This is surely a bug and certainly fixed by now. ... View more

You should wrap the fieldname name with '$' For example: | eval myExample=$an:example$ ... View more

I'd like to piggy back off of this post. I apologize if this is bad netiquette. Can someone suggest how to use stats rather than append for this search? I stole the structure from the deployment app index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" earliest=@d| eval GB=b/1024/1024/1024 | eventstats sum(GB) by pool | timechart partial=f span=30m per_hour(GB) as GBph | eval marker = "today" | eval _time = _time+1800 | append maxtime=600 maxout=1000000000 timeout=600 [ search index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" earliest=-1d@d-30m latest=@d-30m| eval GB=b/1024/1024/1024 | eventstats sum(GB) by pool | timechart partial=f span=30m per_hour(GB) as GBph | eval marker = "Yesterday" | eval _time = _time+86400*1+1800 ] | timechart median(GBph) by marker Sorry I had to use an answer post because the comment text box is too limiting. Thanks in advance, Curtis ... View more

I see. Well unless im still misunderstanding that is not what it will do though--- both 'eval myHour=strftime(_time,"%H")' and date_hour will give hour of the day as interpreted in the server's timezone. ... View more

rather, you should have no problem running oneshot on the forwarder where your files are. even if you could run oneshot remotely (I guess you could), it wouldn't do what you want. running it locally does. ... View more