In the documentation on dataset literals there is an example query: FROM [ { state: "Washington", abbreviation: "WA", population: 7535591 }, { state: "California", abbreviation: "CA", population: 39557045 }, { state: "Oregon", abbreviation: "OR", population: 4190714 } ] WHERE population > 5000000 SELECT state If I try to run this or any other query with a dataset literal I get an error: Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'. Any idea why? Thanks.

Hello, I am working in an environment where I have to create multiple deployment servers. Here two questions came to my mind: - Is it possible for deployment servers to deploy apps without having any license? - Can I just add manually the license to each deployment server? or is it only possible to do this via a license master? Thank you. Regards.

Gentlemen,  Need some help with lookup command.  i have a lookup table (csv) which is a master list of user accounts. It looks something like this. user_id first last email phone manager             I have a Scheduled search that runs daily . This search  shows only the users that been modified , updated or newly created . How can i append the results of this search to my above csv lookup file in such a way that it does not create duplicates ?   Basically  if the user record already exits in the csv and if the search finds one of his attributes has been updated ( for example: manager ),  then the outlookup should update the existing user record  in the csv rather than creating a duplicate one.  Hope i am clear. I read some posts about users recommending   to use the below command, but don't understand how does appending solve this use case ?  Should i be using this ?   | append [inputlookup <lookup_csv>]   The "Scheduled Search"  is configured to "append"  to the csv lookup in its properties.     Thanks in advance

I'm trying to match all domains from a lookup file with a base search and get a count of the events for each one even if there are no events matching (0 count): mysite.com  count 12 anothersite.com count 5 myothersite.com count 0         index=application sourcetype=mysource | lookup myfile.csv Domain as <corelated event field> | append [ | inputlookup myfile.csv | fields Domain] | stats count as total by Domain | fillnull value=0 total | table total | sort -total         If you can, please explain your answer - whether there is a syntax error, a keyword misuse, or conceptual error on my part. 

I have two search queries: | metadata index=* type=sources that results in something like the following (under the source field) /lorem/ipsum/dolor/sit/tortor-adaptor.log /lorem/ipsum/dolor/sit/tortor-adaptor.log.1 /lorem/ipsum/dolor/sit/tortor-adaptor.log.10 /lorem/ipsum/dolor/sit/tortor-adaptor.log.11 /lorem/ipsum/dolor/sit/tortor-adaptor.log.12 /lorem/ipsum/dolor/sit/tortor-adaptor.log.13 /lorem/ipsum/dolor/sit/tortor-adaptor.log.14 /lorem/ipsum/dolor/sit/tortor-adaptor.log.15  then there's the following search | tstats values(source) where index=* that produces something like the following (under the values(source) field) /lorem/ipsum/dolor/sit/tortor-adaptor.log /lorem/ipsum/nunc-test.log.1 /lorem/ipsum/dolor/sit/pulvinar/ex-eros.log /comsed/ipsum/dolor/ut-eget.log /donec/sit/nam-libero.log.1 /aliquet/ipsum/dolor/sit/vel-arcu.log   Why is Splunk showing me different results? Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log" how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?