Hi @tayshawn, this isn't a Splunk question: if you AWS ECS sends logs in json format, you should ask to AWS if it's possible to have logs in a different format, but probably it's very difficoult! Anyway, if you use the Splunk Add-On for AWS, you should have the parser to read these logs and extract all the fields, so you can put them in a table as you want, but without changing the original source. Ciao. Giuseppe

Hi @gcusello  I tried having below query which works if i select goodsdevelopment in the 1st dropdown , i get options pertained to airbag. if i select materialdomain in the 1st dropdown , i should get options pertained to material,sm. 1.If I want use data entity dropdown to be multi select since domain can have multiple data entity…how the below query  need to be modified? ...I am using 3 different inputtoken  for inbound query&3 different outputtoken for outbound query 2.Also how do i auto cleared the existing search result pannel  whenver new domain is selected  Query used:       <input type="dropdown" token="tokSystem" searchWhenChanged="true">         <label>Domain Entity</label>         <fieldForLabel>$tokEnvironment$</fieldForLabel>         <fieldForValue>$tokEnvironment$</fieldForValue>         <search>           <query>| makeresults           | eval goodsdevelopment="a",materialdomain="b,c",costsummary="d"</query>         </search>         <change>           <condition match="$label$==&quot;a&quot;">             <set token="inputToken">test</set>             <set token="outputToken">test1</set>           </condition>           <condition match="$label$==&quot;c&quot;">             <set token="inputToken">dev</set>             <set token="outputToken">dev1</set> <condition match="$label$==&quot;m&quot;"> <set token="inputToken">qa</set> <set token="outputToken">qa1</set> </condition> </change> ------ <row> <panel> <html id="messagecount"> <style> #user{ text-align:center; color:#BFFF00; } </style> <h2 id="user">INBOUND </h2> </html> </panel> </row> <row> <panel><table> <search> <query>index=$indexToken1$ source IN ("/*-*-*-$inputToken$")  | timechart count by ObjectType```| stats count by ObjectType</query> <earliest>$time_picker.earliest$</earliest> <latest>$time_picker.latest$</latest> <sampleRatio>1</sampleRatio> </search> ------<row> <panel> </style> <h2 id="user">outBOUND </h2> </html> <chart> <search> <query>index=$indexToken$ source IN ("/*e-f-$outputToken$-*-","*g-$outputToken$-h","i-$outputToken$-j") </query> <earliest>$time_picker.earliest$</earliest> <latest>$time_picker.latest$</latest> <sampleRatio>1</sampleRatio> </search>

Extract the error number from the message and use that instead of message, e.g. index=etc message="error 1" OR message="error 2" OR message="error N" | rex field=message "error (?<error>\d+)" | chart count by instance_name, error You will have to change the regex in the rex statement so you extract what you want - the one above just extracts the number after the word "error " Note if you want the message to be one of A OR B OR C, you use message=A OR message=B OR message=C rather than message=A OR B OR C You can also use message IN ("A","B","C")  

You don't have any field constraint or prefix/suffix values in your ZoneId_tok token, so this search query index=5_ip_cnv sourcetype=ftae_hmi_alarms $Zoneid_tok$ |eval Time=_time |transaction Alarm startswith=*$Zoneid_tok$",1,0,192" endswith=*$Zoneid_tok$",0,0,192" maxevents=2 will translate into index=5_ip_cnv sourcetype=ftae_hmi_alarms ZONE_A OR ZONE_B OR ZONE_C... |eval Time=_time |transaction Alarm startswith=*ZONE_A OR ZONE_B OR ZONE_C...",1,0,192" endswith=*ZONE_A OR ZONE_B OR ZONE_C...",0,0,192" maxevents=2 the first search line may be fine with your data if you are just looking for those words in your raw data, but I expect that you do not have events that have the startswith and endswith strings with the expanded token string. Without seeing an example of your data, I suspect you do not need to specify the zone data in the startswith and endswith strings.  On a separate note regarding transaction, it can silently give you wrong results if your data set is large, as it will have to hold onto partial transactions until it finds an end event, so if you have long durations, you can potentially end up with results that are wrong. It is generally possible to use stats to replace transaction which can achieve the same thing, but doing so requires some knowledge of your data.    

Since 2020s the dropdown lookup moved to  ITSI content pack app There is a content pack DA-ITSI-CP-unix-dashboards that contains an automatic lookup for some sourcetypes. The lookup is Lookup-dropdowns, relying on a csv lookup named dropdowns.csv. And coupled with an automatic lookup named "dropdownsLookup". The issue was that the csv lookup is not shipped with the app, but is being created/updated by a scheduled search "dropdowns_lookup_migrate" That scheduled search was running, but failed to create the lookup because of fields names issues. As a consequence, every time a search triggers the automatic lookup, the lookup throw an error because it does not find the csv file to load. To address the issue : - we ran the search "dropdowns_lookup_migrate" manually (without the append=t) to create the dropdowns lookup manually once to create the base lookup with the correct fields. If you have no entities, the lookup has only one line with "all_hosts". - then we waited for the search bundle to replicate to the indexers After that, the lookup error stopped.

Oh, thanks! It is working in the most cases. I found that it turns out there are cases when the installation event (new version) is generated faster than the removal event (old version). There are not many such cases, about 50 hits per week, but maybe it is possible to take this case in query? Thank you again so much for your help.

Just wanted to add this one for future readers. Another important advantage of HEC over TCP is error handling. Specifically, if you send data to a TCP endpoint, there is no interaction. No response from the TCP endpoint to let you know data has been received and processed. If there are load issues on the server or Queues are filled up, there is a chance that data will get lost. Data may get dropped and the sending process will not have any idea there was an issue. With HEC, you get an HTTP response such as a 400 or 500 error indicating problems. While most of the possible errors are specific to HEC, at least 2 would be an advantage over TCP.  (Server is busy and Internal Server Error) https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/TroubleshootHTTPEventCollector#Possible_error_codes Receiving these codes, a sender would know there is a problem.. And could attempt to resent the data again later.  You can also configure your "use Ack" which will allow the sender to check and confirm that data has been received and indexed before purging those events from the system. 

There is no such thing as "generic PII data scan". Firstly, you need to define what you want to find, then define how this data can be expressed, then you search for it. And you'll always get false positives and false negatives. That's just how it is with automated searching for such loosely defined stuff. The more precisely defined format, the better (like IBAN numbers).