To add to @yuanliu comment - the starting point to diagnose why something is NOT giving you what you expect is to isolate the simple example of a source from each where you do not get the results expected. If you are unable to understand why it's not connecting the events as you suggest, post a sanitised example here, so we can help with different sets of eyes. stats is certainly the way to go. Does this example model what your data looks like | makeresults count=3 | eval field_A=split("ABC",""), field_D="text" | mvexpand field_A | eval field_E=mvindex(split("DOWN,UP",","),random() % 2) | append [ | makeresults count=5 | eval field_B=split("ABC",""), field_C="F_C".(random() % 10) | mvexpand field_B ] | eval field_AB=coalesce(field_A, field_B) | fields field_D field_E field_AB field_C | stats values(*) as * by field_AB

Hello, Thank you for your help.   1)  I ran your first suggestion on my search, I got different numbers than yours. Any idea why?   | timechart span=1w@w first(MathGrade) by Student useother=f limit=0     _time Student1 Student2 2/4/2024 10 9 2/11/2024 7 7 2/18/2024 10 9 2/25/2024 6 5   2)  I ran your second suggestion on my search, I also got different numbers than yours.  Any idea why?     | eval _time = relative_time(_time, "-5d@d") | timechart span=1w@w first(MathGrade) by Student useother=f limit=0 | eval _time = relative_time(_time, "+5d@d")     _time Student1 Student2 2/2/2024 10 9 2/9/2024 9 5 2/16/2024 8 7 2/23/2024 6 8 3/1/2024 10 9 3) If I removed timechart command and only have the data and table, the data is only from  2024-02-08 to 2024-03-1, so there should be no data for 2024-02-04 and 2024-02-02.  Where did Splunk give data for 2024-02-04 and 2024-02-02 that should be NULL? ---Student Data--- | table _time, Student, MathGrade  First suggestion - snap to beginning of the week _time Student1 - Math Grade Student1 - expected Math Grade Student2 -  Math Grade Student2 - expected Math Grade 2024-02-04 10 NULL 9 NULL 2024-02-11 6 7 8 7 2024-02-18 10 10 9 9 2024-02-25 7 6 6 5 Second suggestion - begin on 02/09/2024 _time Student1 - Math Grade Student1 - expected Math Grade Student2 -  Math Grade Student2 - expected Math Grade 2024-02-02 10 NULL 9 NULL 2024-02-09 8 9 6 5 2024-02-16 9 8 8 7 2024-02-23 5 6 9 8 Student 1 - Math Grade Student 2 - Math Grade        

Is there anything wrong with the method you already use?  Or is there a specific effect this is not giving you? If you think it through, trellis has only one single variable for breakdown and display.  All you can do is to change this value.  You search already does that.  If it ain't broken and disclaimers

Sorry been busy with other work Maybe I  am doing this wrong The only way I could figure out how  give a bit more information in  a graph was  to  join the code  and phrase and then use that in the Split By in the Trellis | rex field=Error_Text".*:\s(?P<Code>\d{3})" | lookup error_codes Code OUTPUT Phrase | eval CodePhrase = Code+" -- "+Phrase When I use the Drill down it using joined  "codephrase"  field. So I am wondering if there is another way to add the text  to  the graphs

Let me try to answer two separate questions.  I think the question about "modified time" is in regard to file system record.  Is this correct?  Yes, file system modified time is updated. Splunk 9 added a Update: If you install Chris Younger's Config Explorer, you will find sourcetype config_explorer in _internal that includes the information you want.  For example, you can do   index = _internal sourcetype="config_explorer" item="./etc/*/lookups/*" | stats max(_time) as _time by item   I don't think such information is retained before 9 without an app.

Old post but I just noticed the addon builder doesn't support config or account changes in a search head cluster environment too. Did you ever find a solution? I'm sure I've hand crafted addons that were capable of having config changes replicated across the cluster.

I have a suspicion that you misspelled either account_id or aws_account_id in the macro because the way you presented, the resultant subsearch is NOT ().  Are you sure you copied the above search verbatim into index search and you get the correct result that is NOT the same as using the macro? Further, which fieldname exists in actual data? aws_account_id or account_id?  For example, if account_id exists AND if you intend to match account_id in index data with "Account ID" in the lookup, your macro should be something like search [inputlookup Account_Owners.csv |rename "Account ID" as account_id |search Environment IN (PROD, UAT, ) |table account_id] Hope this helps.

If all you need to get alert going is to remove decrypted field, it could be an undocumented security feature in alert actions.  But it could also be a DECRYPT2 feature.  Ask app developers or consult its documentation.

You cannot.  Splunk does not interact with external Web site directly. You can create a custom command to do so.  See Create a custom search command for Splunk Cloud Platform or Splunk Enterprise.  Hope this helps.