This worked fine for me to get to seconds, then I just did /60/60 to get to hours which is what I wanted to sum up. ... View more

Thanks for this.  Sometimes we overthink solutions and fail to see the easiest one is right in front of us.  I spent all morning trying timewrap and a variety of datetime math solutions because all I wanted to do was compare the 11am hour of bytes per host every day of the week to troubleshoot a problem.   Much appreciated 🙂 ... View more

@PickleRick  I recreated my lookup definition and it seems to be working now so disregard my earlier message.   Not sure what happened there but at least it seems to be doing what I want now. ... View more

@PickleRick  I've never had a problem with CIDR based searches in the past.  I seem to be stumbling when doing a CIDR search involving TSTATS.  I'm pulling proxy metrics based on src addresses using tstats and then attempting to limit those results to subnets listed in a lookup table and not successful at all.  The example code below works fine when my "serverlist" lookup table has individual IP addreses but returns nothing when I have CIDR addresses despite the fact that I have the lookup definition defined.  Again, i've done CIDR based lookups a ton and never had an issue but haven't done it with TSTATS before.   | tstats sum(proxy_metrics.bytes_in) AS TotalBytesIN sum(proxy_metrics.bytes_out) AS TotalBytesOUT from datamodel=proxy_stats BY proxy_metrics.src | search [| inputlookup serverlist | rename subnet AS proxy_metrics.src | fields proxy_metrics.src] | stats sum(TotalBytesIN) AS TotalBytesIN sum(TotalBytesOUT) AS TotalBytesOUT  BY proxy_metrics.src ... View more

Where did you end up with this? I'm having issues as well but my errors are that my tstats search doesn't seem to like searching for src IPs that are CIDRs.  When I use a lookup table full of regular IP addresses, I get results but when I use a lookup table full of CIDR addresses I don't get any results despite having created the lookup definition and such. ... View more

Did you ever get an answer to this question? ... View more

This helped me combine the values of two multi-valued fields which was helpful.  I'm just trying to figure out how to combine 3 values now.  Basically one mvfield has attributes of things changed in a user account.  The second field has the old value of the attribute that's been changed, while the 3rd field has the new value that the attribute has been changed to.  attributes=group,role oldvalue=user,admin newvalue=superuser,null The 3 fields don't consistently have the same count of attributes so the dynamic method recommended certainly helped.  I'm just struggling to reverse engineer it to handle 3 multivalue fields.  Any suggestions? ... View more

I have a report that runs every day and is doing calculations based on the number of days that have occurred so far.  After pulling my hair out and using a variety of techniques posted in these forums, I ended up with: | eventstats dc(date_mday) AS daysInMonth Unless i'm mistaken, the date_* fields are automatically generated in splunk (at least all the data i've seen has them) and this was the easiest and most reliable method I found. It looks like if I use the same logic to span across months, I would simply do | eventstats dc(date_mday) AS daysInMonth BY date_month Which when my table spans a couple of months, gives me the count of days for the specific month associated with the _time field and other data for that month. ... View more

I have a report that runs every day and is doing calculations based on the number of days that have occurred so far.  After pulling my hair out and using a variety of techniques posted in these forums, I ended up with: | eventstats dc(date_mday) AS daysInMonth Unless i'm mistaken, the date_* fields are automatically generated in splunk (at least all the data i've seen has them) and this was the easiest and most reliable method I found. ... View more

I have tried many of the solutions offered in several posts and ended up with this: | eventstats dc(date_mday) AS daysInMonth Unless i'm mistaken, the date_* fields are automatically generated in splunk (at least all the data i've seen has them) and this was the easiest and most reliable method I found. ... View more

I know this is an old thread but it looks like this doesn't work if your legend placement is "bottom" or "top".  Not a big deal, just a caveat I just noticed. ... View more

FWIW, I had to remove the quotes from the second part, otherwise I was setting the value of the new token to the name of the other token, not the value. <eval token="tok_rig_lower">lower($tok_rig$)</eval> ... View more

Where did you end up with this?  I have a similar need in that I have dashboards that are regionally based around the globe and would prefer that someone viewing the dashboard from outside the location see the data based on that location's timezone.  For example, if an engineer were in Idaho and was working with an engineer in Australia on an Australia issue, they would be seeing charts displaying the same timezone rather than two different timezones. ... View more

Been digging into just about every post you have regarding to highcharts the last few days.  they've all be very helpful, thanks! ... View more

Can you explain real quick what the 1200 in this line is doing: eval timerange=mvrange(start,end,1200) Is that assuming a 12 hour window?    Or is that the number of seconds in 20 minutes?  ... View more

I'm struggling to adapt this solution to my problem but I feel like it's the closest to what I'm looking for. I'm simply trying to get the top 10 src_ips in bytes of web usage, then the top 10 sites each of those src_ips goes to. My current solution is close but I can't seem to get to it just listing the top 10 sites for each IP, it seems to be doing the top sites overall and then spreading them over the src ips. index=proxy bytes>0 | fields src domain bytes |stats sum(bytes) AS totalbytes  by domain,src |sort -totalbytes  | head 50 |stats list(domain) as Domain, list(totalbytes) AS Total BY  src | sort -Total I had to do the "head 50"  because when I did head 10, i was only getting the top 10 domains in terms of bytes transferred and that was usually over just 3 or 4 IPs.  By doing head 50, i was getting more domains to spread over more IPs but still not exactly what I wanted which would be 10 IPs and the top 10 sites for each IP. ... View more

Doesn't look like I can do the same with the "Submit" button.  Or at least there's not something to grab and drag with it. ... View more

I was searching for a solution to the same problem all morning and finally found that I can just specify which fields I want to have in the "Total" column: |stats sum(GB_in) AS "GB IN", sum(GB_out) AS "GB OUT" by category |addtotals "GB IN" "GB OUT" |sort -Total ... View more

For some reason, I get fewer results with tstats recommendation than I get with the first recommendation. I have one index that has 3 sourcetypes and with tstats, it only shows one of them. ... View more

Struggled with this for two days until I found your answer. Thanks! ... View more

Great solution. I was able to get my top 10 bandwidth users by business location and URL after a few modifications. ... View more

This was a good poar. I thought I had to subtract seconds in order to look at previous weeks. But i see now that doing this: | eval futureTime=relative_time(_time, "-7d") | fieldformat futureTime=strftime(futureTime,"%Y-%m-%d %H:%M:%S")| Gets me where I need to be as well AND looks a little cleaner. I found plenty of references to strftime but this is the first i've seen the "relative_time" command as well as the format for 7d, 1mon, etc in a query like that. Thanks again 🙂 ... View more