@michael_vi First, thank you for the help! I was able to get this script updated here and it puts it in a alphabetical list. Thank you again import requests import json # Splunkbase API endpoint to get a list of all apps splunkbase_api_url = "https://splunkbase.splunk.com/api/v1/app/" # Initialize an empty list to store all apps all_apps = [] # Initialize offset and batch size offset = 0 batch_size = 25  # You can adjust this if needed while True:     # Construct the URL with the current offset     params = {"offset": offset}     response = requests.get(splunkbase_api_url, params=params)         if response.status_code == 200:         # Parse the JSON response to access the list of apps         apps = response.json()                 # Add the retrieved apps to the list         all_apps.extend(apps['results'])  # Use ['results'] to get the apps                 # Calculate the total number of apps from the response         total_apps = apps['total']                 # If we have collected all apps, break the loop         if offset >= total_apps:             break                 # Increase the offset for the next request         offset += batch_size     else:         print("Failed to retrieve apps. Status code:", response.status_code)         break # Extract 'appid' (app names) from the 'results' app_names = [app['appid'] for app in all_apps] # Sort the app names in alphabetical order app_names_sorted = sorted(app_names) # Create a dictionary with the sorted app names as a list app_data = {"app_names": app_names_sorted} # Save the app data to a JSON file as before output_file_path = "splunkbase_apps.json" with open(output_file_path, 'w') as json_file:     json.dump(app_data, json_file, indent=4)  # Use indent to format JSON print(f"App data has been saved to {output_file_path}")

Hi @Dustem, yes, you should create an alert, scheduled e.g. one time  day like the following: index="xx" | bin _time span=15m | stats dc(dest_port) as dc_ports by _time src_ip dest_ip | where dc_ports > 10 | streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=Ture | where consecutive_triggers>=5 | collect index=my_summary that triggers the conditons you need and saves results in a summary index. then if the alert is named "scan" you can search on the summary for the search_name="scan" in the last three days: index=my_summary search_name=scan | stats count BY src_ip dest_ip | where count>5 Obviously you have to adapt my approach to your Use case. Ciao. Giuseppe

OK,  I think I've gotten there with this search: index=felix_emea sourcetype="Felixapps:prod:log" Action = "Resp_VPMG" | dedup EventIndex | rex field=Message "^<b>(?<Region>.+)<\/b>" | rex "Response Codes:\s(?<responseCode>\d{1,3})" | rex field=Message ":\s(?<errCount>\d{1,4})$" | bin _time span=1h | stats count by _time responseCode Region | eval {Region}=count | fields - count Can you tell me the purpose of thise line in your code: | fields - log_level count  as to me that drops the 'count' and 'log_level' fields yet log_level is a value you are trying to chart. Thanks, Steve  

With high expectations I tried it and sadly it didn't work for me. However, building on your idea that it didn't like the CSS to be initially empty I eventually found the following solution: <dashboard version="1.1" theme="light"> <label>GABS Test css</label> <row> <panel> <table id="doneID"> <title>Test</title> <search> <done> <condition match="'job.resultCount' == 0"> <set token="doneTableHeightCSS">height: 50px !important;</set> <set token="doneTableAlertCSS">position:relative; top: -130px !important;</set> </condition> <condition> <set token="doneTableHeightCSS"></set> <set token="doneTableAlertCSS"></set> </condition> </done> <query> | stats count | search count=5 </query> <earliest>@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> </row> <row depends="$never_set$"> <panel> <html> <style> #doneID .splunk-table { 1; $doneTableHeightCSS$ } #doneID .alert-info{ 1; $doneTableAlertCSS$ } </style> </html> </panel> </row> </dashboard>   More than happy to give you the credit for it. If you re-submit it I'll accept it as a solution.

@efavreau You're right about 21:00 Sunday GMT would be 5:00 Monday BJT but if you see the cron, it is running from 0-13 on a Sunday which is incorrect and we need to exclude that. How can we exclude this extra cron schedule.

Hi @av_ ! Your expression looks correct to account for the 8 hour difference, assuming the cron job is executing in your timezone. 21:00 Sunday GMT would be 5:00 Monday BJT. So if that is not working as expected, then the cron job may not be running out of your GMT timezone. If it's running out of the BJT timezone, then the cron needs to be re-written to: */5 5-22 * * 1-5 Did you test that? What was the result? If that also isn't working, then more details are needed for people to figure out why the cron is executing in neither timezone

This is still very confusing But in our query, we used to get results only for previous month, not for the date range(its not accepting the double quotes ("") for the number, when I remove "". its not accepting the string :(.. query we used for reference... First of all, WHAT is not accepting what?  Are you talking about an editor in Splunk Answers (this forum), a Splunk UI, a Splunk dashboard, or Splunk search window, or SPL?  What does "not accepting" mean?  Does the UI give you some error message?  Does Splunk give an Error?  Or you are expecting one output and Splunk gives a different output? If so, what is the input, what is the context, what is the expected output and why do you expect that output in this context? Second, let me try to interpret your question: You are saying that a user sees different results when using these selections in Splunk's pre-defined time selector: 1 "Previous month" in "Presets" 2 "Between" selector in "Date range" Is this accurate?  What is relationship between that SPL snippet and Splunk's time selector, or your dataset?

Hi @efavreau, changing it from 1-5 would miss some alerts which are supposed to trigger monday morning. As I said there's a time difference. The splunk instance is in GMT while the alerts are being scheduled for China Time.

Hi @av_ ! To double-check cron expressions, I may resort to using a tool like crontab guru. When I put the expression you provided in there, it suggests the 0-5 part of the cron expression includes Sunday. https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 So if we change that part from 0-5 to 1-5, it appears that may work for you. Good luck! If you find this hopeful please give it a thumbs up!