If you want to do this at search time, create a composite field and expand that, e.g. | eval composite_field=mvzip('users{}.userhost', 'users{}.username', "###") | fields - users{}* | mvexpand composite_field | rex field=composite_field "(?<userhost>.*)###(?<username>.*)" | fields - composite_field it will only zip correctly if there are exactly equal elements in each of the MV fields.   ... View more

If you want the Total to represent the Total of the individual MINUTE in the period, then it will always be different to the max of all the minutes in the period for each LPAR. e.g.  Time,TRX,TRX2,STM,Total 00:01,4,5,6,15 00.02,1,1,16,18 When this is summed over the hour it will be 00.00,4,5,16,18 and of course 18 is less than the sum of 4+5+16 - so you can't have it both ways - in your original post, you wanted the total to reflect the sum of LPAR for the biggest MINUTE, so it can't also represent the sum of the biggest DAY unless you do another addtotals to a new field which is the total for the day. ... View more

OK, so it's getting created in the stats command. So don't use that technique. Do something like | stats dc(hostname) as server_count | eval n=if($env|s$="*", "ALL", $env|s$) | eval server_{n}_count=server_count | fields - server_count but do you really need the $env$ in the field name? Is this dashboard studio - you can probably assign an additional token $env_name$ based on the selected NAME of the environment rather than the token value. I'm not familiar enough with DS to say how to do this, but you can then use $env$ as the search constraint and $env_name$ as the server name. ... View more

You can't rename it like that - how does that field exist? Is it actually in the data or is it created somehow. Can you post the dropdown where that field is created?   ... View more

It is technically correct in what it's telling you in that the max value over the 1 hour for each of the MIPS* values is different, in that it's adding the biggest TRX in the hour + the biggest TRX2 in the hour which MAY add values from two different miniutes, whereas the first is the biggest TRX in the minute + the biggest TRX2 in the SAME minute. If you want to add up the max values per minute then you can just stack two timechart commands, the first with span=1m to get the max per minute, then do a second timechart  | timechart span=1h max(*) as * which will then give you the max values in the 1h span. ... View more

Here's an example which sets up two weeks of simulated data and then does the calcs you want | makeresults count=14 | streamstats c | eval _time=now() - ((c - 1) * 86400) | fields - c | eval ApplName=split("ABCDEFGHIJKLMNO","") | mvexpand ApplName | eval ApplName="Application ".ApplName | eval count=random() % 20 | table _time ApplName count ``` The above sets up 2 weeks of data for 15 applications ``` ``` Now sort in ascending time and calculate the rolling 7 day average at the end (most recent) it will show the average over the previous 7 days - based on the PRIOR 7 day. (current=f) ``` | sort _time | streamstats window=7 current=f global=f avg(count) as Avg by ApplName ``` Then this just calculates the variance ``` | eval Variance=count-Avg ``` And finally put in order and retain only today's numbers ``` | sort ApplName - _time | where _time >= relative_time(now(), "@d") This should give you some pointers, but if you want to share what you've tried so far, we can help you get there. ... View more

To go slightly tangential to your post, you refer to base searches. Note that a base search that does NOT do aggregation is a bad use of a base search, so if you are just doing index=xxx | fields * in your base search and not doing a transforming command, that is not a good example to be showing in an example dashboard. It will often perform worse than one using a transforming command, but also has significant limitations in that it can only hold a limited set of results. See this https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/Savedsearches#Post-process_searches_2     ... View more

You can download archived apps from the old splunkbase site https://classic.splunkbase.splunk.com/app/1603/   ... View more

