It sounds like you have too many rows in your lookup file which is breaching the limits on search sizes. ... View more

Hi @Mike6960, maybe the problem is the field message.messageId, rename it or use quotes: index=TEST (logger="success - Metadata:*" OR logger="Response: OK") | rename message.messageId AS messageId | eval kind=if(logger="Response: OK","Response: OK","success - Metadata") | stats dc(kind) AS kind_count values(logger) AS logger BY messageId | where kind_count=2 Ciao. Giuseppe ... View more

Yes, its either colon or a space. Your last reply worked. Thank you ... View more

Try something like this. You have to manually select the column chart and format the X-Axis Label to rotate vertically. <base_search> | timechart span=1d count | eval date=strftime(_time, "%Y-%m-%d") | table date count   ... View more

@kamlesh_vaghela  Hi, sadly this does not make a difference. I suspect that it has something to do with the fact that splunk 'sees' the '0' in the single value as a result ... View more

This works like a charm. Thanks ... View more

Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped. Message.ID LOGGER LOGGER 1 “start” 2 “start” 3 “start” 3 "Exception" 3 "Exception" 4 "Start" 5 "Start" 5 "Exception" 6 "Start" 7 "Start" ... View more

try: where ‘questions’ %3C 1 ... View more

Great ! Can you Accept this answer to close the question ? Thanks 🙂 ... View more

Based on the example you provided in the question comments, this should return the data you are looking for: | rex "(?<PDFFileName>\S+)\.[Pp][Dd][Ff]" Here's the regex101 link showing it function on your example: https://regex101.com/r/OyLl8z/1 ... View more

@Mike6960 , Try your search |stats latest(eval(if('message.information'=="Start",_time,null()))) as Start, latest(eval(if('message.information'=="End",_time,null()))) as End by ID |eval dur=Start-End You may use first as well instead of latest ... View more

You're welcome 🙂 cheers, MuS ... View more

yeah, append only kicks in when results are empty, and what you said about table sort of fixing it, it's the same for the fields I added here, apparently the sum(count) was breaking the results, when I removed it, everything was working and when I added it the 0 became red. ... View more

Just add dedup after the eventstats. index=* "message.Origin"=blabla source="something " | search logger="test1" OR logger="test2" | eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID | dedup ID | table example1,example2,source,index,ID ... View more

Thanks, but I dont see how my searches are related to your example. Looks like a totally different search ... View more

Update ping ... ... View more

Finally- the above one should work..for some reason 'hard' and 'hostname' got missed out even after applying it within the code blocks, i dunno why ! ... View more

Hello, You can use a CSV lookup describe in: http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureCSVlookups ... View more

@niketn , I produced this : Fieldalias for B_C and B_X is B_C_X | eval B_C_X =ltrim(tostring(B_C_X ),"0") | chart count(B_C) as T count(B_X) as T2 by B_C_X | where T!= T2 | fillnull if I use 'search' instead of 'where' I still get mutiple rows with all the results. Now I only need to figure out how to show the sourcetype in the result ... View more

or did i understand you wrong? ... View more

No, trendline is selected in 'menu' 'formatting visualisation' ... View more

What do i do when events exist more then one time? The events are imported every day and events that dont have a statuschange are imported again. So I have duplicates in my index. I tried Dedup but then I can't do the transaction ... View more

Hi Mike6960, if it's acceptable for you to have different rows for each level, you could use something like this: (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) [ search index=index1 sourcetype=sourcetype1 error_message="my message" | dedup Id | fields Id ] | stats values(level) AS level count BY Id flow | eventstats count AS Total BY Id | table Id flow level Total so you'll have Id flow level Total 123456 action exe 2 123456 message error 2 Otherwise, but it's a little bit more complicated you could use (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) [ search index=index1 sourcetype=sourcetype1 error_message="my message" | dedup Id | fields Id ] | stats values(level) AS level count BY Id flow | append [ search (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) [ search index=index1 sourcetype=sourcetype1 error_message="my message" | dedup Id | fields Id ] ] | table Id flow level Total | sort Id -Total | eval Id=if(Total>0,Id,"") And you'll have Id flow level Total 789 2 action exe message error 123456 2 action exe message error Bye. Giuseppe ... View more

You can enable event colouring (but not specifically to fields) To do this, build an eventtype and choose a colour for it. You will need to make sure your coloured event type has a higher priority than other eventtypes matching the same event, otherwise the colour gets removed. ... View more