If field1 exists always but is only sometimes error, then ... Hmm. There's several ways to do this (some outlined by the inestimable somesoni2 already). Let's try this one: sourcetype=abc | eval is_error = if(field1=="error", "error", null()) | streamstats window=50 last(is_error) as trigger_error | transaction maxevents=50 trigger_error That should create one "event" out of the error line, plus the preceeding 50 events. NOTES: Change window=50 and maxevents=50 to 5 each for testing - it might make it easier to see/test. They should match each other, but otherwise the number is up to you. Also, for debugging it might be useful to run that same search only replace the | transaction... line with | table _time, field1, is_error, trigger_error (and maybe include another field or two if it makes sense). If you do that, you'll see better how it works. It works by a) searching all the data - you can't throw out the non-error ones at the front or else how would you include them later? b) creating a new field "is_error" (change that name if it conflicts with an existing field!) that only exists when field1 equals "error". This way if field1 is NOT "error" then there's no new field "is_error" on that event. c) now the magic - streamstats in this case is watching a window or 50 events. For each event, it copies the most recent "is_error" to the all 50 events in its window as the field "trigger_error". This means that when "is_error" doesn't exist, nothing gets copied, but when it does, the preceeding 50 events also get a copy of it. d) last we just group them together to make it easy to alert on it. Line d) may require a little fiddling depending on exactly how you are going to use this. As reference, here's a very similar thing done with 100 items before the "alerting event". It's not quite the same scenario, but it is close enough that it may help to read through that answer too. Happy Splunking! -Rich ... View more

@Gawker, can you try the following Run anywhere Search? The commands from first | makeresults till | table Location Data_Age generate dummy data similar to your question. The query uses two transpose commands to make a row of Table Data as Column Header. In this case Germany . To ensure Germany is always present in the result dummy row with 0 Age has been appended to the results. | makeresults | fields - _time | eval data="Location=Germany,Data_Age=3;Location=Switzerland,Data_Age=2000;Location=USA,Data_Age=1000;Location=USAHQ,Data_Age=200;" | makemv delim=";" data | mvexpand data | rename data as _raw | KV | table Location Data_Age | sort Location | append [| makeresults | fields - _time | eval Location="Germany", Data_Age=0] | dedup Location | transpose header_field=Location column_name=Location | transpose header_field=Germany column_name=Germany | search Germany!="Location" Since the logic behind this approach is to use Table Row data as Table Header, the formatting of the Row will be same as Table Header and the same can not be overridden. If this does not cater to your needs, can you please describe the need for Report and not Dashboard? ... View more

The pathing is mentioned here for cloud: http://docs.splunk.com/Documentation/Splunk/6.5.1612/AdvancedDev/UseCSS Here for others: http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/UseCSS Glad it was resolved for you. I had the same issues until I found two things: table id, which you had, and I missed (found it called out in another answer by @niketnilay) hard refresh the browser due to cache Then it worked. Takes a community. Thank you @Gawker and @niketnilay for your contributions! ... View more

Works great. Thank you for the solution and insight. ... View more

This sounds to me like approaches #2 and #4 are using different time windows (maybe realtime?) than #1 and #3. Just a guess, though. ... View more

Thank you for the excellent insight! I tried the NOT search as you suggested and the count was the exact delta of the linecount and apiKey numbers. ... View more

Thank you for the reply, damiensurat. I've used your valuable input to modify my query and now have an alert in place. ... View more

You can also accomplish the same thing by doing this: sourcetype="IPS" | iplocation prefix=CC1_ src_ip | iplocation prefix=CC2_ dest_ip | table src_ip CC1_Country dest_ip CC2_Country To access other data iplocation and that isn't part of the default values (ex: timezone) , you would add the allfields=true parameter to each iplocation command: sourcetype="IPS" | iplocation prefix=CC1_ allfields=true src_ip | iplocation prefix=CC2_ allfields=true dest_ip | table src_ip CC1_Country CC1_Timezone dest_ip CC2_Country CC2_Timezone http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Iplocation ... View more