There are generally 2 ways to do this, one can be done in search alone and the other can be done in dashboard. I tend to use the dashboard approach when in a dashboard, which is to use addinfo and to calculate the ranges needed for the outer search. The technique is to use a hidden search, either in a table where you have <row depends="$hidden$"> as the row header, or as a base search in the core body of the XML. (NB: In this example I have not hidden the search so you can see what's generated) However, see this example, which calculates 10 periods going back over the last 10 days with the correct matching time period. <form version="1.1" theme="light"> <label>Times</label> <fieldset submitButton="false"> <input type="time" token="thetime" searchWhenChanged="true"> <label>Time</label> <default> <earliest>-5m@m</earliest> <latest>@m</latest> </default> </input> </fieldset> <row> <panel> <table> <search> <done> <set token="pd_min_current">$result.pd_min_current$</set> <set token="pd_max_current">$result.pd_max_current$</set> <set token="pd_min_1">$result.pd_min_1$</set> <set token="pd_max_1">$result.pd_max_1$</set> <set token="pd_min_2">$result.pd_min_2$</set> <set token="pd_max_2">$result.pd_max_2$</set> <set token="pd_min_3">$result.pd_min_3$</set> <set token="pd_max_3">$result.pd_max_3$</set> <set token="pd_min_4">$result.pd_min_4$</set> <set token="pd_max_4">$result.pd_max_4$</set> <set token="pd_min_5">$result.pd_min_5$</set> <set token="pd_max_5">$result.pd_max_5$</set> <set token="pd_min_6">$result.pd_min_6$</set> <set token="pd_max_6">$result.pd_max_6$</set> <set token="pd_min_7">$result.pd_min_7$</set> <set token="pd_max_7">$result.pd_max_7$</set> <set token="pd_min_8">$result.pd_min_8$</set> <set token="pd_max_8">$result.pd_max_8$</set> <set token="pd_min_9">$result.pd_min_9$</set> <set token="pd_max_9">$result.pd_max_9$</set> <set token="pd_min_10">$result.pd_min_10$</set> <set token="pd_max_10">$result.pd_max_10$</set> </done> <query>| makeresults | addinfo | eval pd_min_current=info_min_time, pd_max_current=info_max_time | foreach 1 2 3 4 5 6 7 8 9 10 [ eval pd_min_&lt;&lt;FIELD&gt;&gt;=relative_time(info_min_time, "-"."&lt;&lt;FIELD&gt;&gt;"."d"), pd_max_&lt;&lt;FIELD&gt;&gt;=relative_time(info_max_time, "-"."&lt;&lt;FIELD&gt;&gt;"."d") ] | fields - info_*</query> <earliest>$thetime.earliest$</earliest> <latest>$thetime.latest$</latest> </search> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <table> <search> <query>index=_audit (earliest &gt;= $pd_min_current$ AND latest &lt; $pd_max_current$) OR (earliest &gt;= $pd_min_1$ AND latest &lt; $pd_max_1$) OR (earliest &gt;= $pd_min_2$ AND latest &lt; $pd_max_2$) OR (earliest &gt;= $pd_min_3$ AND latest &lt; $pd_max_3$) OR (earliest &gt;= $pd_min_4$ AND latest &lt; $pd_max_4$) OR (earliest &gt;= $pd_min_5$ AND latest &lt; $pd_max_5$) OR (earliest &gt;= $pd_min_6$ AND latest &lt; $pd_max_6$) OR (earliest &gt;= $pd_min_7$ AND latest &lt; $pd_max_7$) OR (earliest &gt;= $pd_min_8$ AND latest &lt; $pd_max_8$) OR (earliest &gt;= $pd_min_9$ AND latest &lt; $pd_max_9$) OR (earliest &gt;= $pd_min_10$ AND latest &lt; $pd_max_10$) | bin _time span=5m aligntime=@m | chart count by _time user</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> See how the <done> part of the hidden search will then set the tokens needed by your actual search. The other technique is to do the same as the hidden search, but in a subsearch so the subsearch will return earliest and latest for each of the periods you want to restrict to) Hope this helps   ... View more

Are you saying you've installed Splunk Enterprise AND Universal Forwarder on the same host?  If you run netstat -an | grep 8000 is there a process in LISTEN state on that port? Are you running https or http?   ... View more

Where is that installed? By the sounds of it, you've probably put it in the cloud if you are creating rules. Do you know if Splunk is running? If it's installed in some cloud instance have you tried SSH to the host to see if Splunk is running. Can you ping or traceroute to the host - that won't necessarily mean anything if you can't if there are firewall rules in place. Anyway, if you could originally login to Splunk and now you can't then it seems likely that a) Splunk is not running or b) Someone (if not you) has put some kind of firewall restrictions in place between you and it   ... View more

So, you do  | stats count by user group "connection method" if those are the names of your fields.  ... View more

@isoutamo actually no, in stats for that type of field name it requires double quotes. It's eval that requires single quotes on RHS of expression. ... View more

What does that mean and what have you tried that you need help with and what is not doing what you expect? ... View more

There are 3 apps I have used for network graphs - all good https://splunkbase.splunk.com/app/3767 https://splunkbase.splunk.com/app/4611 https://splunkbase.splunk.com/app/4438 The first two are good network graphs, one does 3D, and the last allows custom icons. I use all 3 for slightly different purposes. All for classic dashboards ... View more

Interesting - I see now - yes, you can see that at the start there are event listeners for the button but once the first call to set(name, value) in SetToken is called, it will remove the event listener, when this trigger() function is called as the value changes. Don't know why, but it doesn't get reset, so there is no longer an event listener   ... View more

As @dural_yyz says, the regex is easy - you can use this with the rex command https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/rex   ... View more

Seems like your problem is that the ID in your XML is wrong - you have duplicated  <p id="personal_valueA_token_id">$personal_valueA_token$</p> <p id="personal_valueB_token_id">$personal_valueB_token$</p> Your original duplicates the personal_valueA_token_id <p id="personal_valueA_token_id">$personal_valueA_token$</p> <p id="personal_valueA_token_id">$personal_valueB_token$</p> ... View more

In Developer tools you posted example gives this   ... View more

Other than debugging the JS, I can only question if you need to do this in JS - Splunk inputs do this out of the box. Are you using JS for a specific reason that the out of the box stuff does not handle? ... View more

You are trying to get some kind of unstructured learning going on - the cluster command will give you what it thinks are common repetitions of events, how you then take its output to manage your requirement is really beyond the scope of this type of forum. If you give the search you specified and then cluster it accordingly you will be getting some results - I assume you are not getting nothing. So, given that output it's really impossible for us to say how you can massage what you are getting to save that into some kind of lookup for the following day. But if you search at midnight for your error/warn/timeout events, cluster the responses, massage that data and store it as a lookup file, then the searches you subsequently run you will also have to cluster those results, massage that data then perform a lookup against the previously generated lookup. Without knowing why the results are not what you require - perhaps you could give an example of what is given and why it does not match your requirements - it's hard to say where to go from here. Anyway, if you can make some concrete progress with the suggestions so far given, I am sure we can continue to help you get to where you are trying to get to.   ... View more