Hi @danspav / @bowesmana,

Thanks for your response. I have tried this way, but I am still getting different values in the URL. Here is my URL after selection of the pie chart:

&%26form.office_filter%3DFront%20Office=&

I'm getting %26 and %3D instead of & and =, and %20 instead of a space. I had tried this way in the actual info:

<input type="multiselect" token="office_filter" searchWhenChanged="true">
  <label>Front/Back office</label>
  <choice value="Front Office">Front Office</choice>
  <choice value="Back Office">Back Office</choice>
  <default>Front Office</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <initialValue>Front Office</initialValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter>,</delimiter>
  <change>
    <eval token="office_filter_drilldown">replace($form.office_filter$ + "","([^,]+),?","&amp;form.office_filter=$1")</eval>
  </change>
</input>
<drilldown>
  <link target="_blank">/app/antivirus_details?form.compliance_filter=$click.value$&amp;$office_filter_drilldown$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>

Can you please ensure this! Thanks! Manoj Kumar S
Hi @duesser, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi yuanliu, do you have any updates? We need to filter out events where a user has only EventCode=4776 over a while, and exclude events where 4770, 4768 or 4624 precede 4776, because we think that this situation is reasonable and that only the presence of 4776 alone is illegal.
Wait a second. Whenever I see "compare" and "appendcols" in the same sentence I raise my brow questioningly. Remember that appendcols doesn't preserve any order between the two searches. I'd probably go with a single search with two timeframes, limited with

<your search> (earliest=$main_picker.earliest$ latest=$main_picker.latest$) OR (earliest=$secondary_picker.earliest$ latest=$secondary_picker.latest$)

Then you can classify, stats and do whatever you want.
@woodcock did you ever complete a more granular tagging of FireEye events? Would you be willing to share?
No. The only "variable" (runtime-determined) parts of the config are those explicitly defined as such in the specs. For example, the serverName parameter in the [general] section of server.conf: the specs say that it can contain environment variables, so it can be set dynamically. For other parameters you define constant values.
Check this server.conf setting that you may be missing; it goes under sslOptions:

sslCommonNameToCheck = <commonName1>, <commonName2>, ...
* If set, and 'sslVerifyServerCert' is set to "true", splunkd limits most outbound HTTPS connections to hosts which use a certificate with one of the listed common names.
In order to be able to colour them differently, you need separate fields. Try adding this to the end of your search:

| transpose 0 header_field=category
I should expect not.  
Try something along these lines:

^name=\"([^\"]*)\",value=(\[([^\]]+)\]|\"[^\"]+\")(.*)

https://regex101.com/r/id6m8s/1
Remember that during the ingestion phase Splunk mostly processes the event as a whole; extractions (unless you have indexed fields) are done at search time. So if you wanted to encrypt part of the raw message (for now even leaving aside the question of how to do it), you'd have to extract a part of the message into a field, encrypt this field, replace the original part of the raw message with the encrypted field value and finally "forget" the extracted and encrypted field values (so they do not get indexed alongside the raw event). Very, very ugly and error-prone. And we haven't even touched the question of _how_ to encrypt the value.
Yes I have seen this exactly. But is it possible to work around this in any way?
Do a quick test:

[ | makeresults | eval search="| makeresults" ]

If you look into the job log you'll see that while the internal search will get expanded to

Expanded index search = ([ | makeresults | eval search="| makeresults" ])

after the subsearch is evaluated and the result is returned to the outer search, it will be treated as a string, with the pipe control character escaped:

Expanded index search = (\| makeresults)

Which means that you will be searching for the literal pipe character and the word "makeresults".
Hi @rphillips_splk, where can I find the doc for commands like

./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

Can I do a POST with it?
I am sorry for the confusion, I updated the original question. The idea is to dynamically create strings of eval commands in a subsearch (depending on a lookup, e.g.) and then apply these to the base search by literally putting them into the search command. I hope I could clarify this now.
Perhaps you could try changing the line breaking? Try something like this:

LINE_BREAKER = timestamp\":\"[^\"]+\"}}([\r\n]+)
Hello, thank you for your reply, but it doesn't work. Maybe it isn't possible to convert the JSON data that I got from DB Connect.
Hi @duesser, please try this:

index=abc [ | makeresults | addinfo | eval earliest=relative_time(info_min_time,"-60s"), latest=info_max_time | fields earliest latest ]

Ciao. Giuseppe
Hi @manojchacko78, you can use fillnull to replace spaces with "NA":

| rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]+)"
| rex field=AddtionalData "Location code:(?<Locationcode>[^,]+)"
| rex field=AddtionalData "Job code :(?<Jobcode>[^,]+)"
| fillnull value="NA" BusinessUnit
| fillnull value="NA" Locationcode
| fillnull value="NA" Jobcode
| stats count by BusinessUnit Locationcode Jobcode
| fields - count

Ciao. Giuseppe
I am extracting these three values, and if there is any empty value in any of the fields, it returns no result. How do I replace the blank values with NA in the rex statements?

| rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]+)"
| rex field=AddtionalData "Location code:(?<Locationcode>[^,]+)"
| rex field=AddtionalData "Job code :(?<Jobcode>[^,]+)"
| stats count by BusinessUnit Locationcode Jobcode
| fields - count