(1)  index=blah  Product IN (Cuteftp,Filezilla) (2)  | rex field=Image "(?<values_Image>[^\\\\]+$)" (3)  | lookup test.csv Image as values_Image OUTPUT Image (4)  | eval match=if(values_Image == Image, "yes", "no") | table _time Product Company Description ImageLoaded Image values_Image match (1) I am searching index=blah  where "Product" = Cuteftp or Filezilla (2) From my results I am removing everything before the last backslash, and the new field  is going to be  called "values_Image"  (3) I am checking the "Image" column  in the lookup file (test.csv) to see if it matches "values_Image" from my Splunk results (4) If there is a match, then I see "yes" in the match column in Splunk. If there is no match I see a "no" The problem I have: When match =yes the Image field in Splunk  is populated with the value from the Image field in the lookup file (test.csv) . This is good When match=no  the  Image field in Splunk is not populated with the value from the the Image field in the lookup file (test.csv) . This is my problem ... View more

Hello, There is a tube Splunk video on finding new service interactive logins here: https://www.youtube.com/watch?v=bgIG2um_Hd0 The following line I just need a better understanding. | eval isOutlier=if (earliest >= relative_time(now),  "-1d@d"), 1, 0) I understand this much. It is an outlier (1) if : The earliest time of the first event is greater or equal to the time you ran the search    "-1d@d"  -->I am not understanding this part? Is it going back 1 day to find other matches that are also >= relative time (now)?    You would only get an Outlier if the times are the same . If you go back "1d@d"    the earliest time of an event 1 day ago will never be equal to the the time you ran the event which is the relative _time(now).  How are the matches made when your going back 1d@d? I know I am thinking about this the wrong way. any assistance in understanding the logic would be greatly appreciated.         ... View more

This is what I have so far for my search: index=logs sourcetype=Jobs earliest=-31d latest=-1d | where strftime(_time,"%H")>"20" AND strftime(_time,"%H")<"6" For example I am only getting results starting at: 2015-03-28 21:00:10 . . 2015-03-28 23:59:58 2015-03-29 21:00:20 <--I am expecting the time to start from 00:00 and get events thru 06:00 2015-03-29 21:01:12 My goal to get events for the past 30 days between the times of 9pm and 6am the next day. Thanks ... View more

Hello, I setup a cron schedule to run on Tue, Wed, Thur, Fri at 8am. For example , on Tue I want to receive results showing me events from 9PM on Mon to 6AM on Tue. I am having a issue where on Wed I am still getting the same results that i received on Tue, whereas instead I should be receiving results from 9pm on Tue to 6am on Wed. muchtthanks ... View more