I have 7 search heads in one cluster->(Splunk-Enterprise ) and 5 search heads in another cluster(ITSI) i want to know how much memory is consumed by each cluster for a searching for every hour. ... View more

The query i gave above bring the result which is check for last 30 days of data ... View more

The same query that you gave above | index=sample check=ERROR | stats first(_time) as _time by SampleCode, Message | rex mode=sed field=Message "s/failed: //g s/Order.ScenarioId/Order-ScenarioId/ s/([0-9])[\.|\_]([0-9])/\1\2/ s/[0-9]+// s/(PREOK)?(ID)?([A-Z]+_[A-Z]+_?[A-Z]+)?(\b([A-Z]{1,}\b))?/\1\2\3/g s/ / /" | rex field=ComplianceAcknowledgementMessage "^(?<ResponseMsg>[ a-zA-Z \-,]+)" | bin span=mon _time | stats count by _time ResponseMsg | sort ResponseMsg _time | autoregress count as previousCount p=1 | autoregress ResponseMsg as previousMsg p=1 | eval sign=if(ResponseMsg=previousMsg,count-previousCount,null) | eval sign = sign/abs(sign) | fillnull value=0 | eval sign=if(sign < 0, "RED", if(sign > 0, "GREEN", "YELLOW")) | eval count=mvappend(count,sign) | fields - sign previousCount previousMsg | xyseries ResponseMsg _time count | transpose 0 header_field=ResponseMsg | eval column=strftime(column,"%Y-%m") | transpose 0 header_field=column column_name=ResponseMsg ... View more

Tried with the query you gave but its not working as expected, When i check for last 30 days of data we are seeing most empty for Feb month and colors need to be applied based on previous months data. But we are seeing the yellow colors Bg-color on March month.     This the Feb and March data ... View more

| index=sample check=ERROR | stats first(_time) as _time by SampleCode, Message | rex mode=sed field=Message "s/failed: //g s/Order.ScenarioId/Order-ScenarioId/ s/([0-9])[\.|\_]([0-9])/\1\2/ s/[0-9]+// s/(PREOK)?(ID)?([A-Z]+_[A-Z]+_?[A-Z]+)?(\b([A-Z]{1,}\b))?/\1\2\3/g s/ / /" | rex field=ComplianceAcknowledgementMessage "^(?<ResponseMsg>[ a-zA-Z \-,]+)" | bin span=mon _time | stats count by _time ResponseMsg | sort ResponseMsg _time | autoregress count as previousCount p=1 | autoregress ResponseMsg as previousMsg p=1 | eval sign=if(ResponseMsg=previousMsg,count-previousCount,null) | eval sign = sign/abs(sign) | fillnull value=0 | eval sign=if(sign < 0, "RED", if(sign > 0, "GREEN", "YELLOW")) | eval count=mvappend(count,sign) | fields - sign previousCount previousMsg | eval _time = strftime(_time,"%b %y") | xyseries ResponseMsg _time count   you can see this the output i am getting and the its not coming in correct order Jan21 and Feb 21 should be coming at last ... View more

Yes i have tried it but i am not getting the expected thing i am getting most of the columns as empty ... View more

 This the query i am trying to use | index=sample check=ERROR | stats first(_time) as _time by SampleCode, Message | rex mode=sed field=Message "s/failed: //g s/Order.ScenarioId/Order-ScenarioId/ s/([0-9])[\.|\_]([0-9])/\1\2/ s/[0-9]+// s/(PREOK)?(ID)?([A-Z]+_[A-Z]+_?[A-Z]+)?(\b([A-Z]{1,}\b))?/\1\2\3/g s/ / /" | rex field=Message "^(?<ResponseMsg>[ a-zA-Z \-,]+)" | timechart span=mon limit=0 count by ResponseMsg | fields - _span, _spandays | eval _time = strftime(_time,"%b %y") | transpose 0 header_field=_time, column_name=ResponseMsg ... View more

Its working fine with the'| makeresults' but the column with months are dynamic based on the time range we select . Is it possible to apply the same  ... View more

Thanks Renjith_Nair, But i am getting the results like below, Rows Mar20 Apr20 Apr20-Mar20 Mar20-Rows Feb20-col1 Row1 0 8 3 decreased Increased Row2 9 9 7 decreased Nothing Changed Row3 8 1 7 Increased decreased   ... View more

Thank you so much renjith_nair. But i am  looking result like below I am looking the results like    Feb20 Mar20 Apr20 Apr20-Mar20 Mar20-Feb20 Feb20-Jan20 Row1 0 8 3 decreased Increased Nothing Changed Row2 9 9 7 decreased Nothing Changed Nothing Changed Row3 8 1 7 Increased decreased decreased ... View more