I think you are looking for a stepped line graph? You could do something like this (I changed the second instance of 6/11 to 7/11 to show the changes separately, I also added another 12/11 to show the impact of having two values for the same date where one is negative and the other positive.) | makeresults format=csv data="date,change 25/10/2023,6000 31/10/2023,0 6/11/2023,2500 7/11/2023,500 12/11/2023,-7800 12/11/2023,800 16/11/2023,500" | eval _time=strptime(date,"%d/%m/%Y") | streamstats sum(change) as total | autoregress total | eval row=mvrange(0,2) | mvexpand row | eval total=if(row=0,total_p1,total) | table _time total Note that this chart only works well with _time for the x-axis, other scales not so well.  

Please check the aws s3 logs in the splunk end it may be due to permission issue from aws end. Once you go through the logs you will get clear visibility.  the logs will be under /opt/splunk/var/log/splunk and serach for aws.

i am using splunk fully on prem - no cloud option as per documentation TA to be installed on UF, you can refer to below link https://community.splunk.com/t5/Security/Universal-Forwarder-Technology-Add-On/m-p/669359#M17403 As i understood, TA to be installed on Indexers (already done) and on UF   Thanks

Hi @anooshac , you can use in the first multivalue the following search: | makeresults | eval group="a" | append [| makeresults | eval group="b"] | append [| makeresults | eval group="c", subgroup="x"] | append [| makeresults | eval group="c", subgroup="y"] | dedup group | sort group | table group and in the second multivalue the following search: | makeresults | eval group="a" | append [| makeresults | eval group="b"] | append [| makeresults | eval group="c", subgroup="x"] | append [| makeresults | eval group="c", subgroup="y"] | table group subgroup | search group=$group$ | eval value=group.if(isnotnull(subgroup),"_".subgroup,"") then you can use the second value in your panels. Obviously thgis is a sample to adapt to your search. Ciao. Giuseppe  

Hi Yuanlui, I dont think the devs will change the code!!! Thank you, option one seems to do the trick. Its taken me a bit of time to work through the answer to try and understand it and i am still struggling with the sed magic, but will persevere. thank you again.

Hi @Splunkerninja , check if the url is effectively referred to an image and if it has a compatible format for an image (png or jpg) or if you're using a too large size. In this last case, please try a smaller size. Ciao. Giuseppe

Hi @AL3Z .. Please check this Splunk Advisory: https://advisory.splunk.com/advisories/SVD-2023-1104 the Splunk Cloud affected version is - Versions below 9.1.2308 The Splunk Cloud fix version is --------- 9.1.2308   So you should ask the Splunk Cloud Support and ask them to upgrade your Splunk Cloud to the fix version 9.1.2308, thanks. 

Could you please share more insights about the bug like id or official statement? Did it get resolved in newer release? was asking because i didn't find any relevant info in 'fixed issues' section of the release notes.. 

Suppose that is raw data, and suppose the table in your original post is desired result - illustrate again if that's not the case, can you describe the logic to obtain that table from this table?  Also, can you post the output of the chart command that I proposed (replacing "month" with "date month" if that's the correct field name), and tell us why that output is not desired?  Post both the actual search and actual results in text (anonymize as needed).