So the UF is not phoning home successfully and not popping up in the Clients tab on the DeploymentServer? Change your deploymentclient.conf on your UF stanza as below:

```
[target-broker:deploymentServer]
targetUri = https://10.128.0.5:8089
```
I have installed & configured microsoft_o365_email_add_on_for_splunk but am not getting logs in Splunk search. Please help me fix it.
I assumed your fields are already extracted. After some thought, actually the stats doesn't add anything here. It should be enough to just do the xyseries, as long as you have the fields properly extracted.
Hello Team, I am configuring Splunk, but the UF (Universal Forwarder) details are not showing up in the Deployment Server's client list. I have added the following stanza in the UF's `deploymentclient.conf` file:

```
[deployment-client]
clientName = UF
phoneHomeIntervalInSecs = 60

[target-broker:deploy]
targetUri = 10.128.0.5:8089
```

(10.128.0.5 is the IP of the Deployment Server.) And in the Deployment Server's `server.conf`, the following details are present:

```
[general]
serverName = deploy
pass4SymmKey = $7$k63bewtZlaVREpHJcD6fGt6hysZ/GvxJ0Tfq0BW5PhmF/qItBTzTA==

[sslConfig]
sslPassword = $7$boaNPEqR2Gmt9DQPKp9ZJ0iho9HdJFoRuxVZMwBu/q8g/v9ZKzsEvw==
enableSplunkdSSL = false

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

[deploymentServer]
disabled = false
```

And in the `serverclass.conf`, I have added the following details:

```
[global]

[serverClass:uf_class]
whitelist.0 = uf

[serverClass:uf_class:app:forwarder_app]
```

Even after adding these details, the issue persists. Please suggest some solutions.
OK, so if both options are checked then all the panels should be red; they will be green only if the count in the panel is 0, which means if the panel is showing 0. This is the same if only the unsolved option is checked. If solved is checked then all the panels' color should be green. Hope I am clear this time.
I have used uniqueId and message in xyseries, but I am getting that error message for xyseries. I have 2 log events and both will have uniqueId in them; now I want both log events to be in my result table only when they both have the same value for uniqueId. However, the query below brings even the log events which do not have the same uniqueId or a matching message in them.

```
index=finder_db AND (host="host1" OR host="host2") AND (("Wonder Exist here") OR ("Message=Limit the occurrence" AND "FinderField=ZEOUS"))
| table uniqueId, FinderField by uniqueId
| stats values(FinderField) as FinderField, values(FinderField) as FinderField by uniqueId
```

