×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
uagraw01
Motivator
Member since: ‎06-03-2020
‎01-05-2026
Community Statistics
Posts 583
Solutions 2
Karma Given 172
Karma Received 7
Member Since ‎06-03-2020
Activity Feed
Topics I've Started
View All

Re: Acess issue with different users

by in Splunk Enterprise
‎01-05-2026 07:59 PM
‎01-05-2026 07:59 PM
@PickleRick I’m not using any knowledge objects in the panel search  it’s a direct index search. After granting read access to the Search & Reporting app, the numbers started appearing correctly, consistent with other user roles. index=json a type=Put data.workstationId=* | spath source | search source=decan | rename data.putCarrierPhysicalId as BinId, data.orderId as OrderId, data.putCarrierQuantity as qty, data.workstationId as workstation | timechart span=1d@d1 sum(qty) as value by workstation | addtotals ... View more

Re: Acess issue with different users

by in Splunk Enterprise
‎01-05-2026 08:07 AM
‎01-05-2026 08:07 AM
@isoutamo Thanks for sharing this with me. I will try to accomodate in my environment. ... View more

Re: Acess issue with different users

by in Splunk Enterprise
‎01-05-2026 04:22 AM
1 Karma
‎01-05-2026 04:22 AM
1 Karma
@isoutamo I have now given read access to search and reporting app to customer role and now figures are coming similar like production manager role. ... View more

Re: Acess issue with different users

by in Splunk Enterprise
‎01-05-2026 02:07 AM
‎01-05-2026 02:07 AM
Hi @livehybrid  The numbers below are correct, which is Production_manager role. One more thing to add ; while open the panel search in custome role I am getting oops message but in Production manger role panel is working fine and opens in anaother windows.    ... View more

Acess issue with different users

by in Splunk Enterprise
‎01-05-2026 01:32 AM
‎01-05-2026 01:32 AM
Hello Splunkers !! I'm noticing an issue in Splunk. When I log in with the production manager role, the report figures are perfectly accurate. But when I access Splunk using a customer role, the values in the reports differ from what I see as a production manager. Any suggestions on how to troubleshoot or resolve this difference would be appreciated! Correct values with the production manager role   wrong values with customer role     ... View more
Labels

Re: Ingest Backdated Files in Splunk Using Event R...

by in Splunk Enterprise
‎12-22-2025 09:46 PM
‎12-22-2025 09:46 PM
Hi @richgalloway After accommodate suggested changes; still my files showing with the same index time in Splunk timeline graph.  Is there anything else I need to check or fix /   ... View more

Ingest Backdated Files in Splunk Using Event Repor...

by in Splunk Enterprise
‎12-21-2025 11:33 PM
‎12-21-2025 11:33 PM
Hello Splunkers!! I have a set of backdated files that need to be ingested into Splunk. The requirement is that the event timestamp (report time) should be used as the event time, so that the data appears in the Splunk timeline under the corresponding historical period rather than the current ingestion time. In the screenshot below, the event report time does not align with the index time. I would like the index time to match the event report time so that the data is accurately reflected in the Splunk timeline.   In my system I am using below setting: inputs.conf [monitor://D:\up_ticket_data\tbl_workorder_*.csv] sourcetype = maximo_workorder index = maximo_ts disabled = false crcSalt = <SOURCE> #followTail = 0 charset = UTF-8 props.conf [maximo_workorder] INDEXED_EXTRACTIONS = csv LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false FIELD_DELIMITER = , FIELD_QUOTE = " HEADER_FIELD_LINE_NUMBER = 1 CHARSET = UTF-8 TRUNCATE = 999999 TIME_PREFIX = REPORT_DATE, TIME_FORMAT = %Y-%m-%d MAX_TIMESTAMP_LOOKAHEAD = 10 TRANSFORMS-drop_header = remove_workorder_csv_header I need expertise advise to get it fix. ... View more
Labels

Re: Trellis view is not working while export pdf

by in Dashboards & Visualizations
‎08-20-2025 04:43 AM
‎08-20-2025 04:43 AM
Hi @PrewinThomas Its working. fantastic!! ... View more

