tab levels in case that was involved, however have not had luck. It drives me batty. Has this been figured out? My Edits:     ... <!-- Some Comment --> <row> <!-- Another Comment --> <panel> ... ... </panel> </row> ...       Becomes:     ... ... <!-- Some Comment --> <!-- Another Comment --> <row> <panel> ... ... </panel> </row> ...           ... View more

When using DBXQUERY, is the a |search needed after the query?       | dbxquery connection="DRTP-Connection" query=" SELECT <X, Y, Z> FROM <wherever> WHERE <wherever>;" | search | table X, Y, Z | sort - Z        My query appears to work either way, but I have often been critical about using extra 'search' commands within a query, so I am curious as to whether there is a performance hit. ... View more