Hi @Bisho-Fouad .. on the DMC / license master.. you can find out the license usage of a specific host.  pls suggest us exactly which step/status you are in..    As you are asking GUI.. the SPL gives more control actually. 

Hi @dongwonn  Maybe more details pls..  1) on Monitoring Console, do you see any errors / warnings 2) on the indexer clustering, do you see the buckets imbalance? 3) may we know how you say -- only 1 indexer out of 10 is overused.  4) any recent changes to the indexer cluster, .. any upgrades/migrations, any new apps deployed.. etc.. 

I can help - I asked a question about whether you had already added the dropdown field. Have you done so? What have you tried before - it's pretty straightforward to add a dropdown input and add values to the dashboard - you don't need to write XML The XML reference manual is here https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML This is a really good app you can install to a Splunk environment that shows many techniques to create powerful dashboards https://splunkbase.splunk.com/app/1603  

Judging from the SPL, where you have two searches for FRUSTRATED, it seems like you have data where multiple userExperienceScores can exist for the same event, hence all the mvexpanding out. As @PickleRick points out, it's quite tricky to deal with multivalue fields, particularly when you have 6 MV fields that you are zipping up into 2 pairs (x and y). I assume you are using 2 pairs as there is not a 1:1 correlation between the MV's in each of the pairs. What I would suggest is to find a reasonably complex SINGLE (or two) event where you can exhibit the problem. This will make it much easier to diagnose the issue. Then we can help explain what is going on. If you are able to share an example of the raw data (sanitised and preferably NOT a screen image - so we can produce a working example of a solution) that would be good.  

We don't know your raw data but the main question is why do you go to all this trouble of mvzipping and joining all those values into a multivalued field when next you want to do is mvexpand. Why not just filter on raw data in the initial search?

Hi @Bisho-Fouad  Here's an example search to solve your question...   host=<your host> ``` and whatever else you need to filter your data ```` | eval bytes = length(_raw) ``` generally 1 character = 1 byte ``` | stats sum(bytes) AS bytes BY source ``` this gives the size of each log, assuming the source is the name of the log file ``` | eval kilobytes = bytes/1024) | evenstats sum(kilobytes) AS total_kb   Hope that helps  

Thanks @yuanliu, I explained why I couldn't use path directly, because it contains actual parameters.  For example, for the route /orders/{orderID}, the path could be: /orders/123456 /orders/213123 /orders/435534 I want to analyze, for example, count of failed requests, or percentiles of call duration on this particular API route /orders/{orderID}.   Of course I can modify my service code to print the route pattern in log, but that is another way, i need to deploy new code to production environment. 

Hi @PickleRick  Not sure If I explained my requirements in a right way. I would like to expand the multiple values present in the each row to separate rows which is having only the "Frustated" related details like the below expected output   Expected output URL Duration  Type Status www.cde.com 88647 Load Frustated www.fge.com 6265 Load Frustated www.abc.com 500 Load Frustated

What do you mean by "console width limit"? If an event is split into two separate ones it's either because it's split before it reaches Splunk or it hits the LINE_BREAKER for give sourcetype. If the event was too long it'd simply get truncated, not split. And no, you can't join two separate events in Splunk - each event is processed as separate entity (in fact with distributed environment each of those events could end up on a different indexer).