If you have the episodeID, you can link directly to it: https://YOURSPLUNKSERVER:8000/en-US/app/itsi/itsi_event_management?earliest=-7d%40h&latest=now&form.earliest_time=-7d%40h&form.latest_time=now&episodeid=YOUREPISODEID Please be aware of the time span, if episode is older than 7d it won't be found because in THIS link -7d is set.

You could do something like this: | makeresults format=json data="[{ \"iphone\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"80\", \"review\" : \"OK\" }, \"laptop\": { \"price\" : \"90\", \"review\" : \"OK\" } },{ \"tv\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"60\", \"review\" : \"OK\" } }]" | fields _raw _time | eval p_name=json_array_to_mv(json_keys(_raw)) | streamstats count as row | eval flag = pow(2, row - 1) | mvexpand p_name | eval {p_name}=flag | fields - flag row p_name | stats sum(*) as * Fields with 1 are only in the first event, fields with 2 are only in the second event (missing from the first event), and fields with 3 are in both events. This also works for more events as the sums are essentially binary flags for which events the fields come from, e.g. for 3 events, 7 would be all event, 5 would be first and third. etc.

Hi @gcusello Thank you for your reply, I changed the hostname in server.conf, but in forwarder inputs.conf not there in the mentioned path, I have outputs.conf!!!! It also doesn't work when I just change the server.conf file. 

Hi @SplunkDash , please use this: https://splunkbase.splunk.com/app/742 remember to copy the inputs.conf file in a local folder (to create) and to enable (disabled = 0) the inputs you need because, by default, all the inputs are disabled. Ciao. Giuseppe

Hi @chakavak, you could manually rename hostaname in $SPLUNK_HOME\etc\system\local\server.conf and $SPLUNK_HOME\etc\system\local\inputs.conf of your forwarder to have thes values in your logs. Otherwise, you could rename it with a calculated field at search time. Ciao. Giuseppe

Hi @athul_r_m, your request is just a little too vague! could you better describe your data? e.g. fields to display, API execution time fieldname, etc... Anyway, to sort in descrnding order you have to see the options of the sort command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/SortCommandOverview index=your_index | sort -API_execution_time | table API_execution_time field1 field2 field3 Ciao. Giuseppe  

Hi , Sorry , I missed to mention if they are of same event or different. The answer is they are from different events. The standalone query with makeresults is working as expected. I used the main part of your query with mvmap and tweaked it as below : index=product_db time="1706589466.725491" | eval data1=if(match(time,"1706589466.725491"),_raw,0)| eval p_name_1=json_array_to_mv(json_keys(data1))|table p_name_1 |appendcols [ search index=product_db time="1705566003.777518" |eval data2=if(match(time,"1705566003.777518"),_raw,0) | eval p_name_2=json_array_to_mv(json_keys(data2)) ] | eval p_unique = mvmap(p_name_1, if(isnull(mvfind(p_name_2, "^".p_name_1."$")), p_name_1, null())) | eval p_missing = mvmap(p_name_2, if(isnull(mvfind(p_name_1, "^".p_name_2."$")), p_name_2, null())) | table p_unique p_missing   Please let me know if you have any better suggestion to write this query.   Thanks

I would suggest not using mvexpand, as in your example search - in your example you will triple the raw events. Can you provide a sample of the inputs you want to be able to select DS makes a multiselect token= a,b,c so you can use this logic in your search that wants to use the token index=your_index [ | makeresults | fields - _time | eval <your_field_name>=split("$token$", ",") | mvexpand <your_field_name> ] How were you using prefix/suffix/delim in your old dashboard?