Trellis view is not working while export pdf

by in Dashboards & Visualizations
‎08-20-2025 03:35 AM
‎08-20-2025 03:35 AM
Hello Splunkers!! I have a trellis view in my dashboard and when I export it to PDF, the trellis view is not supported. Is there a way to download it in a visual format similar to PDF instead of using Dashboard Studio? Thanks for the help in advance!!   ... View more
Labels

Re: Append command is not working

by in Splunk Search
‎08-16-2025 06:00 PM
‎08-16-2025 06:00 PM
Hi @ITWhisperer , Firstly thanks for the responses. Below I am attaching the screenshot of the job detail dashboard for the complete search.   For more information I am splitting both the searches: First search : (index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | lookup isc_mordc id as isc_id OUTPUTNEW mark_code statistical_subject | lookup isc_areaname.csv isc_id as isc_id OUTPUTNEW area_name cell cluster subsystem | search subsystem="DEP/*" OR subsystem="DEC/*" | stats count(subsystem) as scada_count by cell cluster | table scada_count cell cluster Second search : index=internal_statistics_1h [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | table dda_count   Complete search : (index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | lookup isc_mordc id as isc_id OUTPUTNEW mark_code statistical_subject | lookup isc_areaname.csv isc_id as isc_id OUTPUTNEW area_name cell cluster subsystem | search subsystem="DEP/*" OR subsystem="DEC/*" | stats count(subsystem) as scada_count by cell cluster | table scada_count cell cluster | eval dda_count = [ search index=internal_statistics_1h [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults ... View more

Re: Append command is not working

by in Splunk Search
‎08-14-2025 05:26 PM
‎08-14-2025 05:26 PM
@ITWhisperer I am reinitiates my question loop. Problem : The second sub search is always giving me the repetitive counts. Please guide me to fix it. Thanks in advance !!   ... View more

Re: Need help to fix trellis drilldown

by in Dashboards & Visualizations
‎08-13-2025 06:12 PM
‎08-13-2025 06:12 PM
Hi @bowesmana, Thank you for your response. The only difference I have observed is that when I click on the second panel, it displays all results. I would like it so that when I click on “GTP,” it should display only the corresponding GTP values (e.g., 8 and 9). Could you please advise on how I can associate this filter with the second panel? ... View more

Re: Need help to fix trellis drilldown

by in Dashboards & Visualizations
‎08-13-2025 03:21 PM
‎08-13-2025 03:21 PM
Hi @ITWhisperer  Below is my complete code. <form stylesheet="common:vanderlande.css, customer_reports=mordc.css" theme="dark"> <label>Daily Performance Dashboard ( Services )</label> <init> <!-- Ensure details are hidden until user clicks the first panel --> <unset token="tokShowDetails"></unset> </init> <fieldset submitButton="true"> <input type="time" token="time" searchWhenChanged="false"> <label>Time Selector</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <single> <title>Depalletising, Decanting Faults per thousand cases ( Overall )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x53a051","0xf8be34","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">large</option> <option name="useColors">1</option> <drilldown> <set token="tokShowCluster">1</set> <unset token="tokShowCells"></unset> <unset token="tokCluster"></unset> </drilldown> </single> <single depends="$tokShowCluster$"> <title>Depalletising, Decanting Faults per thousand cases ( Cluster )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults BY cluster</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">medium</option> <option name="trellis.splitBy">cluster</option> <option name="useColors">1</option> <!-- Click a cluster tile --> <drilldown> <set token="tokShowCells">1</set> </drilldown> </single> </panel> <panel> <single depends="$tokShowCells$"> <title>Depalletising, Decanting Faults per thousand cases ( Per Cell )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults BY cell</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="rangeColors">["0xf1813f","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[1,30,70,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="useColors">1</option> </single> </panel> </row> </form>   ... View more

Re: Need help to fix trellis drilldown

by in Dashboards & Visualizations
‎08-13-2025 06:00 AM
‎08-13-2025 06:00 AM
Hi @ITWhisperer  Thanks for working on this. While loading the dashboard at very first all the panels are loading including Overall, cluster and cells. I want to load Overall ( first) then click ---> load Clusters panel --> then click any cluster open only its respective cells and its count. One more issue I can see. While clicking back the panel one, I can se third panel is showing error with lookup.   ... View more

