As others have pointed out, that is incorrect - _time is the factor for retention, NOT _indextime. Another example that shows this: You can clearly see this when receiving registry baseline key updates from Windows clients to Splunk, where the _time is the date the key was first set, which may be several years in the past. These events can disappear almost immediately because _time is outside the retention period. ... View more

Aside from the suggestion that map is generally not a go to solution for most problems, given that all your macro searches are expected to return _time _raw host, could you condense all the macros into a single statement and make the whole thing a subsearch, e.g. [ | inputlookup my_lookup_table | eval chk_ignore_from=if(Ignore_From!="", strptime(Ignore_From,"%Y/%m/%d %H:%M:%S"), null()) | eval chk_ignore_to =if(Ignore_To!="", strptime(Ignore_To,"%Y/%m/%d %H:%M:%S"), null()) | where isnull(chk_ignore_from) OR isnull(chk_ignore_to) OR (now() < chk_ignore_from OR now() >= chk_ignore_to) | where isnotnull(Macro) AND Macro!="" AND isnotnull(Alert_Mail_Send_To) AND Alert_Mail_Send_To!="" AND isnotnull(Alert_Mail_Title) AND Alert_Mail_Title!="" AND isnotnull(Alert_Mail_Body) AND Alert_Mail_Body!="" | eval Macro=trim(Macro) | eval Macro=case(match(Macro,"^[\"'].*[\"']$"), substr(Macro,2,len(Macro)-2), true(), Macro) ``` Combine them into multiple OR search conditions ``` | stats values(Macro) as search | eval search="(".mvjoin(search, ") OR (").")" ] ... That assumes that the macros represent simple search criteria and do not include any kind of pipes or other processing in the search, as they would then not combine to a single set of OR conditions. Then you don't have to use map at all.   ... View more

Something like the following [sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]{2}) TIME_FORMAT=%s TIME_PREFIX=Last connection attempt:\s* MAX_TIMESTAMP_LOOKAHEAD=11 with the assumption that you have blocks of data where the event break is a double linefeed/CR between events. See LINE_BREAKER. Timestamp recognition is done with TIME_PREFIX, so adjust for the timestamp you want. If this is just a single event from a running script, then you can do this instead [your_sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]Running) TIME_PREFIX=Last connection attempt:\s* which will treat the event as starting with Running, it will start a new event when it finds Running and as this occurs only once, it will put it all into the single event Variations on a theme here are setting LINE_BREAKER to something that will never match, e.g. ([\r\n]+end_of_file) The best way to write a TA is to create yourself a basic simple app and include the props.conf for that definition and upload it as your own app.   ... View more

Glad to see the old posts still have value 😊 Just a minor addition to consider - timechart will create buckets of _time depending on the time period you are looking at, so if you are searching a week, it will give you 1 day buckets and if you search 24h it will give you 30 minute buckets. When you do stats by _time if you have lots of data per second, then your stats will generate a lot of results, so if you do use the stats technique mentioned, it's worth considering a  | bin _time span=X to define the bucket. If you don't know in advance what bucket size you want, but know what your minimum would be, e.g. 1h, then add in span=1h simply to reduce the volume. So if you had 1 million events per hour, if you don't do the bin, you would exceed the base search result set, whereas with span=1h you would get a single result per hour.   ... View more

