Hi, if i run this query in simple search bar it works fine. However, when i create panel and add the below, i'm getting error as waiting for input. Please could you advise? index=hello sourcetype=welcome | stats max(DATETIME) as LatestTime | map search="search index=hello sourcetype=welcome DATETIME=$LatestTime$" | stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count Thanks, selvam. ... View more

Hi, I am trying to get the execution count based on the parentIDs over two different data sets. Please could you review and suggest ?  I would like to see what's execution count  between (sourcetype=cs, sourcetype=ma) , only the field ParentOrderID is common between cs, ma sourcetype. Note: daily close to ~10Million events are loaded  into splunk and unique execution will be 4Million.Also, sometime the join query is getting auto-canceled. SPL: index=india sourcetype=ma NOT (source=*OPT* OR app_instance=MA_DROP_SESSION OR "11555=Y-NOBK" OR fix_applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) stream=Outgoing app_instance=UPSTREAM "clientid=XAC*" | dedup fix_execID,ParentOrderID | stats count | join ParentOrderID [ search index=india sourcetype=cs NOT (source=*OPT* OR "11555=Y-NOBK" OR applicationInstanceID IN(*OPT*,*GWIM*)) msgType=8 (execType=1 OR execType=2 OR execType=F) app_instance=PUBHUB stream=Outgoing "clientid=XAC" "sourceid=AX_DN_XAC" | dedup execID,ParentOrderID | stats count] Thanks, Selvam. ... View more

Hi, I have requirement as below, please could you review and suggest ? Need to pick up all client ids from application log called "Cos" (index=a sourcetype=Cos ) where distinct client ids are in 6Millions. And, I want to compare whether these clients ids are present in  another application log called "Ma" (index=a sourcetype=Ma). And, I also want to compare the same in another application  called "Ph" (index=a sourcetype=Ph) Basically trying to get the count/volume based on the client id, which is common among the 3 application (Cos, Ma,Ph). The total events are in Millions and when i use join, the search job is getting auto-cancelled or getting terminated. (index=a sourcetype=Cos) OR (index=a sourcetype=Ma) OR (index=a sourcetype=Ph) stats count by clientid, sourcetype   Thanks, Selvam. ... View more

Hi, I have the below SPL and I am not able to get the expected results. Please could you help? if i use stats count by - then i'm not getting the expected result as below. SPL: basesearch earliest=@d latest=now | append [ search earliest=-1d@d latest=-1d] | eval Consumer = case(match(File_Name,"^ABC"), "Down", match(File_Name,"^csd"),"UP", match(File_Name,"^CSD"),"UP",1==1,"Others") | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | eval percentage_variance=abs(round(((Yesterday-Today)/Yesterday)*100,2)) | table Name Consumer Today Yesterday percentage_variance Expected Result: Name Consumer Today Yesterday percentage_variance TEN UP 10 10 0.0% ... View more

Hi, I have below spl query and trying to combine them together. please could you suggest? Expected count is 13919 spl 1: index=abc sourcetype=123 source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region") | dedup ExecId | stats count ## Results Count = 4698 spl 2: index=abc sourcetype=123 source=*block* TERM("1=1") OR TERM("2=2") | dedup ExecId | stats count ## Results Count = 9221 ... View more

Hi, My dashboard seems to be taking around 1.3 mints to load the data for multiple panels and sometime it takes around 4 mints to load the data. My client come up with an requirement to get 'auto refresh" feature  enabled for the dashboard with 15 mints intervals. I used base search and the base search intern uses the | tstats. I am not familiar with save search or scheduled serch or loadjob. Please could you advise? how to implement the feature Thanks, Selvam.   ... View more