Grazie,  Giuseppe ... View more

How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days? ... View more

Hi Rich, How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days? ... View more

Thanks, Tejas and Rich...   Very much appreciated. ... View more

Hi  I'm using the Splunk App for Lookup File Editing. ... View more

Hi  I'm using the Splunk App for Lookup File Editing. ... View more

Thank You, bowesmana..... ... View more

Hi Giuseppe, I have fixed my issue by using the | return command as per below. index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog [| inputlookup NonStop_Production_Health_Status.csv | tail 1 | eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S"), latest=now() | fields earliest latest | return earliest=$earliest ] ... View more

Hi Giuseppe, I've used that exact syntax and got the below error. index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog [| inputlookup NonStop_Production_Health_Status.csv | tail 1 | eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S"), latest=now() | fields earliest latest ] Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side. The search job has failed due to an error. You may be able view the job in the  ... View more

Hi Giuseppe, My apologies for my delayed response. The results of the sub search is the value of "earliest", however, I am wanting to use this value as the search time window for a report. earliest=Status_Check_Timestamp  latest=(now)       ... View more

Hi  Giuseppe, Thanks for  your suggestion. I no longer get the invalid value error, however the "earliest" time modifier does not use the value of Status_Check_Timestamp from my lookup.csv????   It uses the value from preset (ie... last 15 min) Sample value of Status_Check_Timestamp - 09/28/2022 18:56:00 ... View more

Hi Giuseppe, Thanks for responding.  Unfortunately, I can not answer all those questions. I work for a large bank in Australia and am deemed a user of Splunk with no access to  our Splunk environment. I suppose, I was hoping for a magic formula to make sure my report runs on time.   ... View more

Thanks again. I'll have a play with this, but think it does not quite meet my needs. I need to return 10 fields with a count of how many matches have occurred, which I will have my report output to my alert_status_lookup.csv       f_ignore  f_chkr  f_disk  f_power  f_not_run  f_severiry  f_proc  f_test  f_inc  f_link  f_clim 0               0              2             3                 0                   1                   0             0            0          0            0 I then will have my dashboard reference the alert_status_lookup.csv. ... View more

Hi, Can you show me how you would create rex commands to create fields from the below search, seems tricky for an old Cobol programmer like myself. So I need 10 fields, one for each search item I am looking for. index=a0_test_index sourcetype=dr:syslog | search "IGNORE THIS" OR ("*$CHKR*" "*disk*") OR "*Power_Issue*" OR ("*$CHKR*" "*NOT RUNNING*") OR "*Severity: Major*" OR "*Processor Down*" OR "*TEST DRDOWN" OR "Incident Report Delivery Failure" OR "*link pulse is down*"                   OR "*CLIM Link Pulse Down*" Regards, David ... View more

Hi, I appreciate your feedback. The data is free text, so I will try to work out the regex command to isolate the values I'm searching for into field names and then try your suggested stats command. Regards, David ... View more

Hi, I have no issue creating my lookup.csv and I have no issue outputting to my lookup.csv and I do not have any issue retrieving into my dashboard from the lookup.csv. What I can't work out is how to have my search within my scheduled report access the index 1 time (ie... a basesearch) and retrieve multiple count values which I then populate my lookup.csv with. Scheduled report sample...  System_Error_Cnt1 and System_Error_Cnt2 do not show a count but System_error_Cnt3 does. index=a0_designeng_generic_app_audit_npd sourcetype=cba:designeng:nonstop:syslog | search "IGNORE THIS" OR ("*$CHKR*" "*disk*") | stats count as System_Error_Cnt1 | search "*Power_Issue*" OR ("*$CHKR*" "*NOT RUNNING*") | stats count as System_Error_Cnt2 | search "*Severity: Major*" OR "*Processor Down*" OR "*TEST DRDOWN" OR "Incident Report Delivery Failure" | stats count as System_Error_Cnt3 | table System_Error_Cnt1 System_Error_Cnt2 System_Error_Cnt3 System_Error_Cnt1 System_Error_Cnt2 System_Error_Cnt3     0   Regards, David ... View more

Hi Ismo, I have used a basesearch before in a dashboard. What I'm trying to achieve is a scheduled report outputting multiple count values to a lookup.csv.  I would then use the values of the lookup.csv to utilise in a traffic light type dashboard as well as a secondary dashboard drilled down  from the traffic light dashboard. 1. Report runs every 5 to 10 minutes loading a lookup.csv 2. Traffic Light Dashboard utilizes the lookup.csv to decide Green(ok) Red (Bad) 3. Secondary Dashboard drilled down from Traffic Light Dashboard will show multiple panels using the lookup.csv to highlight the area of concern in one of the panels.   4. Drilldown from secondary Dashboard Panel of concern to look at events of concern. the lookup.csv will have Error/Issue counts columns (ie..Ingestion count, system error count, backup error count etc... So I basically want to load this lookup.csv from the scheduled report but only having to hit the index once. Regards, David  ... View more