Well, the data is pretty simple: one file per Netcool, and the lines in the log have a time stamp and a number of numeric values, one of which is a count of inserts.
But isn't the earliest part of Splunk limiting how far back the search can go?
This all works nicely in the Pivot editor but not when run as a report, so there must be something in the editor that obeys the data picker that's ignored in the report.
What we are trying to highlight is where the inserts are outside a range around the 30 day average, that is, if inserts are outside 50-150% of the average. If too low for an extended period, there is a possible data feed issue; if too high, we could be seeing a data flood that, if maintained, could bring the system down.
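The check described in the post above (inserts outside 50-150% of the trailing 30 day average), written out as an added Python example; it is not part of the original post and is not Splunk SPL. The log line layout, the function names and treating three consecutive low samples as an "extended period" are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # trailing baseline length from the post
LOW, HIGH = 0.5, 1.5          # band from the post: 50-150% of the average
MIN_LOW_RUN = 3               # assumption: "extended period" = 3 samples in a row


def parse(line):
    """Assumed (constructed) layout: '<ISO timestamp> <inserts>'."""
    ts, inserts = line.split()[:2]
    return datetime.fromisoformat(ts), int(inserts)


def find_anomalies(lines):
    """Return (date, kind, inserts, baseline_avg) for samples outside the band."""
    window = deque()   # (timestamp, inserts) pairs inside the trailing window
    total = 0          # running sum of inserts currently in the window
    low_run = 0        # consecutive samples below the low threshold
    alerts = []
    for ts, inserts in sorted(parse(l) for l in lines if l.strip()):
        # Expire samples older than 30 days relative to the current one.
        while window and ts - window[0][0] > WINDOW:
            total -= window.popleft()[1]
        if window:  # a baseline exists only once earlier samples are present
            avg = total / len(window)
            if inserts > HIGH * avg:
                # A single high sample is reported at once: possible data flood.
                alerts.append((ts.date().isoformat(), "flood", inserts, round(avg)))
                low_run = 0
            elif inserts < LOW * avg:
                # Low samples are reported only when sustained: possible feed issue.
                low_run += 1
                if low_run >= MIN_LOW_RUN:
                    alerts.append((ts.date().isoformat(), "feed_low", inserts, round(avg)))
            else:
                low_run = 0
        # The current sample joins the baseline only after it has been judged.
        window.append((ts, inserts))
        total += inserts
    return alerts


def sample_lines():
    """Constructed daily counts: steady load, one spike, then a three-day drop."""
    counts = [1000] * 10 + [1800, 1000, 300, 300, 300, 1000]
    start = datetime(2024, 1, 1)
    return [f"{(start + timedelta(days=i)).isoformat()} {c}" for i, c in enumerate(counts)]
```

Because outliers are added to the window after being judged, a long flood or outage gradually shifts the baseline; excluding flagged samples from the average is a design choice this sketch does not make.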