Sadly enough this is not the case, when I use another name for the root event (in this case I tried this with the name "Whatever", which should be one of the last ones if done alphabetically) the same thing occurs. The worst part is this even happens in the SAMPLE data models which are there by default. Adding a second root event and accelerating makes the second root event the accelerated one, breaks the first root event while any other root events (e.g. the third, fourth and so on) still work but won't benefit data model acceleration except for ad-hoc acceleration. ... View more

Good to hear this helped 😉 ... View more

Well by setting the search to rt, rt and the alert mode to "once per result" you will be alerted for every event after one event is found. (ie. the second, the third, the fourth and so on). It really depends on what you're trying to achieve. ... View more

This depends on the window in which the real-time search is run. For example lets assume a window of 30 min and the throttling you have configured (10 min). Now lets say the search has two results (seen at time 0), Splunk sends an email and keeps quiet for 10 min. Now after 10 min the throttling is turned off and still these two events are seen since the window rolls over 30 min, this time at time 10. Thus another email is send and so on. Solutions to this can be to decrease or increase the real-time window (once again I don't know your setting since it is not shown in the screenshot), to adjust the condition (ie. number of events greater than 10 instead of 1) or to adjust the throttling time to match the real-time window. ... View more

One thing you're missing. Your regex is exactly "source:: ...." Drop the first part, source:: and it will work. ... View more

Ah I think I see the issue, did you use the xmlkv command at the base of the search and the subsearch? It should be something like: sourcetype="test4" | xmlkv | eval currenthour=strftime(now()-3600, "%H") ... [search sourcetype=test4 | xmlkv | eval currenthour=strftime(now()-3600, "%H") ... ]| eval PERC=(((LATEST-AVERAGE)/AVERAGE)*100) | table PERC Shortened the query because of the character limitation. Replace ... with the rest of the query ... View more

Be aware: Reviving an old thread and just skimming the comments Also, some assumptions are made and keep in mind that the search is NOT OPTIMIZED AT ALL: Your field userCount is already extracted (with xmlkv for example). In this example all the test data is in the sourcetype "test4". Assumption that alerting is wanted based on the increased amount of users. Assumption that the total amount of userCounts in the whole hour are to be calculated. Search is scheduled hourly and goes over the data from an hour before. So the monster of a search that makes this happen: sourcetype="test4" | eval currenthour=strftime(now()-3600, "%H") | eval match=if(date_wday=lower(strftime(now(), "%A")), "T","F") | eval match2=if(date_hour=currenthour,"T","F") | where match="T" and match2="T" | stats sum(userCount) by date_wday,date_hour,date_mday | stats avg(sum(userCount)) as AVERAGE | appendcols [search sourcetype=test4 | eval currenthour=strftime(now()-3600, "%H") | eval match=if(date_wday=lower(strftime(now(), "%A")), "T","F") | eval match2=if(date_hour=currenthour,"T","F") | where match="T" and match2="T" | stats latest(userCount) as LATEST]| eval PERC=(((LATEST-AVERAGE)/AVERAGE)*100) | table PERC The basic thought of this search is to run this every hour and calculates the percentage of growth based on the average of the month. It's really hard (if even possible) to exclude the last event's field value from the average. So what is done is we take the average of the whole month and compare this with the value of the last value. So the first three eval's are to fill some fields, like the current hour (offset by 1 hour since we go through the data from the previous hour) and two checks to filter out all the data that is not needed. The unnecessary data is filtered out with a where match="T" AND match2="T". Unnecessary data is data which is not in the same hour and week day span. Then we sum all the userCounts based on the weekday, the hour and the day of the month so we get four buckets containing the summed amount of userCounts for that specific hour on this specific weekday. Now we can do an average over these four summed values and append the summed value of the latest day. This we do with a sub search which again filters out the unnecessary data and get the latest value of sum(userCount) by weekday, the hour and the day of the month. At this stage we are left with two values, an average of all 4 weekdays of the month and the current value of that weekday. With this we can calculate a percentage of growth for this hour, at this weekday compared with the average of this hour of this weekday of the whole month. Now you could do some summarization or alerting based on this percentage growth, but be aware that this search uses the current hour and weekday! Try and dissect the search and understand it on your own and see if this works for your dataset: I tested this on a months worth of self created data which only had a timestamp and a value for userCount (e.g. 17 Aug 2012 08:57:46 userCount=20) Good luck! ... View more