Re: Need help to fix trellis drilldown

by in Dashboards & Visualizations
‎08-13-2025 03:41 AM
‎08-13-2025 03:41 AM
@bowesmana Thanks for all the suggestion. While applying in my real code. I am still facing an issue. As I provided my code below please help me to fix it.   <row> <panel> <single> <title>Depalletising, Decanting Faults per thousand cases ( Overall )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0.0</option> <option name="rangeColors">["0x53a051","0xf8be34","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">large</option> <option name="useColors">1</option> <drilldown> <set token="cluster">$trellis.value$</set> <set token="form.cluster">$trellis.value$</set> </drilldown> </single> <single > <title>Depalletising, Decanting Faults per thousand cases ( Cluster )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults BY cluster</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">medium</option> <option name="trellis.splitBy">cluster</option> <option name="useColors">1</option> <!-- Click a cluster tile --> <drilldown> <set token="cluster">$trellis.value$</set> <set token="form.cluster">$trellis.value$</set> </drilldown> </single> </panel> <panel> <single > <title>Depalletising, Decanting Faults per thousand cases ( Per Cell )</title> <search> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster | chart count(Faults) as Faults BY cell</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="rangeColors">["0xf1813f","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[1,30,70,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="useColors">1</option> </single> </panel> </row> ... View more

Need help to fix trellis drilldown

by in Dashboards & Visualizations
‎08-12-2025 03:17 AM
‎08-12-2025 03:17 AM
Hello Splunkers!! I want to configure the dashboard so that when I click GTP, only cells 8 and 9 are displayed in the second panel, with all other cells hidden. Similarly, clicking North or South should display only their respective cells. Please guide me on how to achieve this by adjusting the Trellis drilldown settings in the dashboard. Below is the expectation I want. In a statistical view below: My current trellis token is looking as below : Thanks in advance.   ... View more

Re: Append command is not working

by in Splunk Search
‎08-10-2025 03:52 AM
‎08-10-2025 03:52 AM
I got the solutions. Thanks all the expertise for involving in this.  Issue was with the second search which was showing last 30 days only ( before 15th july only ) ... View more

Re: Append command is not working

by in Splunk Search
‎08-10-2025 03:09 AM
‎08-10-2025 03:09 AM
@PickleRick Hi removed all the highlighted attributes from the query. But still I am not getting any results. (index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) | fields - _raw | fields + area, zone, equipment, element, isc_id, error, error_status, start_time | search (area="*"), (zone="*"), (equipment="*"), (isc_id="*") | eval _time=exact(if(isnull(start_time),'_time',max(start_time,earliest_epoch))) | dedup isc_id error _time | fields - _virtual_, _cd_ | fillnull value="" element | sort 0 -_time -"_indextime" | streamstats window=2 global=false current=true earliest(_time) AS start latest(_time) AS stop, count AS count by area zone equipment element error | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject, mis_address AS error OUTPUTNEW description, operational_rate, technical_rate, alarm_severity | fillnull value=0 technical_rate operational_rate | fillnull value="-" alarm_severity mark_code | eval description=coalesce(description,("Unknown text for error number " . error)), error_description=((error . "-") . description), location=((mark_code . "-") . isc_id), stop=if((count == 1),null,stop), start=exact(coalesce(start_time,'_time')), start_window=max(start,earliest_epoch), stop_window=min(stop,if((latest_epoch > now()),now(),latest_epoch)), duration=round(exact((stop_window - start_window)),3) | fields + start, error_description, isc_id, duration, stop, mark_code, technical_rate, operational_rate, alarm_severity , area, zone, equipment | dedup isc_id error_description start | sort 0 start isc_id error_description asc | search technical_rate>* AND operational_rate>* (alarm_severity="*") (mark_code="*") | rename isc_id as Location, mark_code as "Mark code", technical_rate as "Technical %", operational_rate as "Operational %", alarm_severity as Severity | lookup mordc_Av_full_assets.csv Area as area, Zone as zone, Section as equipment output TopoID | lookup mordc_topo ID as TopoID output Description as Area | search Area="Depalletizing, Decanting" | stats count as Scada_count by Area | table Scada_count | appendcols [ search index=internal_statistics_1h [| inputlookup internal_statistics | where (step="Defoil and decanting" OR step="Defoil and depalletising") AND report="Throughput" AND level="step" AND measurement IN("Case") | fields id | rename id AS statistic_id] | eval value=coalesce(value, sum_value) | fields statistic_id value group_name location | eval _virtual_=if(isnull(virtual), "N", "Y"), _cd_=replace(_cd, ".*:", "") | sort 0 -_time _virtual_ -"_indextime" -_cd_ | dedup statistic_id _time group_name | fields - _virtual_ _cd_ | lookup internal_statistics id AS statistic_id OUTPUTNEW report level step measurement | stats sum(value) AS dda_count] Note : While executing both the queries individually. I a, getting the results. ... View more

