Hi, I've got a query that's failing at the "where" statement. I'm trying to show data in the last 7 days based on data i've imported. This is the query: source=* host="xxx" index="xxx" sourcetype="xxx" "Issue Type"="Bug" | streamstats dc(source) as distinct_source | head (distinct_source == 1) | eval NewTime=strptime(Created,"%d/%b/%y %H:%M %p") | eval _time=NewTime | eval epoch7days_ago=relative_time(now(), "-7d@d") | where _time>epoch7days_ago I'm not sure why I'm getting no results at the where statement. ... View more

Hi, Is there a way of writing an if condition that basically says, "if value x exists in all of tabled fields, then create a new field, and insert the value "valid" into it". Is that possible? ... View more

Hi, I have two sets of records, let's call them V1 and V2. They both share a common field called ITEM. I basically need a way of saying return to me to items that are not common. So for instance, I would use a join command to join item values that are common - I need the opposite of that, wherein where items dont match, return that data. Thanks ... View more

Hi, I was just wondering, is there a way to validate the name of the file that is being ingested into splunk? So for example, if the file name is: "filename 20180124" I would have thought a regular expression could be used to validate that, but the question is, how do I use a query to display the file name into the console and then validate it? Could someone shed some light on this? Thanks ... View more

Hi, I have a could of fields that contain multiple values, and I am trying to seperate them into sepereate records. The following query works 90%. The only issue is that the last field in the subsearch is not displaying the unique valeus, for example it may contain the value: 2,3 but it will only display 2. Every other field works fine in terms of displaying all the unique values per record. This is the current query I have: index=index sourcetype=csv source=src1 host=host1 | stats count by ITEM field2 field3 field4 | rename field2 as F_2 field3 as F_3 field4 as F_4 | join ITEM [ search index=index sourcetype=csv source=src2 host=host2 | stats count by SKU c_2 c_3 c_4 | rename SKU as ITEM | rename c_2 as C_2 c_3as C_3 c_4as C_4 ] | eval DIFF1=F2-C_2 | eval DIFF2=F_3-C_3 | sort limit=0 ITEM | table ITEM, F_2, F_3, F_4, c_2, c_3, c_4, DIFF1, DIFF2 Can someone suggest what I can do to fix the problem? Thanks ... View more

Hi, I'm using the join command to join to searches based on a common field called ITEM. Based on this join, I want to return results from both searches only in instances where ITEM values match. However, I'm not sure it's working correctly. Could you please have a look at my query and let me know where I'm going wrong and what I could do to avoid using a join command: index=index sourcetype=csv source=src1 host=host1| stats list(field1) as F_1 list(field2) as F_2 list(field3) as F_3 BY ITEM| eval source1=mvzip(F_1,mvzip(F_2,F_3)) | mvexpand source1 | rex field=source1 "(?<F_1>\d+),(?<F_2>\d+),(?<F_3>\d+)" | join ITEM [search index=index sourcetype=csv source=src2 host=host2| stats list(c_1) as C_1 list(c_2) as C_2 list(c_3) as C_3 BY SKU | eval source2=mvzip(C_1 ,mvzip(C_2,C_3)) | mvexpand source2| rex field=source2 "(?<C_1 >\d+),(?<C_2 >\d+),(?<C_3>\d+)" |rename SKU as ITEM] | eval DIFF1=F1-C_1 | eval DIFF2=F_2-C_2 | sort limit=0 ITEM |table ITEM, F_1, F_2, F_3, C_1, C_2, C_3, DIFF1, DIFF2 Can someone please check my query as I think there may be a mistake in there somewhere when attempting to create new records for instances where there are multiple values in a single field. Thanks! ... View more