Finally here is my query which i want; <base search> | timechart span=1h count(REQUESTNAME) by ilce usenull=f useother=f | eval Time=strftime(_time,"%H:%M") | table Time,* | untable Time Xaxis Yaxis | xyseries Xaxis Time Yaxis Fyi.. ... View more

so, following on from your example data Hour : 00:00 EventCount: 10 Hour : 01:00 EventCount: 15 Hour : 02:00 EventCount: 23 . . Hour : 23:00 EventCount : 127 do you want the 'trend' for 01:00 to show the difference (+5) to the previous hour and the same for 02:00 (+8) or as a percentage? Anyway to simply calculate hourly differences, use any of  delta autoregress streamstats (as in my example)   ... View more

Hi,  - search | extract reload : didn't work - Server restart : didn't work - splunk show config props : I didn't try, i'm waiting for admin return because is enterprise product. Thank you for suggests Regards. ... View more

It's impossible to say why the data is not matching the lookup without seeing the data.  Please share some samples. Also, the lookup command is specifying the 'user_info' field, which does not exist in the lookup file. ... View more

King regards , thank you again. ... View more

you are amazing, works fine. Thank you very much   I love splunk community.. ... View more

Why do you need to increase the lines shown? There are various limits in Splunk, e.g. if you just run a simple search index=* it will show you 10,000 results max, but if you run index=* | stats count it will tell you how many result you have, which can be > 10000   ... View more

Exactly.  I need like this format, company logo's or background style.. etc. Also Soutamo share link in previously post.  Can i use for this or can you share any example html codes or additioanal app for splunk ?   Regards, ... View more

Hello @corehan, if I understand it correctly, the problem is that the count field from the raw event get overwritten by count field generated by stats command. .. | rex "count=(?<count_orig>\d+)" |stats count by DATE,Region,managed_object,ALERT |where count_orig >100 AND ALARM="LINK-3-UPDOWN" |sort -count -ALARM alternatively (not tested): |stats count AS amount by DATE,Region,managed_object,ALERT |where count>100 AND ALARM="LINK-3-UPDOWN" |sort -amount -ALARM ... View more

I see, I'm sorry to waste your time. ... View more

I don't know a way that's possible out of the box. 😞 Maybe there's something in Splunkbase. Attach PDF. ... View more