HI @gcusello  This time its runs without error, but no result found. index="XXXX" "Genesys system is available" | rename "response_details.response_payload.entities{}.onlineStatus" as status | where name="YYYY" | stats count(eval(status="offline")) AS offline_count count(eval(status="online")) AS online_count earliest(eval(if(status="offline",_time,""))) AS offline earliest(eval(if(status="online",_time,""))) AS online | fillnull value=0 offline_count | fillnull value=0 online_count | eval condition=case( offline_count=0 AND online_count>0,"Online", offline_count>0 AND online_count=0,"Offline", offline_count>0 AND online_count>0 AND online>offline, "Offline but newly online", offline_count>0 AND online_count>0 AND online>offline, "Offline", offline_count=0 AND online_count=0, "No data") | search condition="Offline" OR condition="Offline but newly online" | table condition

I think this SPL tacked on to the end of your search will work assuming the versioning follows Semantic Versioning convention. | stats dc(host) as dc_hosts by Version | eval major_version=mvindex(split(Version, "."), 0), minor_version=mvindex(split(Version, "."), 1), patch_version=mvindex(split(Version, "."), 2), minor_patch_version=mvindex(split(Version, "."), 3) | sort 0 -major_version, -minor_version, -patch_version, -minor_patch_version | fields - *_version | eventstats first(Version) as latest_version | where NOT 'Version'=='latest_version'

Upon receiving the SSL certificate, I've implemented a meticulous review of its contents, segregating the relevant stanzas into distinct .pem and .key files. This refined approach ensures clarity and precision in handling SSL certificates. Furthermore, to optimize our distributed environment, I've seamlessly copied these files to both instances – the Search Head and the Heavy Forwarder. This streamlined method aims to enhance the efficiency and consistency of our SSL certificate management across our infrastructure. If you have any questions or suggestions regarding this approach, feel free to share your insights.

Not sure if I am interpreting your question correctly but I gave it a shot. So given that the are many different fieldnames with dot notation. You are trying to get a final table of something like this? I was able to achieve this by utilizing a foreach loop | makeresults | eval "tmp.exe"="value1" | append [ | makeresults | eval "noop.spl"="value2" ] | append [ | makeresults | eval "tmp.spl"="value3" ] | append [ | makeresults | eval "foo.exe"="value4" ] | append [ | makeresults | eval "tmp.tgz"="value5" ] | append [ | makeresults | eval "foo.tgz"="value6", "tmp.exe"="value7" ] ``` Gather unique fieldnames as values of a new field ``` | foreach *.* [ | eval existing_fieldname=if( isnotnull('<<FIELD>>'), mvappend( 'existing_fieldname', "<<FIELD>>" ), 'existing_fieldname' ) ] ``` Parse out prefix and suffix of the new field ``` | eval prefix=case( isnull(existing_fieldname), null(), mvcount(existing_fieldname)==1, mvindex(split(existing_fieldname, "."), 0), mvcount(existing_fieldname)>1, mvmap(existing_fieldname, mvindex(split(existing_fieldname, "."), 0)) ), suffix=case( isnull(existing_fieldname), null(), mvcount(existing_fieldname)==1, mvindex(split(existing_fieldname, "."), 1), mvcount(existing_fieldname)>1, mvmap(existing_fieldname, mvindex(split(existing_fieldname, "."), 1)) ) ``` Use chart function to display unique combos of prefix/suffix from inherited fieldnames ``` | chart limit=50 count as count over prefix by suffix ``` Replace numbers in the table with "X" to signify that the prefix/suffix combo was found in the data ``` | foreach * [ | eval <<FIELD>>=if( NOT "<<FIELD>>"=="prefix", if( '<<FIELD>>'>0, "X", null() ), '<<FIELD>>' ) ]

@shocko  I love the question. The answers are complicated.  I'll respond below for Simple XML Dashboards. For Dashboard Studio, please submit a different and detailed question to the Splunk Community. 1) themes out of the box are light and dark. You can look through the docs on how to create your own, if you wish: https://dev.splunk.com/enterprise/docs/developapps/createapps/buildapps/adduithemes/ 2) If you search your Splunk filesystem for bootstrap-dark.css, you'll find the file that provides dark theme. 2.5) If you don't have access to the filesystem, you can use your browser dev tools to get the URL to bootstrap-dark.css. 2.7) Be warned. It's a BIG file. Formatted pretty, it comes to >7300 lines 3) You're better off to change the font, IMHO, to use CSS overrides. To read more: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/UseCSS https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/PanelreferenceforSimplifiedXML Finally, note in that last example, you can include css style inside an HTML panel within a dashboard. Searching through this larger Splunk Answers Community for "html css style dashboard panel", should yield you plenty of examples. Here's a great one from my friend Niket to get you started with nearly ready copy/paste code: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-style-to-panel-titles-in-my-dashboard/m-p/405736  

If I am understanding your question correctly I usually parse out an array of json objects as a mutlivalued field first and then use an mvexpand against that MV field. After this you can SPATH each json_object individually so its contents will be on its own row.  This will also prevent situation where there are some json objects whose key's may have null values and them not properly aligning in the final output. Here is an example: | makeresults | eval event_id=sha256(tostring(random())), json_object="[{\"field1\": \"value_a\", \"field2\": \"value_b\", \"field3\": \"value_c\"},{\"field1\": \"value_x\", \"field2\": \"value_y\", \"field3\": \"value_z\"},{\"field1\": \"value_q\", \"field2\": \"value_r\", \"field3\": \"value_s\"},{\"field1\": \"value_a\", \"field2\": \"value_r\", \"field3\": \"value_c\", \"field4\": \"value_w\"},{\"field2\": \"value_a\", \"field3\": \"value_b\", \"field4\": \"value_s\"}]" | eval mv_json_object=spath(json_object, "{}") | fields - json_object | mvexpand mv_json_object | spath input=mv_json_object | fields - mv_json_object

If you plan on using a deployment server to update your TA or apps, then that would be the easiest route. It's a lot to cover on the deployment server if you haven't used it before, give the link below a read if you can: https://docs.splunk.com/Documentation/Splunk/9.1.2/Updating/Deploymentserverarchitecture Splunk also covers the deployment server part in this training: Splunk Enterprise System Administration https://www.splunk.com/en_us/pdfs/training/splunk-enterprise-system-administration-course-description.pdf https://www.splunk.com/en_us/training/course-catalog.html?filters=filterGroup2SplunkEnterpriseCertifiedAdmin   The gist of a deployment server is: Your non-distributed Splunk instances check into your deployment server (DS) to retrieve any apps you want to deploy. The TAs/apps are all on your DS (etc/deployment-apps) and you manage what app your Splunk instances get with the DS serverclass.conf.