the large size logs like as below it's not a regular json data, therefore need to using rex to get fields A logs have name and uid B and C logs have uid and oid the dashboard accept input name, it allow multiple name with comma then using the name to find the uid and figure out the related uid and oid data from B logs and exclude from c logs so, I don't know how to  1. in a search statement substitute using the value of users be a keyword 2. combine the field data with comma for using  function search data in (...)    Thanks. -- for example: A logs: ... x1 ...uid=123... ... y2 ...uid=456... ... z3 ...uid=789... B logs: .... oid=989 ...uid=123 ... .... oid=566 ...uid=456 ... .... oid=486 ...uid=789 ... C logs: ...cancel_order... oid=989 ...uid=123 ... ...cancel_order... oid=566 ...uid=456 ... ...cancel_order... oid=486 ...uid=789 ... a dashboard has a input box text: users, and user can input multiple users with comma the value of users will be like "x1,z3" I wont to put the value in a search statement such us | makeresults | eval users="x1,z3" | eval names=replace(users, ",", " OR ")    =>excepted result: x1 OR z3 | search source="alog" $names$     => Substitute the names value into keyword | rex "name=(?<name>\S+)" | rex "uid=(?<uid>\d+)" | table name,uid | join type=left max=0 uid [ source="blog"  | rex "uid=(?<uid>\d+)" | rex "oid=(?<oid>\d+)" | search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789) | table uid,oid ] | join type=left max=0 oid [ source="clog" cancel_order | rex "uid=(?<uid>\d+)" | rex "oid=(?<oid>\d+)" | search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789) | table uid,oid,status ] | where isnull(status) | stats count(oid) by name

Hi, i have created classic dashboard based on saved search because my saved search used as asset management search which contain a lot of fields. For now i need to create 3 input textbox and 1 drilldown. Below are search that i used to match my token with search. | savedsearch "test 1" | search hostname=$hostname$, ip=$ip$, ID=$id$, location=$location$ However, search above doesn't work for the inputs field. Also i might need to add more inputs fields in future. Please assist me on this. Thank you 

We are currently ingesting ServiceNow Logs through the Splunk Add-on for Service Now TA. However, the logs aren't being parsed properly, as they are in a raw log format, which makes it increasingly difficult to build any kind of dashboard etc. Does anyone have any knowledge or experience in changing ServiceNow logs from a raw format to a structured format? Any help would be greatly appreciated

Hello Team, I have 2 input drilldown filter - filter1, filter2. Filter2 is based on the token from filter1.  When i click submit i should pass the token from filter1, filter2 to create a new dashboard.