Hi @GaneshAryan , Based on what you provided, I came up with this: index=? sourcetype="sfdc:transaction_log__c" | eval totalmessage="b2cforce-liveperson", errormessage="userId Retrieval Failure" | eval total=if(like(_raw,"%".totalmessage."%"),1,total), errors=if(like(_raw,"%".errormessage."%"),1,errors) | stats sum(total) as total, sum(errors) as errors After that you can do your math with "total" and "errors". Not sure I'd use the like() function to search something in _raw in general. But it works it seems. Maybe you can setup a field that indicates if the event is an error, instead of searching for a string in _raw all the time. Cheers Ralph ... View more

Hi @CMEOGNAD , See my response to a similiar question.  You could drop events with seconds *1 to *9, keep *0 It will not be exactly 9 of 10. But with something like that you could randomly reduce the volume.  Not sure if it makes sense with your data. (or Cribl) ... View more

I was looking for the same Document. Found it in the Internet Archives 🙂 http://web.archive.org/web/20171227002107/https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F   ... View more

Ah ok, I understand now. You could throw away the irrelevant hours: | eval hour=strftime(_time, "%H") | where hour>=6 AND hour<=18 ... View more

Hi @jip31 , Can you please give more details about your use case? I tested your SPL and it works in general. It gets into troubles when you set the time picker to several days.  One limitation are the sort commands. (sort 0 time might help).  But in general I don't see a reason why you'd select events of 7d and then limit in in the search to 4 hours. Is there a reason to limit time later, instead of using the time picker? Ralph ... View more

Hi @shocko, The first Event is: <Channel>DhcpAdminEvents</Channel> So this one is processed by your DHCPAdminEvents Stanza. There is no white/blacklist, so it is processed. To allow the second Event, I guess the whitelist entry has to be adjusted.  I did not use this recently, but looking at the docs it has to be key=regex syntax.   "SourceName" is not the key I guess....isn't it "EventSourceName".  And maybe even something like "System.Provider.EventSourceName"? (not sure about that part right now) In this (2018) post Nick mentions, that quotations in the regex might be an issue. Maybe try to escape them EventSourceName=\"DhcpServer\". Or something like EventSourceName\S\SDhcpServer\S   (just to try if the quotations are an issue also when escaped) ... View more

Hi @jip31, It seems to work in general for me, independent of the timepicker setting (well, if you select less than 4 hours it will only show you events from the selected range or course). Can you show the first part of the search? Is there a timechart or something that groups by 30 min?  Because when I use the given part of the search I get columns for each minute. Is there a reason why you filter the time range in the SPL instead of selecting  e.g. "last 4 hours"? Ralph     ... View more

Hi @crucifier_0  Suppose your columns are called "letter" and "number": | stats avg(number) by letter   Hope this is what you asked for. BR Ralph ... View more

So, there is no "Status" field in the Lookup, that's why it didn't map. I assume the field "Error_Code" is what you want to map with the "Status" from Query 1. | lookup blabla.csv Status as "Error_Code" OUTPUT Action ... View more

What are the actual column names in the lookup table? Is it "Status" and "Action" (Starting with capital letter)? Also the fields from Query 1? ... View more

The eval statement that @ITWhisperer is refering to would set the Error_Message to null if it is <double quote><comma>,  you could change that to  if(Error_Message="\',",null,Error_Message). But if you use my adjusted rex command, you would not even have this "wrong" Error Messages in your search results. You just need to check that your valid Error Events have the string "ERROR" with space in front, which is usually the case. ... View more

Hi @aditsss, You could change your rex command to this: |rex field=_raw "\sERROR(?<Error_Message>.*)" Note that I added \s before ERROR, because usually in an Error Message/Event the string "ERROR" is not directly located next to another string . You could also add a \s after the "ERROR". Hope that helps. BR Ralph ... View more

This would give you numbered ip* columns | transpose | rename "row *" as ip* | fields - column This is a modified version of what @ITWhisperer  suggested, which is more flexible than my simple transpose approach: | rename ip0 as ip | streamstats count as row | eval row="ip".row | eval {row}=ip | stats values(ip*) as ip* But answering these questions would really help to find a suitable solution 🙂 ... View more

Hi  @Dalador , Try to add : | transpose This would create columns based on your rows. You will probably have to do some renaming and maybe filter some of the new rows, but it should give you what you are asking for. Best Regards Ralph ... View more

Hi @roopeshetty , This should give you a start: | streamstats current=f window=1 last(ProtectionStatus) as prev_status | eval statuschange=if(ProtectionStatus!=prev_status,"true", "false") There was a similiar question recently. There is also another option using command "Delta" suggested by @manjunathmeti  Cheers Ralph ... View more

Hi  @gvssaicharan , Try this: | eval month=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%m") | eval quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4") | eval year=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%Y") | eval year_quarter=year."_".quarter BR Ralph ... View more