Hello I have a serach that gives me back two types of events. event A with field r_code and some other fields while event B with a field s_code. I want to list only Events A that can be matched by field r_code with Events B s_code field (meaning that if there is no event B that has s_code matching some Event A r_code then Event A should not be listed. | from datamodel ABC.Perf |where isnotnull(s_code) OR isnotnull(r_code) |where ??? ... View more

Hello i have a search query with timechart function but i don't want to display last bucket because it shows not complete data. I use 5m span and i would like to display ONLY the time frames that have completely passed. Is there an easy way to achieve this? ... View more

Hello, I am new to Splunk and i have a little problem with making an alert So i want to trigger an alert when I don't find any rows before 10:00AM that day The search looks like this index = auth "File has been processed" | eval mytime=strftime(_time, "%Y-%m-%d") And it woud be simple if it could trigger every day. Unfortunately i need to check if the day the alert should trigger is in another log (trigger if the date is same) To get that date i use that query (INDATE is yyyy-mm-dd) index=auth Add.N.Days |rex "<retdate>(?<INDATE>.*)</retdate>" So basically i need to check if first search finds anything until 10:00 AM and if not, then trigger an alert but only if the INDATE is the same as the "mytime" from first query. Any suggestions? ... View more

Hello, I am trying to join two searches so i could get number of declined transactions in time. First i look for inbound messages to get an IDs (it's in txRef tag) of special kinds transactions and then I am looking for outbound messages of all declined transaction to join them together based on the IDs The search I am using looks like this but it is not working correctly. index=Auth AuthorizeTransaction Inbound Message "<alias" NOT "<ticket" | regex "<txRef>(?<TXREF>\d+)<" | eval txRefs = TXREF | join type=inner txRefs [search index=Auth Outbound Message "declined" | regex "<txRef>(?<TXREF>\d+)</txRef>" | eval txRefs=TXREF] | timechart span=1h count as "Declined transactions" EDIT I have found what i was doing wrong. Apprently i was using Regex instead of Rex so i did not really extract the fields 🙂 ... View more