Hey Owie, This can easily be accomplished using regular expression to extract the fields from your data (using the rex command)! Try adding this to your search: ...Base Search... | rex field=_raw "(?<Field1>[^\,]+)\,(?<Field2>[^\,]+)\,(?<Field3>.*)\." This should work based on the example data you provided, however if you run into any trouble or it doesn't work let me know and I can help you write a more precise extraction. Rex command documentation: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex Also, if you're interested in learning regex, I recommend checking out this site: https://regexone.com/ I hope this helps! ... View more

Hey Shouldntdothat, This was a tricky one! To be completely honest I'm not sure how this will work with larger datasets, and I'm basing the whole search on what I think your original dataset might look like. That said, it is possible, and I want to show you one way of how it is possible! Copy and paste this into any Splunk instance and you can dissect it to see how the search is working. I've left comments as kind of "checkpoints" to show you what each portion of the search is doing and how it is changing the data. | gentimes start=7/23/2019 end=1 increment=1d | rename starttime AS _time | table _time | eval values = (random()%19+1).",".(random()%19+1).",".(random()%19+1), Host = "Host1,Host2,Host3" | eval values = split(values,","), Host = split(Host,",") | eval newfield = mvzip(Host, values) | mvexpand newfield | fields _time newfield | rex field=newfield "(?<Host>.*?)\,(?<Value>.*)" | table _time Host Value | eval randomizer = random()%100 | where randomizer > 55 | fields - randomizer `comment("Above is just creating a dataset that mimics what I believe your data may look like")` | timechart sum(Value) AS value_sum by Host | fillnull value=0 `comment("Using timechart instead of chart so that all days are accounted for, including days with no data.")` | sort _time | table _time * | transpose 0 header_field=_time | where column != "_span" AND column != "_spandays" | addtotals `comment("Formatting data in the same chart format that you have in your spreadsheet and getting a total count for all values by host (See the "Total" field). Note: The numbers you see as the field headers are epoch timestamps. They translate to July 23, July 24, etc. We will tranlate these numbers to human readable numbers later in the search.")` | rename * as temp_* `comment("The foreach command won't work if the first character of a field is a digit, renaming all fields with a "temp_" prefix")` | foreach * [| eval <<FIELD>>_unique = if("<<FIELD>>" = "temp_column", temp_column, if("<<FIELD>>" = "temp_Total", temp_Total, if(<<FIELD>> = 0, 0, 1)))] | eval count = 0 `comment("Creating temporary "_unique" fields for all existing fields that are either a "1" or a "0" to determine if there was a hit that day. In this way, we can find unique daily hits, while preserving our original field values.")` | foreach *_unique [| eval count = if(<<FIELD>> = "1", count + 1, count)] | fields - *_unique `comment("Calculating a unique number of hits by row (See the "count" field), and then removing the temporary "_unique" fields.")` | rename temp_* AS * `comment("Removing the "temp_" prefix to return fields to their original names, since we're done using the foreach command")` | transpose 0 header_field=column | eval day = strftime(column, "%d-%b") | eval day = if(isnull(day), column, day) | eval column = if(isnum(column), column, null) | eval column = if(isnull(column), now(), column) | eval column = if(day = "count", "1", if(day = "Total", "2", column)) | sort column | fields - column | table day * | transpose 0 header_field=day | rename column AS Host, count AS DaysWithHits, Total AS TotalLast10 `comment("Converting epoch numbers to human readable time for column headers, and sorting headers so that "Hosts" will always come first, followed by "DaysWithHits","TotalLast10", and then reverse chronological order by date.")` If there are problems, or there is anything you need clarified, let me know! ... View more

Hey Jwalzerpitt! I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data. This should work for the dataset you provided: (?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z))) Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format. Give the extract command a try to see if it works to accomplish your goal like this: ...BASE SEARCH... | extract kvdelim=":" pairdelim="," If you run into any problems let me know and I'm happy to help. ... View more

Hello Brinley, This sounds like a job for the foreach command! Please note that the foreach command works on ALL fields, so there is no need to substitute your "multi_value_field" name in anywhere. Just add the searches directly onto the end of your base search as is. Give this a try for me: ...BASE SEARCH... |foreach * [| rex field=<<FIELD>> max_match=0 "(?<<<FIELD>>>.*?)(?:\\\n|$)"] This assumes all of your field values are broken by a literal "\n" character in all your fields that you want to turn into multi value fields. I've only created a few test fields to try this on, but it has worked on everything I've thrown at it so far. In the case that your fields are broken by actual newlines, this should work instead: ...BASE SEARCH... | foreach * [| rex field=<<FIELD>> max_match=0 "(?<<<FIELD>>>.*?)(?:\n|$)"] And finally, if your intention is just to replace the "\n" characters with pipes, this should work! ...BASE SEARCH... | foreach * [| rex mode=sed field=<<FIELD>> "s/\n/|/g"] The foreach command is actually one of my favorite commands. If you're interested in learning more about it, refer to the documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Foreach If this doesn't work for you, let me know and I'll continue working on a different solution! ... View more

