Hello , I have data like below. I need to frame a query such that I can calculate number of desync for each rate-parity-group.   For example: "rate-parity-group":{"CN":{"avail":11,"price":11}}} rate-parity-group":{"CK":{"avail":18,"price":0},"CL":{"avail":36,"price":0},"CM":{"avail":18,"price":0}}}, "rate-parity-group":{"CL":{"avail":18,"price":0},"CM":{"avail":36,"price":0}}} Expected outcome  rate-parity-group  total-desync CL                                        54(36+18) CM                                      54 CK                                       18   Since CK,CM,CL all these rate-parity-group is dynamic so I m facing problem.  Could someone help me to get the desync count at rate-parity-group. Sample data attached in screenshot.   Thanks in Advance  

Is there a way to retrieve what time range does a search use?, I have tried using this endpoint curl -k -u admin:pass https://localhost:8089/services/saved/searches/search_name/history but i guess it is not returning its time range Thank you

Hi, I would like to know how to run searches using different time ranges in dropdown. For example, an input in the dropdown would be labelled "Yesterday", and I would like to assign 2 different time ranges to the same label, such that I can run 2 different searches using the separate time ranges by just selecting one input from the dropdown. I have tried defining 4 tokens under the same label, but it doesn't work, ie.   <choice value="yesterday">Yesterday</choice> <condition label="Yesterday"> <set token="custom_earliest">-8d@d+7h</set> <set token="custom_latest">@d+7h</set> <set token="breakdown_earliest">-1d@d+7h</set> <set token="breakdown_latest">@d+7h</set> </condition>    Thanks

Hello, I have a chart with dynamic field names displayed as table and would like to change the order of the columns:     Name Season 1 Season 2 Season 3 Name1 10000 11111 22222 Name2 9999 9997 9998 Name3 7777 5555 6666     How can I change the order of the columns? The number of Seasons is flexible and it should always start with the latest one -> Name  Season3  Season2  Season1

Hi. I work with ServiceNow, a ticketing platform.  I wish to get only the current "new" incidents and display it in a dashboard, but when I put "| search status=New" I get results which turned "resolved" already. Is there a way I can display only the current new incidents?

I'm trying to collapse a of data into earliest/lastest by _time,  with the time is contiguous.  Such as:  2022-08-27 07:36:00 2022-08-27 07:37:00 2022-08-27 07:38:00 2022-08-27 07:39:00 2022-08-27 07:40:00 2022-08-27 07:44:00 2022-08-27 07:45:00 2022-08-27 07:46:00 2022-08-27 08:31:00 2022-08-27 08:32:00 2022-08-27 08:33:00 2022-08-27 08:34:00 2022-08-27 08:35:00 earliest:                               latest: 2022-08-27 07:36:00   2022-08-27 07:40:00 2022-08-27 07:44:00   2022-08-27 07:46:00 2022-08-27 08:31:00   2022-08-27 08:35:00 THoughts? 

Hi, how can I combine two fields (2.1 and 2.2) into one field (Main calculation) I have a table :    I would like to convert it into something like this :   where START_TIME is the value of 2.1  and the FINISH_TIME is the value of 2.2 field. Completion_time is sum of both two fields  (0.35 + 60.53)   SPL query:   | eval finish_time_epoch = strftime(strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S") | eval start_time_epoch = strftime(strptime(START_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S") | eval duration_s = strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S") - strptime(START_TIME, "%Y-%m-%d %H:%M:%S") | eval duration_min = round(duration_s / 60, 2) | rename duration_min AS Completion_time   | eval Process=if(Process="013","2.1 Main calculation",Process) | eval Process=if(Process="014","2.2 Main calculation",Process) | table Process,  2.START_TIME, 3.FINISH_TIME , 4.Completion_time | sort -START_TIME, -FINISH_TIME | sort +Process | transpose 0 header_field=Process column_name=Process | dedup Process