{ "visualizations": {}, "dataSources": { "ds_6STCWAXt": { "type": "ds.search", "options": { "query": "index=dsi_splunk host=dev_splunkmanager script=backup \n| sort _time \n| stats earliest(_time) as debut by pid\n| convert timeformat=\"%d/%m/%Y %H:%M\" ctime(debut)" }, "name": "backupId" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-24h@h,now" }, "title": "Période globale" }, "input_backup": { "options": { "items": ">frame(label, value) | prepend(formattedStatics) | objects()", "token": "backupId", "selectFirstSearchResult": true }, "title": "Backup", "type": "input.dropdown", "dataSources": { "primary": "ds_6STCWAXt" }, "context": { "formattedConfig": { "number": { "prefix": "" } }, "formattedStatics": ">statics | formatByType(formattedConfig)", "statics": [], "label": ">primary | seriesByName(\"debut\") | renameSeries(\"label\") | formatByType(formattedConfig)", "value": ">primary | seriesByName(\"pid\") | renameSeries(\"value\") | formatByType(formattedConfig)" }, "hideWhenNoData": true } }, "layout": { "type": "grid", "options": { "width": 1440, "height": 960 }, "structure": [], "globalInputs": [ "input_global_trp", "input_backup" ] }, "description": "", "title": "Backups Cloner" }

Change the name of a field using the rename command.   | rename cs4 as suser_display, cs3 as folder   You can use SEDCMD settings in props.conf to remove unwanted fields from events.   [mysourcetype] SEDCMD-cs2Label = s/cs2Label=Group or User//  

Thank you all for this thread!   I've been working on Splunk for close to 10 years and JUST ran into this today for the first time and thought I was losing my mind because I can't find any record of etc/system/default/deploymentclient.conf on any of my systems.     Thank you for confirming that I'm not the only one thinking this is really, really weird but seems "normal"  

Hi @bishopolis   -  I’m a Community Moderator in the Splunk Community.  This question was posted 12 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 

Thank you very much!   ... | eval output1=json(output) | eval output3 = json_extract(output1, "data.affected_items{}.id") | eval output3 = replace(output3,"[\[\]\"]","") | makemv output3 delim="," | mvexpand output3 | rename output3 as id   returns all ids in a column, so it seems it is what I need for further processing of this data. Thanks a lot!