It isn't a perfect answer, but I've found a solution that seems to work for me. I've created a dataset for you that should mimic what you have and added comments in the search so that you can follow along with what's going on. Try seeing how it works, and then try to apply it to your search. Copy and paste this directly into your Splunk: | gentimes start=-10 end=1 increment=5m | rename starttime AS _time | eval date = strftime(_time, "%Y/%m/%d") | eval time = strftime(_time, "%H:%M:%S") | table date time | eval randomizer = random()%2 | eval so = random()%4000 + 4000 | eval "Modify Ops" = random()%2000 + 2000 | eval "Search Ops" = if(so > 5600 AND randomizer = 0, so - (random()%2000 + 3600), if(so > 5600 AND randomizer = 1, so + random()%2000 + 5000, so)) `comment("Adding a comment here to let you know you don't have to worry about anything above this line, I'm just generating a dataset to work with")` | fields date time "Search Ops" "Modify Ops" | rename "Search Ops" AS search_ops, "Modify Ops" AS modify_ops `comment("Working with spaces in field names is a pain. Let's re-name these fields to use underscores instead until we're done working with the data.")` | eval datetime = date." ".time | eval _time = strptime(datetime, "%Y/%m/%d %H:%M:%S") `comment("I'm not sure if you have a _time field, but in the data you provided I'm only seeing "Date" and "Time" fields. In order for the sparkline to work, we'll need a proper _time field. The two pipes above should create that field for us.")` | table _time search_ops modify_ops | bucket _time span=1m `comment("For some reason the only way I can get it to work is to bin the time. Right now I'm putting the time in 1 minute buckets, but you can change this to suit your needs")` | stats sparkline(avg(search_ops),10m) AS "Average Modify Ops Sparkline", avg(search_ops) AS "Average Modify Ops" `comment("specify a time range in the second part of the sparkline command to get an average across that timeframe. (change 10m to 30m/1h/1d)")` I hope this helps! ... View more

