Hai, I am looking for one match condition, Here is my requirement, <condition match="&quot;boilerrole&quot;== IN('$result.roles$')"> <set token="boiler">true</set> <unset token="turbine"></unset> </condition> if my boilerrole matches to any of the value in "result.roles".(result.roles contains a results of multiple roles) --> my "boiler"  token should be true. is it possible. the above query is not worked for me, Can any one help me.

Hi, all!  I am want to custom the search command when I click the element but I don't know how to write the search using values from the clicked element like Auto function.  For example, here's my dashboard and I hope that when I click on one of the Call_Session_ID, then it will jump to the search which combines the four different times with the same Call_Session_ID. Thanks a lot for your help!  

i would like to find a query where it is looking for the word 'DISK' &  ##% is above a certain percentage. i have the following but does not seem to work. (\N*Disk\D*)([0-9][0-9]|\d{2,})\% so from the example below. i should only be left with "Logging Disk Usage 85%" example: CPU 99% Logging Disk Usage 85% /VAR log  87%

HI, I have events in splunk, where two fields description and msg denotes error messages. When I try to use to below. I tried renaming msg and description to same values but I am not getting an count. index=work  status=failure | stats count by description |appendcols [search index=work tag=error | stats count by msg] I  see below result: Description   Count          msg                            10              Account locked Login failed    20 How can I get below? Error                  Count Account Locked 10 Login failed           20

Hi All, What I'm trying to do is to have a chart with time on x-axis and percentages by ResponseStatus on y-axis.  To do that I come up with the below Splunk search query:     match some http requests | fields _time,ResponseStatus,RequestName | eval Date=strftime(_time, "%m/%d/%Y") | eval ResponseStatus=if(isnull(ResponseStatus), 504, ResponseStatus) | eventstats count as "totalCount" by Date | eventstats count as "codeCount" by Date,ResponseStatus | eval percent=round((codecount/totalCount)*100) | chart values(percent) by Date,ResponseStatus      But it is hitting the disk usage limit (500MB - which I can't increase) for a 10 days interval. And I'd like to be able to have this on a 3/4 months interval. What I have noticed is that If I only run the match part of the query, I get all the events without hitting any disk limit, which makes me think the problem is with the counting and group by part of the query. My guess is that Splunk is making the computation by keeping in-memory (or, trying to do so and eventually swapping to disk) the full event message even if I specified the useful fields via the fields command.  Is there any way to either effectively have Splunk ignore all the remaining part of the message or obtain the same result via a different path? Thanks a lot!