I'm just trying to get a good answer for you here, but ÇI don't know if I'm right. Can you try this and tell if it works? I want to advise you that maybe I didn't get the consult yet, but I'm trying. sourcetype=a event!=by | join type=left eventId [search sourcetype=a event=b] just notice that in the sql code you wrote event=by in () and in the splunk search event=b in [], so I just change the splunk part code for this part and wrote event!=by If I missing something just answer again and I will keep trying 😉 ... View more

| rex field=operation mode=sed "s/([0-9a-z]+\-)+[0-9a-z]+/id/" Works fine:) thank you! ... View more

To Set action.email to 1... send the param "actions" as "email"... This works for email.. try the same for "alert" Refer the below rest url of your environment for the internal parameter names used... While creating alerts pragmatically we have to use these parameters...(Applicable for all entities in splunk... :)) https://localhost:8089/servicesNS/UserName/AppName/saved/searches ... View more

gkanapathy, I would agree with your response, but it would not work in my circumstance (at least with my current knowledge). below is the query that I was trying to do as a Subsearch but was unable to get it to work properly because of what myself and MuS explained above and below. sourcetype=checks check_number=XXX | eval earliest=strftime(_time-2, "%m/%d/%Y:%H:%M:%S") | eval latest=strftime(_time+2, "%m/%d/%Y:%H:%M:%S") | fields + earliest, latest, sourcetype | format "" "(" "" ")" "OR" "" ... View more

Thanks) partial is enough. ... View more

try this Some search terms | eventstats min(_time) as MinTime by Field_1, Field_2| mvcombine IP_Addr If you intention is to combine multivalue field among a group of identical events, see this also Some search terms | stats min(_time) as "Min Time", values(Ip_addr) as "IP Addresses" by Field_1, Field_2 ... View more

I have a similar issue. What if my data is something like below: index=a left join filter (index=a join Q (index=xyz|table Q) table filter ) table * ... View more

It appears you also have to catch a value of "now" explicitly, i.e. ... | where mydate < case(isnum("$timepicker.latest$"), $timepicker.latest$, $timepicker.latest$="now", now(), 1=1, relative_time(now(), "$timepicker.latest$")) ... View more

That depends on the problem. As stated in your question, the solution might be "don't use axisX.minorUnit"... however, there probably is a more abstract problem to be solved that I don't know about. ... View more

The X-axis labels seem fine to me. ... View more

thanks MuS... but we have VMware app... 😞 ... View more

You can always use | inputcsv append=t file.csv in your SPL. cheers, MuS ... View more

Nothing that I am aware of in simple xml. ... View more

What option are you talking about precisely? The X-Axis seems fine to me using the approach described here. ... View more

Hi 0range, Yes, this is possible if you do create your own custom alert script like written in the docs. Update: another useful link on this topic is in the wiki. cheers, MuS ... View more

This is not configured on the Universal Forwarders, but on the indexer. See the MAX_EVENTS directive in props.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf ...so, to clarify, what you'd do is put something like this in: [yoursourcetype] MAX_EVENTS = 1000 ... View more

mysticism... thanks, I'll try ... View more

Alright, I don’t know if there are any xml option (simple or advance) to do it but you can bucket your data in the time interval that you want and use it in the xseries of your chart in spite of using the default timechart capabilities. I mean, | bucket span=6m _time | eval mytime = strftime(_time, "%H:%M:%S") | stats xxx by mytime This should force the chart to mark your frequency. ... View more

It's in the docs, but a little buried (charting options are a hard thing to document well): http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_properties ... View more

Hi 0range I use a summary saved search like this: index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity In the advanced XML dashboard I use a single value graph with rangemap like this: <module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="True"> <param name="search"> index=summary search_name="YourSavedSearch" | table trigger_time ss_name severity | stats count | rangemap field=count low=0-0 elevated=1-1 default=severe</param> <module name="SingleValue" > <param name="beforeLabel">Overall Status: </param> <param name="afterLabel"> Alerts have been fired</param> <param name="linkFields">result</param> <param name="linkView">flashtimeline</param> <param name="linkSearch"> index=summary search_name="YourSavedSearch" | table trigger_time ss_name severity </param> </module> </module> hope this helps ... cheers, MuS ... View more