The Aruba Networks App for Splunk | Splunkbase seems to be outdated. If you want to cherry pick some of the dashboard searches you could install the App on a standalone instance, review the dashboards and copy the searches to reuse it in your own app.  Please specify  your second questions to get help.  

Hi @bowesmana , The allowCustomValues attribute indeed works well, but my requirement is slightly different. I have a text input box inside an HTML tag that receives cron input from the user, and this input is then processed with a JavaScript file. Here, I'm attempting to implement a dropdown where the user can either select from predefined cron expressions or enter their own. Here's the content of my HTML tag: <html> <div> <input type="text" id="cron_input" placeholder="Enter cron expression (optional)" name="cron_command" /> </div> <div> <p/> <button id="save_cron_input" class="btn-primary">Save</button> </div> </html> Is it possible to include a dropdown with allowCustomValue inside the HTML tag (as depicted in the image below)? I aim to provide some default cron expressions to the user. The main goal of this configuration is to gather input (cron expressions) from the user. Additionally, I've included some basic cron expressions in the dropdown so the user can either select from them or enter their own. Thank you for your assistance!

Hi @KellyP , in the search you shared you forgot the join command, but anyway avoid to use join, and possible forget this command because it's very slow and resource consuming: Splunk isn't a relational DB. t's a search engine. So you can correlate events in a different way usng stats: (index=netproxymobility sourcetype="zscalernss-web") OR index=netlte | stats values(transactionsize) AS transactionsize values(responsesize) AS responsesize values(requestsize) AS requestsize values(urlcategory) AS urlcategory values(serverip)serverip values(ClientIP) ASClientIP values(hostname) AS hostname values(appname) AS appname values(appclass) AS appclass values(urlclass) AS urlclass values(IMEI) AS IMEI BY ClientIP if you want onlythe events in both the indexes, you can add an additional clause: (index=netproxymobility sourcetype="zscalernss-web") OR index=netlte | stats values(transactionsize) AS transactionsize values(responsesize) AS responsesize values(requestsize) AS requestsize values(urlcategory) AS urlcategory values(serverip)serverip values(ClientIP) ASClientIP values(hostname) AS hostname values(appname) AS appname values(appclass) AS appclass values(urlclass) AS urlclass values(IMEI) AS IMEI dc(index) AS index_count BY ClientIP | where index_count=2 | fields - index_count Ciao. Giuseppe

Hi @KendallW , check if the issue is related to the header or to thwe regex: use a sourcetype instead of host in the stanza header. Sometimes I found an issue using host or source instead sourcetype. Ciao. Giuseppe

There is a recent question about doing this in dashboard.  Using a time selector token would be the cleanest. If you are not doing it in dashboard, but this is a singular use case, I can think of an ugly map, like this   | makeresults | addinfo | eval start_24h_earlier = relative_time(info_min_time, "-24h") | map start_24h_earlier search="search index=netlte earliest=$start_24h_earlier | dedup ClientIP | fields ClientIP IMEI" | join ClientIP [index=netproxymobility sourcetype="zscalernss-web" | fields transactionsize responsesize requestsize urlcategory serverip ClientIP hostname appname appclass urlclass]   Here is a proof of concept:   | makeresults | addinfo | eval int_start = relative_time(info_min_time, "-24h"), int_end = relative_time(info_max_time, "-4h") | map info_min_time info_max_time search="search index=_audit earliest=$int_start$ latest=$int_end$ | stats min(_time) as in_begin max(_time) as in_end by action" | join action [search index = _audit | stats min(_time) as out_begin max(_time) as out_end by action] | fieldformat in_begin = strftime(in_begin, "%F %T") | fieldformat in_end = strftime(in_end, "%F %T") | fieldformat out_begin = strftime(out_begin, "%F %T") | fieldformat out_end = strftime(out_end, "%F %T")   My output looks like action in_begin in_end out_begin out_end expired_session_token 2024-03-24 23:23:20 2024-03-25 12:25:33 2024-03-25 22:33:51 2024-03-25 23:19:51 login attempt 2024-03-24 22:23:12 2024-03-25 04:25:11 2024-03-25 21:33:26 2024-03-25 21:33:26 quota 2024-03-24 22:23:16 2024-03-25 04:25:17 2024-03-25 21:41:52 2024-03-25 23:21:45 read_session_token 2024-03-24 19:21:02 2024-03-25 19:18:58 2024-03-25 20:17:30 2024-03-25 23:21:49 search 2024-03-24 19:37:09 2024-03-25 11:29:40 2024-03-25 21:15:35 2024-03-25 23:21:05 update 2024-03-24 19:51:57 2024-03-25 09:15:17 2024-03-25 21:13:23 2024-03-25 23:09:53 validate_token 2024-03-24 19:21:02 2024-03-25 19:18:58 2024-03-25 20:17:30 2024-03-25 23:21:49

Thanks a lot yuanli,    That worked , you are a genuis. I thought I could never structure it in splunk.  I did speak to the dev team , apparently the json is structured in that way to feed a particular dashboard system that they use. So it has to be in that structure for that system to consume. However they have agreed to update the structure in the next release which could be a few months away (6 months atleast) . So in the mean time I could work with this bad json until then.    Thanks  a lot again. I had searched in splunk for something like this before and havent seen anything. 

Hi @sks if you want just the percentage of misses and the percentage of hits, you can do this with eval: | eval Bperc=('B'/(B+C))*100 | eval Cperc=('C'/(B+C))*100 If you want to show this in a chart (e.g. pie chart) you don't need to calculate the percentage as Splunk will do this for you, but you will need to get the values of B and C in the same column using transpose. Example:  

Hi Giuseppe, I want to view the results in the below format. I also want the diff time in human readable format like 10sec, 15 mins etc. Appid Responsetime(Diff) In my usecase- I have more that 5000 messages, each successful message has 16 steptypes, so I have put the query in this way.- index="abc" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd*" | rex field=_raw "\"Application-ID\"\:\s\"(?<appid>.*?)\"" | rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\"" | rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\"" | rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" |stats latest(eval(if(steptype="EndNBflow",max(infotime),0))) AS endNBflow latest(eval(if(steptype="Deserialized payload",infotime,0))) AS endPayLoad dc(steptype) as unique_steptypes by appid|where unique_steptypes >= 16 |eval diff=endNBflow-endPayLoad   My earlier code included-  | rex field=_raw "INFO  ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" | stats max(infotime) as maxinfotime, min(infotime) as mininfotime,count(eval(match(_raw, "error"))) as error_count, dc(steptype) as unique_steptypes by appid | where error_count = 0 | eval maxtime=strptime(maxinfotime,"%Y-%m-%d %H:%M:%S,%3N") | eval mintime=strptime(mininfotime,"%Y-%m-%d %H:%M:%S,%3N") |  eval TimeDiff=maxtime-mintime | eval TimeDiff_formated = strftime(TimeDiff,"%H:%M:%S,%3N")| where unique_steptypes >= 16|sort steptype | table appid, mininfotime, maxinfotime, mintime, maxtime, TimeDiff_formated, unique_steptypes, flowname I am unable to club these two and get the expected output.