Looking at the "provenance" field in the search i found that only fields containing the value "UI:Search" were related to actual search queries. The rest like dashboard searches that fire off automatically appear under other field values.   Hope that helps ... View more

May I know the reason for using cs_User_Agent_ ..I mean aunderscore after Agent ? Thanks! ... View more

That make the things very difficult. The coalesce command is just creating a common field in each event so that the stats would work (a way of combining values, the field message will either have value from field message from sourcetype=sitecore* OR SiteCore_ErrorShort, based on from where the event is coming from). There may have been an option to use the wildcard for matching (using subsearch as filter), but your actual data doesn't have wildcards in them, do they? It would be impossible for Splunk to assume the portion of string to match (in other words, where to put the wildcard). In my example search, if you have a way to make both the field same (by adding wildcard or truncating them), then you would be able to match. Or at least have one of them wildcarded. ... View more

You do it with a script. Have it tail off the last event and then run a remote search with ssh -c to a Search Head to see if splunk has that event. ... View more