Hi, I successfully created an SPL that does what I need for a single host but I cannot get it to work for all hosts.  This works   index=<my_index> host=<specific_host> sourcetype=<my_sourcetype> instance=_Total counter="% Processor Time" | sort host, -_time | dedup 2 host | lookup <my_lookup> resource_name as host output businessprocess_name | search businessprocess_name = "<my_business_process_name>" | eval Value = round(Value,2) | delta Value AS ValueDelta | eval lowerThreshold = -25 | eval upperThreshold = 25 | eval CreateEvent = if((ValueDelta > upperThreshold OR ValueDelta < lowerThreshold),"Yes","No") | search CreateEvent = "Yes" | eval metric_type = "CPU Usage Anomaly" | eval description = if(ValueDelta < 0,"CPU Usage is now: " + Value + "%. A decrease of " + ValueDelta,"CPU Usage is now: " + Value + "%. An increase of " + ValueDelta) | table _time, host, businessprocess_name, metric_type, description   The output of that SPL is (changed the lower and upper threshold to trigger a result) _time host businessprocess_name metric_type description 2021-05-05 12:35:57 <specific_host> <my_business_process_name> CPU Usage Anomaly CPU Usage is now: 57.52951309736281%. A decrease of -3.69007662538445 I know the sort on host does not make sense in this SPL but it nicely takes the last values, compares it and based on the difference the result is what it needs to be.  When I remove the host=<specific_host> and run it on all the hosts in the system the output is wrong.  It seems that it is comparing value of row 1 (server A) with the value of row 2 (server A), then value of row 2 (again server A) with the value on row 3 (server B), etc etc. I guess that makes sense but not what I am looking for.  What would be needed to run the calculation of the delta for only the two records that belong to the same host? What I am aiming to do is to create an event when the difference in the CPU usage between the last two values is more then the configured threshold, whether it drops or increases. Maybe I am going about it the wrong way with the Delta command?  ... View more

Hi,  The following SPL returns records to me as shown below.      index="uf_basickpi" host!=DS-* (sourcetype="CPU" counter="% Processor Time") OR (sourcetype="Memory" counter="Available MBytes") OR (sourcetype="DiskStuff" counter="% Free Space" instance=C:) | stats latest(Value) as Value by host, counter | eval "CPU Time" = if(counter="% Processor Time",Value,0) | eval "RAM Available" = if(counter="Available MBytes",Value,0) | eval "C Free Space" = if(counter="% Free Space",Value,0) | table host, "CPU Time", "RAM Available", "C Free Space"     Rows 1,2 and 3 are from the same server. Rows 4,5 and 6 from the second server.  What I would like to have is a single row per server with the three values. What would be the best way to do this.  ... View more

Hi, Is it possible to change the 'name' of the value in a pie chart displayed on a geostats map? The below example shows the piechart. The blue 1 indicate that there are 4 devices with that status. One device with status 14 and 1 with status 3. I have been trying the change the numbers into a readable status. 1=UP,3=WARNING,14=Critical but for some reason I don't seem to make it possible. This is the SPL creating the worldmap index="xxx" Splunk_Node=true | stats latest(Latitude) as Latitude, latest(Longitude) as Longitude, latest(Node_Status) as Node_Status by NodeID | geostats count(NodeID) by Node_Status latfield=Latitude longfield=Longitude Been trying the below. Added this line and change the SPL from Node_Status to NodeStatus but then the map stays empty. | eval NodeStatus = if(NodeStatus=1,"UP",if(NodeStatus=2,"DOWN",if(NodeStatus=3,"WARNING",if(NodeStatus=14,"CRITICAL",isnull)))) `comment("Change the status number to something readable")` Someone any thoughts on this? ... View more

Hi, I have created a bar chart that shows in my case example data on the CPU usage of a device with two overlays for inbound and outbound traffic. When a certain combination of values is exceeded I want to place an annotation to highlight this. As shown in this example. What I cannot seem to get rid off are the orange annotations that seem to be placed when the condition is not matched. The search is as follows. In this I am evaluating and updating the label and the category. <search type="annotation"> <query>index="bla" | timechart span=1m avg(inPercentUtil) as inPercentUtil avg(Percent_CPULoad) as Percent_CPULoad | eval critical=if(inPercentUtil>65 AND Percent_CPULoad>90,"Yes","No") | eval annotation_category=case(critical="Yes","Critical") | eval annotation_label=case(critical="Yes","Insert_Message") </query> What should I do to stop the orange markers from showing? I don't even specify a color for the annotations. <option name="charting.annotation.categoryColors">{"Critical":"0xe60000"}</option> ... View more