https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395799#M114923 <P>Just to mention it, there's no need to <CODE>| dedup Country</CODE>, cause after a <CODE>stats by Country</CODE> there won't be any duplicates for that field ever. To setup an alert, add a filter for your relevant countries (like <CODE>| where Country="yourcountry"</CODE>), and then just have the alert fire when there is more than 0 results. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 10 May 2018 23:05:11 GMT xpac 2018-05-10T23:05:11Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395792#M114916 <P>I want to setup a search that determines which countries have connected to my network over the past "x" hours, and then I want to highlight the table line if a specified country shows up. Here is the search I have so far:</P> <PRE><CODE>sourcetype=cisco:asa dest_ip="X.X.0.0/16" NOT "Failover primary closed" | iplocation src_ip | stats count by Country | sort - count | dedup Country | highlight "CountryName" </CODE></PRE> <P>I get the table, but the highlighting never happens even if I pick a country that shows up in the table. Last, I would like for this search to trigger an alert and email the alert if the specified country is in the table.</P> <P>Thanks!<BR /> Jon</P> Thu, 10 May 2018 15:46:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395792#M114916 jon_d_irish_ctr 2018-05-10T15:46:34Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395793#M114917 <P>@jon.d.irish.ctr, <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Highlight">highlight</A> would work only with Raw Events List not with transforming commands. You probably need a JavaScript Extension based solution to highlight specific text in your Table. Refer to one of following answers where TextBox filter is applied and highlighted.</P> <P><A href="https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html">https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html</A></P> Thu, 10 May 2018 17:04:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395793#M114917 niketn 2018-05-10T17:04:12Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395794#M114918 <P>Despite being in the documentation (which I've never noticed before) it does not appear to work at all. I just tried a very simple case that matches the sample search and... nothing. Sounds like you should report this as a bug.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Highlight%5Blink">http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Highlight[link</A> text]<A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Highlight">1</A></P> Thu, 10 May 2018 17:19:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395794#M114918 wrangler2x 2018-05-10T17:19:45Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395795#M114919 <P>Thanks for the suggestion, I will give this a shot.</P> Thu, 10 May 2018 17:23:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395795#M114919 jon_d_irish_ctr 2018-05-10T17:23:49Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395796#M114920 <P>@wrangler2x highlight works with Raw Events when you display the same as list. It will not work with Transforming command like stats, table etc.</P> Thu, 10 May 2018 17:36:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395796#M114920 niketn 2018-05-10T17:36:22Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395797#M114921 <P>Here is another thought. What is I wrote out the results of the iplookup command to a lookup file via the outputlookup command. Next, if I do a search against that lookup file with the lookup command, would I then be able to use the highlight command?</P> Thu, 10 May 2018 18:06:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395797#M114921 jon_d_irish_ctr 2018-05-10T18:06:22Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395798#M114922 <P>Oh, I see. Yes, when I click the Events tab I do see the highlighting.</P> Thu, 10 May 2018 18:16:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395798#M114922 wrangler2x 2018-05-10T18:16:12Z https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395799#M114923 <P>Just to mention it, there's no need to <CODE>| dedup Country</CODE>, cause after a <CODE>stats by Country</CODE> there won't be any duplicates for that field ever. To setup an alert, add a filter for your relevant countries (like <CODE>| where Country="yourcountry"</CODE>), and then just have the alert fire when there is more than 0 results. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 10 May 2018 23:05:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-highlight-values-from-the-iplocation-command/m-p/395799#M114923 xpac 2018-05-10T23:05:11Z