Thanks @dwaddle for your time, this looks promising(haven't tried yet). But I think you missed considering comparison of all the values in the latest log/transaction. That means there might be multiple values in the same transaction. Suppose X field has 1,1 and 2 as values at Y time range. We are comparing first(X) i.e., 1 with latest(lookup) which is good but we still need to compare all the values in this transaction i.e., 1 with 1,2 values and alert us since 2 is a different value. Hope you understood, Can you help me with this? ... View more

Thanks @rnowitzki  for your response. I get your point but unfortunately, logs of that index would be of indefinite time period. That means Suppose field got last value in last 2 weeks, next log might be earlier(like within 1 week) than that or later(may be after 25 days) as well. Hence, How to know the time range to be selected to compare recent/current value of that field with the lastly stored value in that field. To give more picture on the requirement I am looking for a query that will help in alerting whenever a particular field value changes by comparing the 1st value(suppose 3 values are there) of recent log/transaction with the last/old value of that field (no certain idea of when the last log came in) and also comparing within these 3 values of recent transaction if there is any new value within them. Hope you got my concern. ... View more

Then what could be suitable query for my requirement @to4kawa ... View more

index=_audit TERM("_internal") | stats count values(search) as search by user | mvexpand search | rex field=search "index=(?\S+)" | eval index=trim(index,"\"") | stats values(user) by index Above query almost worked but it is giving only results related to _internal index. Actually, I am looking for indexes ending with "_archive". Hence I tried in the below way. index=_audit | stats count values(search) as search by user | mvexpand search | rex field=search "index=(?\S+)" | eval index=trim(index,"\"") | stats values(user) by index |search index=*_archive let me know in case any optimization/better query can be provided @to4kawa ... View more

Yes, it is 7.X for us. index=_audit TERM("_internal") | stats count by user - this works good, but I would like to know the list of users based on index names. For Example: I would like to know the users who searched for all the index names ending with "_archive" like _internal_archive. if I run the below it is also giving wherever "_archive" is used, instead of not only in index names. index=_audit TERM("*_archive") | stats count by user Can you help me on this @to4kawa ... View more

I have used the query you have provided but it is not giving any results. | tstats count where index=_audit TERM("_internal") by PREFIX("user=") Also tried like this, but no use. | tstats count where index=_audit by user ... View more

@heroku_curzonj Can you please share the query to compare count of splunk indexers buckets older than 90 days from the current date with the hadoop data roll archived buckets. Recently I have archived buckets of _internal index(older than 90 days) from one site of splunk indexers to Hadoop cluster using https://docs.splunk.com/Documentation/Splunk/8.0.3/Indexer/ArchivingindexestoHadoop. I see buckets copied to Hadoop cluster and I am able to view events from archived index. But my challenge here is I see more buckets count in Hadoop cluster than in the splunk indexers from the dashboards Settings->virtual indexes -> archived indexes-> View dashboards I used SPL query "dbinspect index=_internal |stats count by splunk_server |addcoltotals" with the time range older than 90 days. Please help me in knowing what went wrong in my above approach or share the exact query to get the comparison of buckets count between archived index and splunk index ... View more