Thank you 🙏

Hi Amritesh, Can you send me the search query and some example data through email. It will be easier for me to assist. My id techiesid1985@gmail.com

index= sourcetype= OR sourcetype= | table

@@splunk_ml I have one more question in the splunk alerts can we convert the gmt timestamp to cst timestamp?

It will be same, you just need to apply those commands on the other set of fields.

Hi Rahul, Can you provide the sample query you are using. An example will be helpful for me. Sid

Splunk & Machine Learning hi sid, I have a query which returns 4 events, and each event has a time stamp, out of those I want to return time stamps of 2 events, and I my main query I want to find an event between those 2 time stamps...how can I do that? Are u able to get this ?

I think using subsearch its possible, it will be something like below, index= earliest=[your second search returning earliest timestamp] latest=[your second search returning latest timestamp] you can refer the subsearch video I created before, kzbin.info/www/bejne/iprafKNjiZpprrM

Can you tell me the desired output? I didn't understood how you want to separate

@@splunk_ml Hi Bro my desire is to get the xyz@gmail.com,abc@yahoo.com seprated based on the domain

Hi Kushagra, I used "streamstats count as counter" to generate row numbers 1,2,3,4...so that I can apply some logic rowwise while creating the test data. Regarding your second question, mvcombine you can think of as row wise operator where it's grouping (creating mv field) rows where every field value is same except one. mvappend you can think of as column wise operator where it can concatenate multiple fileds as well as strings.

That depends on scenario... Here I needed some test data that's why I used that command. Makeresults is a event generating command. Regarding your second question...mvcombine creates a multivalue filed from set of events where all the field values are same except the field you mentioned in mvcombine command...mvzip command just creats mv field by stitching several mv fields together, it’s basically column wise operations where mvcombine we can think of row wise operation.

In fact they are totally different functions, mvappend : This function is generally used to create a mv field from two or more strings or mv field. For example, mvfield1 = val1 val2 val3 mvappend(str1,str2,mvfield1) = str1 str2 val1 val2 val3 mvzip : This function takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. The third argument, Z, is optional and is used to specify a delimiting character to join the two values. The default delimiter is a comma. For example, mvfield1 = val1 val2 val3 mvfield2 = val4 val5 val6 mvzip(mvfield1, mvfield2) = val1,val4 val2,val5 val3,val6

@@splunk_ml Thanks so much for the detailed explanation Sid. I tried with example and clear now. Thanks again!

I dont think we can add screenshot directly in youtube comment. you can email me at techiesid1985@gmail.com.

thanks for sharing the email id. Let me share the screen short directly to this mail id.

let me understand your question. So you have a mv filed with values A,B,C,D and you want to produce another mv field with values AA,BB,CC,DD?

In simple term dedup work at event level to remove duplicate events...where mvdedup only work on miltivalue field to remove duplicates.

@@splunk_ml thanks for clarifying the doubt.