host1 and host2 in this query are my server names where these logs would exist. I am searching for 2 strings in the log events, one is "Wonder Exist here" and the second starts with Message=, and both logs will have uniqueId, which I want to match for both events and bring as 1 single row in the result. Hope I was able to explain, and thanks for the help.
Did not know that you could do this on an "app level", but it might be worth looking into different push modes! Thanx
So what are you looking to change? The application and the way it logs errors?
Please clarify - if you have unsolved checked, it should be red if the count is greater than 0 but if it is 0 then the panel is green? Since you are using checkboxes, what do you want if both boxes are checked?
Hi, we have a Java-based application and it is getting an error every minute (EventLogger).
No, for unsolved it will be red; only if the count is 0 will the panel color be green. And for solved all panels should be green, nothing should be red.
Hello everyone, I'm facing challenges with integrating Splunk and Jira using the Splunk Add-on for Jira Cloud. I've set up a new input using a token from an admin account and created an indexer to centralize the data. However, despite these configurations, I am unable to retrieve the events as expected. I have verified that the token is valid and have ensured the input configurations in Splunk are correct, but nothing seems to work properly. The Jira admin account has the necessary permissions to access the required events, yet no data is being collected in Splunk. I am seeking advice or suggestions on what might be causing this issue. If anyone has encountered similar problems or has ideas on steps to resolve this, I would greatly appreciate your insights. Thank you in advance for your help!
There is insufficient information - what application, what errors, what logger, what customer? Please provide more detail about your use case.
I am getting this error: `Error in 'xyseries' command: At least one data field must be specified.` Should my initial search already provide a table for stats and xyseries? Can I put a condition for the 2 log events that they must match on uniqueId? I do not want to combine 2 log events where the uniqueId in both is not matching.
If I understood correctly, you want red and green if unsolved is checked and green and red if unsolved is not checked?

````xml
<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark">
  <label>SBC Monitoring</label>
  <init>
    <set token="rangeColors">"0x118832","0xd41f1f"</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="srStatus">
      <label>Status</label>
      <choice value="1">solved</choice>
      <choice value="0">unsolved</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>solved=</valuePrefix>
      <delimiter> OR </delimiter>
      <default>0</default>
      <initialValue>1,0</initialValue>
      <change>
        <eval token="rangeColors">if(isnotnull(mvfind($form.srStatus$,"0")),"\"0x118832\",\"0xd41f1f\"","\"0xd41f1f\",\"0x118832\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>MINOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_minor.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="minor">minor</set>
          <unset token="major"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>MAJOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_major.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="major">major</set>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>CRITICAL EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_critical.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="critical">critical</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>WARNING EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_warning.csv``` | search $srStatus$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="warning">warning</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>MINOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=minor | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>MAJOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=major | stats count as Total by date</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>CRITICAL ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=critical | stats count as Total by date | appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>WARNING ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=warning | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$minor$">
      <title>Minor Events</title>
      <table id="sbc_minor_table">
        <search>
          <query>| inputlookup sbc_minor.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$major$">
      <title>Major Events</title>
      <table id="sbc_alarm_table">
        <search>
          <query>| inputlookup sbc_major.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$critical$">
      <title>Critical Events</title>
      <table id="sbc_critical_table">
        <search>
          <query>| inputlookup sbc_critical.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$warning$">
      <title>Warning Events</title>
      <table id="sbc_warning_table">
        <search>
          <query>| inputlookup sbc_warning.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
````
I'm not sure what "columns" you want from this data but, assuming that you want a table with the various messages per id and status, you might want something like

```
<your initial search>
| stats values(Message) as Message by UniqueId Status
| xyseries UniqueId Status Message
```
Hello folks, I am getting multiple errors on the application, and the customer wants to disable the error logger with suppression. Can you please guide me on the class & method name for error suppression. Thanks
I want to have a result table with 2 or 3 log events combined based on a unique key present in all events, returning 1 single row for all those events having that unique key in them. All my log events have a common unique key on which I want to combine them and get them into the table as a single row for that unique key, and if the value for any column is not present then null for that particular cell in the table.

```
Log event 1: Message="Taken the response",UniqueId="329wey98fywe",Status=Pending
Log event 2: Message="Process completed",UniqueId="329wey98fywe",Status=Finalized
Log event 3: Message=,UniqueId="329wey98fywe",Status=Pending
```
Hi @livehybrid , Thanks for this info and sample query it helps me complete the query I needed.
OK, this is the source code:

```xml
<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark">
  <label>SBC Monitoring</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="srStatus">
      <label>Status</label>
      <choice value="1">solved</choice>
      <choice value="0">unsolved</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>solved=</valuePrefix>
      <delimiter> OR </delimiter>
      <default>0</default>
      <initialValue>1,0</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>MINOR EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_minor.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="minor">minor</set>
          <unset token="major"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>MAJOR EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_major.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="major">major</set>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>CRITICAL EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_critical.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="critical">critical</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>WARNING EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_warning.csv | search $srStatus$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="warning">warning</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>MINOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=minor | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>MAJOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=major | stats count as Total by date</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>CRITICAL ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=critical | stats count as Total by date | appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>WARNING ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=warning | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$minor$">
      <title>Minor Events</title>
      <table id="sbc_minor_table">
        <search>
          <query>| inputlookup sbc_minor.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$major$">
      <title>Major Events</title>
      <table id="sbc_alarm_table">
        <search>
          <query>| inputlookup sbc_major.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$critical$">
      <title>Critical Events</title>
      <table id="sbc_critical_table">
        <search>
          <query>| inputlookup sbc_critical.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$warning$">
      <title>Warning Events</title>
      <table id="sbc_warning_table">
        <search>
          <query>| inputlookup sbc_warning.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA",IP == "10.20.41.90","DE-SLO",IP == "10.150.222.120","DE-BIE")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
```