Re: Append command is not working

by in Splunk Search
‎08-10-2025 02:01 AM
‎08-10-2025 02:01 AM
@yuanliu I want to divide Scada_count/dda_count. This is my use case. ... View more

Append command is not working

by in Splunk Search
‎08-06-2025 05:17 AM
‎08-06-2025 05:17 AM
Hello Splunkers!! I want to combined both the queries by using append but it doesnot work. its always giving me only one section of the results. Please help me to fix it. (index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) | fields - _raw | fields + area, zone, equipment, element, isc_id, error, error_status, start_time | search (area="*"), (zone="*"), (equipment="*"), (isc_id="*") | eval _time=exact(if(isnull(start_time),'_time',max(start_time,earliest_epoch))), _virtual_=if(isnull(virtual),"N","Y"), _cd_=replace('_cd',".*:","") | sort 0 -_time _virtual_ -"_indextime" -_cd_ | dedup isc_id error _time | fields - _virtual_, _cd_ | fillnull value="" element | sort 0 -_time -"_indextime" | streamstats window=2 global=false current=true earliest(_time) AS start latest(_time) AS stop, count AS count by area zone equipment element error | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject, mis_address AS error OUTPUTNEW description, operational_rate, technical_rate, alarm_severity | fillnull value=0 technical_rate operational_rate | fillnull value="-" alarm_severity mark_code | eval description=coalesce(description,("Unknown text for error number " . error)), error_description=((error . "-") . description), location=((mark_code . "-") . isc_id), stop=if((count == 1),null,stop), start=exact(coalesce(start_time,'_time')), start_window=max(start,earliest_epoch), stop_window=min(stop,if((latest_epoch > now()),now(),latest_epoch)), duration=round(exact((stop_window - start_window)),3) | fields + start, error_description, isc_id, duration, stop, mark_code, technical_rate, operational_rate, alarm_severity , area, zone, equipment | dedup isc_id error_description start | sort 0 start isc_id error_description asc | eval operational_rate=(operational_rate * 100), technical_rate=(technical_rate * 100) ,"Start time"= strftime(start,"%d-%m-%Y %H:%M:%S"), "Stop time (within window)"= strftime(stop,"%d-%m-%Y %H:%M:%S"), "Duration (within window)"=tostring(duration,"duration") | dedup "Start time","Stop time (within window)", isc_id, error_description, mark_code | search NOT error_description="*Unknown text for error*" | search technical_rate>* AND operational_rate>* (alarm_severity="*") (mark_code="*") | rename error_description as "Error ID", isc_id as Location, mark_code as "Mark code", technical_rate as "Technical %", operational_rate as "Operational %", alarm_severity as Severity | lookup mordc_Av_full_assets.csv Area as area, Zone as zone, Section as equipment output TopoID | lookup mordc_topo ID as TopoID output Description as Area | search Area="Depalletizing, Decanting" | stats count as Scada_count by Area | table Scada_count Search 2: index=internal_statistics_1h [| inputlookup internal_statistics | where (step="Defoil and decanting" OR step="Defoil and depalletising") AND report="Throughput" AND level="step" AND measurement IN("Case") | fields id | rename id AS statistic_id] | eval value=coalesce(value, sum_value) | fields statistic_id value group_name location | eval _virtual_=if(isnull(virtual), "N", "Y"), _cd_=replace(_cd, ".*:", "") | sort 0 -_time _virtual_ -"_indextime" -_cd_ | dedup statistic_id _time group_name | fields - _virtual_ _cd_ | lookup internal_statistics id AS statistic_id OUTPUTNEW report level step measurement | stats sum(value) AS dda_count   ... View more
Labels

Re: Issue with time selector

by in Dashboards & Visualizations
‎06-19-2025 04:08 AM
‎06-19-2025 04:08 AM
Hi @ITWhisperer  I have already used the finalized and done brackets, but the issue still persists. Additionally, I moved the saved search to the search app location to test, but it did not resolve the problem either. ... View more

