Excellent!! That worked. I appreciate it. ... View more

Thanks for the response Here's the base of the search with MTTR is the mean time to repair or average outage time averaged by duration. The "avg_outage" is epoch: | transaction node startswith="up_or_down=down" endswith="up_or_down=available" | stats avg(duration) as avg_outage by node | eval MTTR=tostring(avg_outage, "duration") | table node MTTR ... View more

Needed to add a second eval to fix the above issue. "|eval down=if(isnull(down),0,down)" ... View more

I changed the query history to only go back a year and that seemed to open things up. ... View more

no, nothing. I have a ticket opened with support, but was hoping to see if anyone else had this experience with 3.1.1? ... View more

Just to add, when I run the same query in another tool, the data is there and current. This has to be in the DB connect config somewhere. The weird thing is that it was working, and now it's not. I noticed I cannot set up a Rising input no matter what I do. So maybe the issue is there. ... View more

Nope that didn't fix it. Singled out nodes using the same search do not show anything when Availability is at 100.00. On the full node panel, it's ok. ... View more

Just made a change and took out the IPregex and just replaced it with $field2$. That brought in the nodes that are in the green range, but not anything that is 100.00. So it has something to do with the round and the decimal I believe. ... View more

I do have one more issue. I've tried to create a single panel using the above that searches for one node in the "IPregex". This only works for any node that isn't at 100% or in the top range. So any node that's ok, doesn't appear in the Availability column. Here's the comparison of the two searches (I made some changes to the original search...I just took out the rangemap and used graph color ranges). So the working search: index=index IPregex=* upordown=* |rename upordown as status | rename IPregex as IP |lookup nodes.csv IP |chart count over NODENAME by status | eval Availability=round((available*100)/(available+down),2) | table NODENAME,Availability The non-working search: index=index IPregex=10.0.0.1 upordown=* |rename upordown as status | rename IPregex as IP |lookup nodes.csv IP |chart count over NODENAME by status | eval Availability=round((available*100)/(available+down),2) | table NODENAME,Availability ... View more

I like it!!! Thanks. I'm actually going to use both and build a nice dashboard with drop downs to pick the node. Thanks for your help. ... View more

well, it's basically a chart with a right side legend of 5 pages of nodes and not graph. But I like where you're going with this. What ultimately I need is a simple graph or table showing a percentage up time of each node on the list (about 43 of them) for a sales person so she can report that this node has been up for 30 days straight or whatever if a customer complains that they aren't getting data. So perhaps the table with "bright lights" is where I need to go with this, if you know what I mean. ... View more

OK, thanks. I'll let you know. ... View more

just "available" or "down". I thought about putting the packet loss output in there, but thought I'd keep things simple for now. ... View more

Data is fine as I get data without the lookup. I just can't do anything with it. The lookup table is not helping. Thanks for the help ... View more

Permissions are set globally. So that's not it. I should be seeing events with the lookup, so perhaps the data is not parsed correctly. ... View more

Inspecting the job shows that the remote search seems to be doing what it should: litsearch (index=aircontrol DEBUG (Rule="Questionable Radio Link" OR Rule="Bad Cable" OR Rule="Data Abuser Warning" OR Rule="Data Abuser Critical" OR Rule="AP Down" OR Rule="Low Noise Floor" OR Rule="Low Noise Floor Access Points" OR Rule="High Latency" OR Rule="Warning CPU" OR Rule="High CPU" OR Rule="Warning CPU Access Points" OR Rule="High CPU Access Points" OR Rule="Number of Client >=25" OR Rule="Number of Client >=30" OR Rule="Number of Client >=35" OR Rule="Customer Interface LAN Status = Down")) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1516035600.000000 lt=1516125059.000000 remove=true max_count=1000 max_prefetch=100 ... View more

OK, wait, I need to back up. The only thing that works is "index=aircontrol DEBUG "Questionable Radio Link" OR Rule="Bad Cable" OR Rule="Data Abuser Warning" OR Rule="Data Abuser Critical" OR Rule="AP Down" OR Rule="Low Noise Floor" OR Rule="Low Noise Floor Access Points" OR Rule="High Latency" OR Rule="Warning CPU" OR Rule="High CPU" OR Rule="Warning CPU Access Points" OR Rule="High CPU Access Points" OR Rule="Number of Client >=25" OR Rule="Number of Client >=30" OR Rule="Number of Client >=35" OR Rule="Customer Interface LAN Status = Down" When I try "index=aircontrol DEBUG [inputlookup aircontrol.csv]" I get nothing. They're basically the same. ... View more

But building a top 5 doesn't work. So what I'm thinking is the lookup table DOES work, but the top 5 for whatever reason, doesn't. ... View more