Thanks for clarifying - then you still use streamstats - see this modified example, most of the first part is getting your data to a form where you have  _time, src_ip, dest_ip, gb_in, gb_out for each of the two comparison weeks for the IP pairings. You'll need to run it a few times to get include=1 in the results, as it randomises byte counts. But the include field calculation looks for the 5% variance or whether the pairing is only seen in ONE of the weeks, in which case it also includes it. If you want to change the 5% variance, I suggest rather than editing the search each time, just create a macro with the value in there, so your test would look like if(abs('variance_%_<<MATCHSTR>>')>`get_variance_threshold`... where your macro get_variance_threshold simply has the value you want to change.  Hope this gets you closer to your target! | makeresults count=28 | eval bytes_in=random() % 200000000000 + 10000000000, bytes_out=random() % 200000000000 + 10000000000 | streamstats c | eval src_ip=mvindex(split("1.1.1.1,2.2.2.2", ","), c % 2), dest_ip=mvindex(split("3.3.3.3,4.4.4.4",","), c % 2) | eval _time=if(c<=14, now(), now() - (86400*7)) | bin _time span=7d | stats sum(bytes_*) as total_bytes_* by _time src_ip dest_ip | eval gb_out = round(total_bytes_out/1024/1024/1024,2) | eval gb_in = round(total_bytes_in/1024/1024/1024,2) | fields _time, src_ip, dest_ip, gb_in, gb_out ``` Above creates a dataset for comparison - in your case do tstats with a time span of the 1w and a time range of the full period you are comparing ``` ``` This sorts the row of data for this week and last week into two rows by _time ``` | sort src_ip dest_ip _time ``` Now streamstats pulls forward the last week value to the current week row ``` | streamstats window=2 global=f first(gb_*) as last_week_gb_* by src_ip dest_ip ``` Look how many times we have seen the pairing so we can detect count=1 ``` | eventstats count as seen_count by src_ip dest_ip ``` Calculate all the variances for in/out between the current and last week ``` | foreach gb_* [ eval diff_<<MATCHSTR>>='<<FIELD>>'-'last_week_<<FIELD>>', ``` Calculates difference in values from last week to this week ``` variance_%_<<MATCHSTR>> = round(diff_<<MATCHSTR>> / '<<FIELD>>' * 100, 2), ``` Calculate the variance % between the two weeks ``` include=if(abs('variance_%_<<MATCHSTR>>')>5 OR seen_count=1, 1, coalesce(include, 0)) ] ``` Looks at the 5% threshold and if it has only been seen one of the weeks ``` | fields - last_week_* ``` Here if include is set then it has exceeded the 5% variance or if it was only seen this week or last week ``` ```| where include=1```   ... View more

OK, first some observations 1. This logic ... values(All_Traffic.bytes_in) as bytes_in ... ... | eval total_bytes_in = sum(bytes_in) ... is wrong. Firstly if you get duplicate values of bytes_in then they will be removed so you may not get an accurate sum, and secondly it's not necessary to do it that way. Just do ... sum(All_Traffic.bytes_in) as total_bytes_in ... which will give you the correct sum. 2. | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") is not useful. Doesn't add any value in formatting time as a string before you want to render it for display, so leave it until the end As to comparing last week and this week - what exactly do you want to compare the 1 second value for a particular host at the same 1 second time a week ago, or some other aggregated time band? What about users or source/dest IPs - what else are you looking to compare, e.g. in vs in, out vs out, total vs total? Without a clear understanding of exactly what you're trying to compare, here's an example of producing 20 events for 10 hosts over the week - 10 for this week and 10 for last week. It then uses streamstats to pull last week figure to this week and then compares the values and retains only those results where ANY of the variances (in/out/total) are >5% for any host. Note the use of foreach is simply a shorthand way of repeating the same formulas for multiple fields. | makeresults count=20 | eval total_bytes_in=random() % 200000000000 + 10000000000, total_bytes_out=random() % 200000000000 + 10000000000 ```| eval r1=random() % 26, r2=random() % (26-r1) + r1, user=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ","") ``` | eval dest_zone="External", src_zone="Internal" | streamstats c | eval host="host".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""), ((c - 1) % 10)) | eval _time=if(c<=10, now() - ((c - 1) % 10), now() - (86400*7) - ((c - 1) % 10)) | eval gb_out = round(total_bytes_out/1024/1024/1024,2) | eval gb_in = round(total_bytes_in/1024/1024/1024,2) | eval gb_total=(gb_in+gb_out) | fields _time, host src_zone, dest_zone, gb_in, gb_out gb_total ``` This sorts the row of data for this week and last week into two rows by _time ``` | sort host _time ``` Now streamstats pulls forward the last week value to the current week row ``` | streamstats window=2 global=f first(gb_*) as last_week_gb_* by host ``` Calulate all the variances for in/out/total between the current and last week ``` | foreach gb_* [ eval diff_<<MATCHSTR>>='<<FIELD>>'-'last_week_<<FIELD>>', variance_<<MATCHSTR>> = round(diff_<<MATCHSTR>> / '<<FIELD>>' * 100, 2), alert=if(variance_<<MATCHSTR>>>5, "Alert", alert) ] | fields - last_week_* | where alert="Alert" Hope this helps give you some ideas on how to achieve what you need   ... View more

As an update to this, there is a significant optimisation to the single subsearch, which will cause events to be scanned between the overall earliest and latest time ranges, which may be a significant amount of the data. The solution is to use a 3 search multisearch, each one focused on it's own time range, which you can do in a similar way the first search will always use the time picker date, so no subsearch needed, but for the other dates... | multisearch [ search index=_audit ] [ ``` Search the last month ``` search index=_audit [ | makeresults | addinfo | eval earliest=relative_time(info_min_time, "-1mon"), latest=relative_time(info_max_time, "-1mon") | fields earliest latest ] ] [ ``` Search the last year ``` search index=_audit [ | makeresults | addinfo | eval earliest=relative_time(info_min_time, "-1y"), latest=relative_time(info_max_time, "-1y") | fields earliest latest ] ] | bin _time span=1d | stats count by _time Hope this helps.     ... View more