Hold on to your hat, this is about to get a bit ridiculous. Long needlessly complicated searches are my specialty! I have an alert I spent a good amount of time setting up to alert me on "atypical" data rates for all of my indexes daily. I've modified it fairly extensively to give you a search I'm really hoping will accomplish what you're trying to do. To start out, let's make sure the data we're working with looks the same. Copy and paste this into any Splunk instance, this is a fake dataset of what I'm assuming your data looks like. If your data is not in the same format, the rest of the search will likely not function correctly: | gentimes start=6/23/2019 end=7/24/2019 increment=1m | rename starttime AS _time | eval id = random()%7 | eval fired_alert_name= if(id = "0", "Unique Alert A", if(id = "1", "Unique Alert B", if(id = "2", "Unique Alert C", if(id = "3", "Unique Alert D", if(id = "4", "Unique Alert E", if(id = "5", "Unique Alert F", "Unique Alert G")))))) | fields _time fired_alert_name | search NOT [|inputlookup nonessential_alerts.csv] Note- This is what I'm using for my non-essential alerts lookup: | makeresults count=2 | streamstats count AS id | eval fired_alert_name= if(id= "1", "Unique Alert C", "Unique Alert E") | fields - _time id | outputlookup nonessential_alerts.csv Basically, this lookup just filters any instances of "Unique Alert C" and "Unique Alert E" from my main search. If this all looks good, we can progress to the real search. ...BASE SEARCH... | rename fired_alert_name AS title `comment("We'll need to rename whatever fields your using for your alert names as "title" so it will function with the rest of the search")` | bin _time span=60m aligntime=@m `comment("Puts our time in 60 minute "buckets" from the time the search is ran")` | rex mode=sed field=title "s/\W/_/g" `comment("We'll be using the foreach command extensively during this search. Since we know this ahead of time, we'll need to prepare the fields so that this is possible. The foreach command is only to work on fields that contain alphanumeric characters, as well as underscores. Each alert will become a new field after we use the chart command in the next pipe. Since some of the alert names may have spaces or special characters, well need to replace those characters with underscores so we can perform aggregate functions on the fields later on.")` | chart count OVER _time by title useother=f limit=0 `comment("Finds the count of alerts fired in each bucket")` | timewrap 1day `comment("We're wrapping time to compare our current bucket count with bucket counts in the same timeframe for each day over the last 30 days")` | fillnull value="0" `comment("Since we may not have any alerts fired for certain times, we want to replace null values with "0" so that we can perform aggregate functions on the data")` | fields - *_30days_before `comment("We remove the last day from our search because it will end up being a partial day, and as a result will be missing data for some of the buckets.This will cause the average to be skewed for buckets in those time ranges, so we'll just remove this day altogether.")` | foreach *_29days_before [| eval <<MATCHSTR>>_avg=<<FIELD>> ] | foreach *_28days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_27days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_26days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_25days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_24day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_23day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_22days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_21days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_20days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_19days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_18day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_17day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_16days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_15days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_14days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_13days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_12day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_11day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_10days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_9days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_8days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_7days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_6day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_5days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_4days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_3days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_2days_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_1day_before [| eval <<MATCHSTR>>_avg=<<MATCHSTR>>_avg+<<FIELD>> ] | foreach *_avg [| eval <<FIELD>>=<<FIELD>>/29] `comment("Calculating the average number of alerts fired for each bucket and alert for the last 30 days")` | foreach *_29days_before [| eval <<MATCHSTR>>_stddev=abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_28days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_27days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_26days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_25days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_24day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_23day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_22days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_21days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_20days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_19days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_18day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_17day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_16days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_15days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_14days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_13days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_12day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_11day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_10days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_9days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_8days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_7days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_6day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_5days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_4days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_3days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_2days_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_1day_before [| eval <<MATCHSTR>>_stddev=<<MATCHSTR>>_stddev+abs(<<MATCHSTR>>_avg-<<FIELD>>) ] | foreach *_stddev [| eval <<FIELD>>=<<FIELD>>/29] `comment("Calculating the average standard deviation for each bucket and each alert over the past 30 days")` | fields *_latest_day *_avg *_stddev | eval hidev=2, minimum=2 `comment("IMPORTANT: Play around with these numbers to set your alerting criteria. These numbers will be used as tokens in the subsequent foreach command. They will also be how we determine whether or not the alert should go off. If you find your alert is going off too frequently, you can raise this number set the bar higher to define what is an "atypical" amount of alerts going off. This works by multiplying the standard deviation by a certain amount. (1 = 100% of the standard deviation, 2 = 200% of the standard deviation, etc) The minimum field will be used to prevent fields with infrequent alerting patterns to cause an alert. For example, if you have an alert that goes off once every few days, the average fire rate for that alert is probably less than 1. This would mean any time we saw that alert fire, it would most likely trigger this alert to go off. To get around that, we set the minimum to "2" so that there must be at least 2 alert firings to happen to trigger this alert.")` | head 1 `comment("We only care about the last hour, so we'll remove all other buckets from our search")` | foreach *_latest_day [| eval <<MATCHSTR>>_upperBound = <<MATCHSTR>>_avg + <<MATCHSTR>>_stddev * hidev `comment("This calculates our alerting threshold but adding the average plus our standard deviation muliplied by our custom multiplier")` | eval <<MATCHSTR>>_concern = if(<<MATCHSTR>>_latest_day > <<MATCHSTR>>_upperBound AND <<MATCHSTR>>_latest_day >= minimum, <<MATCHSTR>>_latest_day, null) `comment("We'll then compare our current alert count to our threshold and our minimum. If it meets both the criteria of being over our threshold AND over our minimum, it will return a value.")` | eval <<MATCHSTR>>_concern = if(isnotnull(<<MATCHSTR>>_concern), "Alert Count: ".<<MATCHSTR>>_latest_day.",Average Alert Count: ".round(<<MATCHSTR>>_avg,1), null)] `comment("This just makes it pretty.")` | streamstats count as temp_id | stats values(*) by temp_id | rename values(*) as * | fields - temp_id `comment("These four pipes go through and look for any null fields and remove them from the search")` | table *_concern | foreach *_concern [| eval <<MATCHSTR>>_concern = split(<<MATCHSTR>>_concern, ",")] `comment("Also to make it look pretty")` | rename *_concern AS * `comment("Renaming alerts to their original names")` | table * `comment("Since we're not sure which fields will be returned, we'll return them all!")` I've added comments along the way to try to help identify what each piece is doing and why each piece is important. You can break it down if you'd like to understand it better. You can also play with the fake data if you just add the main search onto my fake dataset. The most important part that you'll need to change is the hidev and the minimum. Go ahead remove the |head 1 from the search to give you a better idea of what has been considered "atypical" over the last 24 hours. Tweak the hidev to make concern values appear more or less frequently. I'm open to assist with any problems you run into as my schedule allows. Good luck! ... View more