Re: Issue with time selector

by in Dashboards & Visualizations
‎06-19-2025 03:38 AM
‎06-19-2025 03:38 AM
@ITWhisperer  Sure, thanks for the suggestion. Let me check ... View more

Re: Issue with time selector

by in Dashboards & Visualizations
‎06-18-2025 11:18 PM
‎06-18-2025 11:18 PM
@ITWhisperer So, if I remove the depends attributes, will it start working for the users? ... View more

Re: Issue with time selector

by in Dashboards & Visualizations
‎06-18-2025 11:12 PM
‎06-18-2025 11:12 PM
@ITWhisperer  Below is my complete code. So do you any any possibility which is causing an issue ? What Can i fix here so it will work for all the users ? <form script="common:common.js, common:remove_elements.js, customer_reports:attrchange.js, customer_reports:kpi_dashboard.js" stylesheet="common:vanderlande.css, kpi_dashboard.css, common:project_specific.css" hideEdit="true" version="1.1"> <label>KPI Dashboard</label> <search id="thresholds"> <query>| savedsearch report_kpi_dashboard_thresholds</query> <finalized> <!-- Availability --> <eval token="availability_min_value">$result.system_dashboard_availability_min_value$-0.0001</eval> <eval token="availability_max_value">$result.system_dashboard_availability_max_value$+0.0001</eval> <set token="availability_max_range_threshold">$result.system_dashboard_availability_max_range_threshold$</set> <!-- Completeness --> <eval token="completeness_min_value">$result.system_dashboard_completeness_min_value$-0.0001</eval> <eval token="completeness_max_value">$result.system_dashboard_completeness_max_value$+0.0001</eval> <set token="completeness_max_range_threshold">$result.system_dashboard_completeness_max_range_threshold$</set> <!-- Group Coherence --> <eval token="group_coherence_min_value">$result.system_dashboard_group_coherence_min_value$-0.0001</eval> <eval token="group_coherence_max_value">$result.system_dashboard_group_coherence_max_value$+0.0001</eval> <set token="group_coherence_max_range_threshold">$result.system_dashboard_group_coherence_max_range_threshold$</set> <!-- Lead Time --> <eval token="lead_time_min_value">$result.system_dashboard_lead_time_min_value$-0.0001</eval> <eval token="lead_time_max_value">$result.system_dashboard_lead_time_max_value$+0.0001</eval> <set token="lead_time_max_range_threshold">$result.system_dashboard_lead_time_max_range_threshold$</set> <!-- On-Time --> <eval token="on-time_min_value">$result.system_dashboard_on-time_min_value$-0.0001</eval> <eval token="on-time_max_value">$result.system_dashboard_on-time_max_value$+0.0001</eval> <set token="on-time_max_range_threshold">$result.system_dashboard_on-time_max_range_threshold$</set> <!-- Partitioning --> <eval token="partitioning_min_value">$result.system_dashboard_partitioning_min_value$-0.0001</eval> <eval token="partitioning_max_value">$result.system_dashboard_partitioning_max_value$+0.0001</eval> <set token="partitioning_max_range_threshold">$result.system_dashboard_partitioning_max_range_threshold$</set> <!-- Productivity --> <eval token="productivity_min_value">$result.system_dashboard_productivity_min_value$-0.0001</eval> <eval token="productivity_max_value">$result.system_dashboard_productivity_max_value$+0.0001</eval> <set token="productivity_max_range_threshold">$result.system_dashboard_productivity_max_range_threshold$</set> <!-- Throughput --> <eval token="throughput_min_value">$result.system_dashboard_throughput_min_value$-0.0001</eval> <eval token="throughput_max_value">$result.system_dashboard_throughput_max_value$+0.0001</eval> <set token="throughput_max_range_threshold">$result.system_dashboard_throughput_max_range_threshold$</set> <!-- Utilization --> <eval token="utilization_min_value">$result.system_dashboard_utilization_min_value$-0.0001</eval> <eval token="utilization_max_value">$result.system_dashboard_utilization_max_value$+0.0001</eval> <set token="utilization_max_range_threshold">$result.system_dashboard_utilization_max_range_threshold$</set> </finalized> </search> <search id="operational_hours"> <query>| savedsearch set_operational_hours</query> <finalized> <set token="operational_start_time">$result.operational_start_time$</set> <set token="operational_end_time">$result.operational_end_time$</set> <eval token="time.earliest_epoch">if($form.time.earliest$="",0,if(isnum($form.time.earliest$),$form.time.earliest$,relative_time(now(),$form.time.earliest$)))+($operational_start_time$*3600)</eval> <eval token="time.latest_epoch">if(isnum($form.time.latest$),$form.time.latest$,relative_time(now(),$form.time.latest$))+($operational_start_time$*3600)</eval> </finalized> </search> <fieldset