And this is what that would look like   ... View more

You can add this subsearch to any search and it will give you the time range from the time picker and then the same period 1 month earlier and the same period 1 year earlier. [ | makeresults ``` This gets the search range from the time picker ``` | addinfo ``` Calculate the related periods using relative_time eval statement ``` | eval last_month_earliest=relative_time(info_min_time, "-1mon"), last_month_latest=relative_time(info_max_time, "-1mon") | eval last_year_earliest =relative_time(info_min_time, "-1y"), last_year_latest =relative_time(info_max_time, "-1y") ``` Now construct the search term ``` | eval search=printf("((earliest>=%d AND latest<%d) OR (earliest>=%d AND latest<%d) OR (earliest>=%d AND latest<%d))", info_min_time, info_max_time, last_month_earliest, last_month_latest, last_year_earliest, last_year_latest) | fields search ] e.g. you could then do index=bla sourcetype=bla [ __INSERT_SUBSEARCH_HERE__ ] It simply constructs the search phrase ((earliest>=X AND latest<Y) OR (earliest>=X-1mon AND latest<Y-1mon) OR (earliest>=X-1y AND latest<Y-1y)) which controls the data selected in the search. ... View more

We have saved searches that run in certain sites that collect knowledge objects, dashboards, macros and so on, using the rest API as shown by @livehybrid. It writes the data to a summary index if the data has changed. Runs reasonably frequently, so there's always a recent backup to go back to if necessary.   ... View more

There are some subtleties around your first para. Splunk does indeed in the EventCode case, only look at events where 4662 would exist in the tsidx, but that's because EventCode is generally an alias for EventID for Windows Event logs The search results therefore will only have a scanCount=resultCount - assuming no other search conditions. However, if the field you are matching is a calculated field, then it cannot do that optimisation. Say for example you have a calculated field | eval MyEventCode=random() % 10 + 9990 and in your search you do  index=bla MyEventCode=9990 then scanCount for the search will have to read every event, because 9990 does not exist in the tsidx files, so in this case resultCount will be approx 10% of scanCount. You can see the effect of this in the search.log, the first being a search for MyEventCode and the second for EventCode base lispy: [ AND index::bla [ OR ... vs base lispy: [ AND 4662 index::bla [ OR... and you can see that there is some Calculated field processing happening before this for MyEventCode. So like all things Splunk, you need to understand the data and in this case, how the "fields" you are searching for are defined in any TAs that are relevant to that data. ... View more

Why don't you use timechart rather than stats by _time. Timechart will give you the time range on the chart as defined by the time picker and then you can set gaps to be 0 in the chart. ... View more

Although I can't give an absolute answer to your question, I do know that metadata has always been an unreliable source of truth. In the docs, for example, there is this somewhat opaque statement However, in environments with large numbers of values for each category, the data might not be complete so I have never used that to report on missing data. I use tstats to give more reliable results for that exact scenario, to identify hosts that stop sending data, which is also pretty quick. If you can easily change to something like tstats min(_time) as firstEvent max(_time) as lastEvent count by host then that will be far more reliable.   ... View more

What does that url have to do with Splunk?  Google can tell you plenty about that type of message. ... View more

On ES there will also be a ton of automatic lookups. If you look at the search.log you will see lines like CsvDataProvider [2092202 searchOrchestrator] - Reading schema for lookup table= how many of each do you have in each environment. That can change what fields you will see and it certainly can affect performance significantly.  You can see the effect of this behaviour if you upload a private app that has an import = search statement in default.meta and then run your search in that uploaded app's context. The undocumented import statement appears to override which apps are evaluated to give the app its runtime context, so by removing all other apps, you will not get any of the field extractions provided by those TAs or any of the lookups. I have an existing site where I have an app that has an import statement and the searches run several times faster in that app's context compared to any other. ... View more

This is posted in AppDynamics, so probably not SPL  ... View more

@verbal_666 there is a built in way directly in the XML without using CSS to hide those buttons from panels <option name="link.inspectSearch.visible">false</option> I use a token in that and set the token from a config file so I can turn on or off simply.  See the docs here. https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/simple-xml-dashboards/10.0/simple-xml-reference/simple-xml-reference#search-inspect-refresh-and-export-options-0   ... View more

