Yes, if you have multiple messages “could not get id” per task number you should use the “by tasknumber” clause. and yes most of the times stats is the answer, not transaction. There are several presentations from .conf regarding using stats instead of transaction. ... View more

Please provide us more details regarding you problem. Are you using or created any add-on for that specific data source? What do you mean "not parsing correctly"? can you provide examples of the "junk"? What input mechanism are you using? (File monitor, udp/tcp inputs, etc) ... View more

Have you tried something like this? <your base search> | stats last(state) AS state last(_time) AS _time by host service | eval time_diff = now() - _time | where (state="Stopped" AND time_diff > 259200)     ... View more

Is there a reason why you're using transaction? why not just look for the "could not get id" and simply do a stats count over the last 5 min?   index=index_name host=server_name sourcetype=moveit:fti* "could not get id" | stats count   If you can, post some more details regarding your raw data. ... View more

First combine both queries: (index=a0_payservutil_generic_app_audit_prd sourcetype="npp:pom:stdout" eventCode="fundsReservationManualInterventionNeeded") OR (index=prod_payments OR index=a0_payservutil_generic_app_audit_prd sourcetype="npp:cbis:techevent" $selected_ID$) Then you need to combine the 2 fields from both searches into one. Then use the coalesce function to fill an ENTITY field with the values of first valid following the order inside function. This should be placed after any eval or regex used to extract these fields. | eval ENTITY = coaalesce(EntityID, instructionReceiptIdentification)   ... View more

Hi, When you say payloads, do you mean data you have indexed? From what you describe, that looks like a simple dashboard with 1 input and 2 panels: - table to list the transId's - table to list the merchant based on the transId selected on the 1st  panel Composing the dashboard structure is quite simple within splunk. https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchTutorial/Createnewdashboard Regarding the contextual drill down (listing data on 2nd panel based on the data selected in the 1st) check the following: https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/DrilldownIntro If you are having trouble building a simple dashboard and you haven't completed it yet, I would recommend you do the free Splunk fundamentals 1 as it covers, among with other Splunk content, building dashboards like this. https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ... View more

Use eval epoch = strptime(your_time_field, “%Y-%m-%d ... remaining time format ”) | delta epoch complete the time format with your time stamp  the eval converts the time stamp into epoch with is in seconds and the delta calculates the diff between each epoch  if you want after that you can make more readable using | eval duration = tostring(delta, “duration”) ... View more

Hi Rohan, You can try this: ... your search | rex field="Title" "\:\s+(?<Name>[^\d]+)" Assumptions: - Names will always come between : and a digit.  ... View more

You can accomplish that by using cascading dropdown boxes. There are examples on how to accomplish this available in the Splunk dashboard examples app available in splunkbase here: https://splunkbase.splunk.com/app/1603/ Also there are multiple answered questions regarding this topic you can have a look: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-dependent-dropdowns-on-a-dashboard/td-p/391089 ... View more

Hi, The "Data in SH:" doesn't show much. It's linking to you Splunk local instance. Can you correct that and share an example of what you're seeing? ... View more

Hi! If you want to solve your performance problems you should start by adopting the hardware requirements for Splunk. There are pages dedicated to that in docs. For Azure deployments, there is this tech brief that sheds some light on some good practices and even advice on which is the appropriate set of instances you should use depending on the size of your deployment.  Regarding CIM datamodels, you should enable acceleration only on the datamodels you are actually using and restrict the indexes each datamodel accelerates data from. The CIM app has a macro for each datamodel where you can place the specific indexes to look for tagged data. This will reduce the amount of data the acceleration searches will have to look into, lowering the run time and the chance you'll endup with skipped searches. Regarding the "hour behind", i would make sure all your systems have configured and using the same NTP and the time zone they are set into. I've ran into customers not having NTP configured at all making it impossible to properly correlate data or having diferent time zones setup. ... View more