autoRun="true" submitButton="false"> <input id="time" type="time" token="time" depends="$operational_start_time$, $operational_end_time$" searchWhenChanged="true"> <label>Time</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> <change> <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum('earliest'),'earliest'+($operational_start_time$*3600),relative_time(now(),'earliest')))+($operational_start_time$*3600)</eval> <eval token="time.latest_epoch">if('earliest'="",0,if(isnum('earliest'),'earliest'+(86400)+($operational_start_time$*3600),relative_time(now(),'earliest')))+(86400)+($operational_start_time$*3600)</eval> </change> </input> </fieldset> <row> <panel> <title>Throughput</title> <chart id="throughput"> <search> <query>| savedsearch report_kpi_dashboard_throughput operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$throughput_min_value$,$throughput_max_range_threshold$,$throughput_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0x3FC77A","0xB44441"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Cases</center> </html> </panel> <panel> <title>Availability</title> <chart id="availability"> <search> <query>| savedsearch report_kpi_dashboard_availability operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$availability_min_value$,$availability_max_range_threshold$,$availability_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>Completeness</title> <chart id="completeness"> <search> <query>| savedsearch report_kpi_dashboard_completeness operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$completeness_min_value$,$completeness_max_range_threshold$,$completeness_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>On-Time</title> <chart id="on_time"> <search> <query>| savedsearch report_kpi_dashboard_on_time operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$on-time_min_value$,$on-time_max_range_threshold$,$on-time_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>Lead Time</title> <chart id="lead_time"> <search> <finalized> <eval token="lead_time">now()</eval> </finalized> <query>| savedsearch report_kpi_dashboard_lead_time operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.majorUnit">1800</option> <option name="charting.chart.rangeValues">[$lead_time_min_value$,$lead_time_max_range_threshold$,$lead_time_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0x3FC77A","0xB44441"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Duration (hh:mm)</center> </html> </panel> </row> <row> <panel> <title>Utilization</title> <chart id="utilization"> <search> <query>| savedsearch report_kpi_dashboard_lfl_utilisation operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$utilization_min_value$,$utilization_max_range_threshold$,$utilization_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>Partitioning</title> <chart id="partitioning"> <search> <query>| savedsearch report_kpi_dashboard_lfl_partitioning operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$partitioning_min_value$,$partitioning_max_range_threshold$,$partitioning_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>Group Coherence</title> <chart id="group_coherence"> <search> <query>| savedsearch report_kpi_dashboard_lfl_group_coherence operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$group_coherence_min_value$,$group_coherence_max_range_threshold$,$group_coherence_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Percentage</center> </html> </panel> <panel> <title>Productivity</title> <chart id="productivity"> <search> <query>| savedsearch report_kpi_dashboard_productivity operational_start_time=$operational_start_time$ operational_end_time=$operational_end_time$ earliest_epoch=$time.earliest_epoch$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[$productivity_min_value$,$productivity_max_range_threshold$,$productivity_max_value$]</option> <option name="charting.chart.showMinorTicks">1</option> <option name="charting.chart.style">minimal</option> <option name="charting.gaugeColors">["0xB44441","0x3FC77A"]</option> <option name="refresh.display">progressbar</option> </chart> <html> <center>Cases/Hour</center> </html> </panel> <panel></panel> </row> </form>    ... View more

Re: Efficiently Expanding Multiple Multi-Value Fie...

by in Splunk Search
‎06-18-2025 06:10 AM
‎06-18-2025 06:10 AM
hi @ITWhisperer Its hard for me to share complete events. FYI to you  Area, zone, equipment fields are coming from the index search while other fields are coming through lookups. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-05-2026 07:56 PM
Karma from
Karma given to