As Rich says, take a look at the monitoring console, search and resource usage tabs to see if that gives any insight. If it does appear to be search related you can start with this search in the audit log to see what searches may be a problem index=_audit host="*" sourcetype=audittrail action=search (info=completed OR info=canceled) | eval user = if(user="n/a", null(), user) | eval search_window=round(search_lt-search_et) | foreach search_lt search_et [ eval <<FIELD>>=strftime(<<FIELD>>, "%F %T") ] | table provenance total_run_time scan_count event_count result_count search_et search_lt search_window savedsearch_name app user | sort - total_run_time This shows run_time, scan_count (an indicator of a heavy search) and other key fields. You can add the "search" field to the table command to show the raw search, but it doesn't always extract the field well for complex searches, but once you find culprits you can dig deeper ... View more

There are many ways to achieve this with streamstats, but my example goes with sorting in ascending time and calculating duration in the streamstats. See this example which creates 10 dummy logon/off events for a single user/host (SPL can demo up to 4 by changing the 'random() mod value from 1 to 4 in user/host eval) | makeresults count=10 | eval EventType=mvindex(split("Logon,Logoff", ","), random() % 2) | eval TargetUserName="USER".mvindex(split("ABCD", ""), random() % 1) | eval host="HOST".mvindex(split("ABCD", ""), random() % 1) | eval _time=_time - random() % 3600 | fields EventType Target* host _time | sort 0 TargetUserName host _time | streamstats range(_time) as SessionDurationSec reset_after="("EventType=\"Logoff\"")" by TargetUserName host | streamstats count(eval(SessionDurationSec=0)) as session by TargetUserName host | eval SessionStart=if(EventType="Logoff", _time - SessionDurationSec, null()) ``` Change this to stats to collapse data ``` | eventstats max(SessionDurationSec) as SessionDurationSec min(SessionStart) as SessionStart count(eval(EventType="Logon")) as LogonCount min(eval(if(EventType="Logon", _time, null()))) as firstLogOn max(eval(if(EventType="Logoff", _time, null()))) as lastLogOff by TargetUserName host session | eval SessionDuration = if(SessionDurationSec=0,"N/A", tostring(SessionDurationSec,"duration")) | eval IsOpenSession = if(isnull(lastLogOff), 1, 0) | eval Notes = case( IsOpenSession=1, "Open session: No logoff found after this logon", isnull(firstLogOn), "No prior login state found in search window", 1==1, "") | foreach SessionStart firstLogOn lastLogOff [ eval <<FIELD>>=if(isnull(<<FIELD>>),null(), strftime(<<FIELD>>,"%F %T")) ] ```| table EventType TargetUserName host firstLogOn lastLogOff SessionStart SessionEnd SessionDuration LogonCount LogoffCount IsOpenSession Notes``` I've used an eventstats rather than stats so you can see the effect of the decisions made in the SPL, but you can change that to stats to get rid of the unwanted events. The example ignores multiple logoff events and treats a logoff with no prior login (since a previous logoff) as a 0 length session. Hope this helps   ... View more

I have used a technique which can work, depending on data volumes and cardinality. Using append to collect both datasets together, then you can use  | eventstats values(cs_title) as titles | eval titles=if(isnotnull(cs_title), null(), titles) which will collect ALL titles in q1 into every event from q2 - it collects every title to every event then drops the field from q1 events. What this is doing it to push all titles into a field for all q2 events which can then be matched against, a bit like a dynamic runtime lookup.  and then you can follow that with a match, e.g. | eval matching_title=mvmap(titles, if(match(description, "(?i)".titles), titles, null())) | fields - titles which will set a new field matching_title which will be non-null if a match can be found - NB- it will do case insensitive match. This can use a lot of memory if you have lots of titles, but works. Note that there are some other optimisations you should do in your Q1 - ALWAYS limit the fields you want in the expanded events before using mvexpand. Particulary, make sure you exclude _raw as _raw JSON is generally always unnecessary and will be duplicated for every expanded event. You should not need to use mvsort on a field that has come from stats values(), as the output from values is always sorted. ... View more

See here https://help.splunk.com/en/splunk-cloud-platform/manage-knowledge-objects/splunk-app-for-lookup-file-editing/4.0/release-notes/known-issues Seems like there's a known bug Date filed Issue number Description 2025-03-18 LOOKUP-304 Unable to Update KV Store Lookups in Splunk App for Lookup File Editor (v4.0.5)   ... View more

See this statement in the 3rd panel search | search cluster=$tokCluster|s$ it does the filtering and the token setting will set that to the clicked cluster - I will edit the original XML in my post  ... View more