Hello Aking! This sounds like an excellent opportunity to make use of eventstats ! eventstats works very similarly to the stats command, except that it is a dataset processing command instead of a transforming command. Basically what this means is that you won't lose any fields when running the command (dest_ip, src_ip, and count will be preserved) Give this a try for me: index=network_index_name (src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* | stats count by src_ip, dest_ip | eventstats avg(count) as Average_Connections | table src_ip dest_ip count Average_Connections | rename src_ip AS "Source_IP", dest_ip AS "Destination_IP", count AS "Current_Connections" If you would like to know more information about the eventstats command, check the Splunk documenation here: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Eventstats Also, Splunk documentation on command types can be found here: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Commandsbytype Let me know if you have any other questions or the solution doesn't work for you and I'll try to help! ... View more

Hey 3vi, Using the raw data you provided, I've created a search that should give you the correct numbers you're looking for (you can copy and paste this into any Splunk instance): | makeresults count=1 | eval _raw = ".success [{\"importo\":2,\"tipologiaOperazione\":\"AAA\"},{\"importo\":1.82,\"tipologiaOperazione\":\"BBB\"}, {\"importo\":1,\"tipologiaOperazione\":\"AAA\"}]" | rex field=_raw max_match=0 "\"importo\"\:(?<importo>[^\,]+)\,\"tipologiaOperazione\"\:\"(?<tipologiaOperazione>[^\"]+)" | eval zippedfields = mvzip(importo,tipologiaOperazione) | mvexpand zippedfields | rex field=zippedfields "(?<importo>[^\,]+)\,(?P<tipologiaOperazione>.*)" | fields - zippedfields | stats sum(importo) by tipologiaOperazione Since there are multiple importos and tipologiaOperaziones in each log, you'll need to use mvexpand to make sure all the importos are accounted for before summing them together. If you run into any problems, or the solution doesn't work for you, let me know and I'll do my best to further assist! ... View more

Hey Tyler! I've recreated what I believe your dataset may look like (copy and paste into any Splunk instance): | gentimes start=6/18/2019 end=7/18/2019 increment=10m | eval modifier = random()%5 | eval VOLUME = random()%400 + 100 | eval VOLUME = if(modifier = 1 OR modifier = 2, VOLUME * -1, VOLUME) | eval _time = starttime | timechart span=1d sum(VOLUME) AS sumv | predict sumv as prediction algorithm="LLP5" future_timespan=30 holdback=0 period=7 lower95=lower95 upper95=upper95 | streamstats count as test | eval sumv = if(test = 20 OR test = 13, sumv + 20000, if(test = 4 OR test = 25, sumv - 24000 , sumv)) | fields - test | eval isOutlier = if(prediction!="" AND 'sumv' !="" AND ('sumv' < 'lower95(prediction)' OR 'sumv' > 'upper95(prediction)'), 1, 0) | where isOutlier=1 | fields - isOutlier | rename sumv as "Actual Crashes", prediction as "Predicted Crashes" | join [| gentimes start=6/18/2019 end=7/18/2019 increment=1d | eval USERNAME = random()%200 | eval _time = starttime | timechart span=1d values(USERNAME) AS "Users"] If this is correct, I think I understand your problem. Without specifying a field to join on or a join type, the automatically defaults to an inner join and joins on any fields present in both datasets. For some reason, I don't believe the join command is using the "_time" field as default field to look at when joining the two searches. My best guess is that maybe Splunk doesn't automatically look at internal fields when using the join command. In order to get around this, we can explicitly state that we want to join on the _time field like this: index=index sourcetype="sourcetype" APPLICATION="app*" | timechart span=1d sum(VOLUME) | predict "sum(VOLUME)" as prediction algorithm="LLP5" future_timespan="30" holdback="0" period=7 lower"95"=lower"95" upper"95"=upper"95" | eval isOutlier = if(prediction!="" AND 'sum(VOLUME)' !="" AND ('sum(VOLUME)' < 'lower95(prediction)' OR 'sum(VOLUME)' > 'upper95(prediction)'), 1, 0) | where isOutlier=1 | fields - isOutlier | rename sum(VOLUME) as "Actual Crashes", prediction as "Predicted Crashes" | join _time [ search index=index sourcetype="index" APPLICATION="app*" | timechart span=1d dc(USERNAME) as "Users"] Although I would strongly recommend adding a join type= argument to your joins in the future as they can greatly effect your results. If you would like to know more about join types, check out the documentation on the join command here under the type subheading: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Join Let me know if you're still having any problems! ... View more