Hi Team, I am stuck with a query that is not working. I have set up a summary index that collects data every 1 hour and every 15min. I have a field 'isCostChanged' which I want to count basis 'Yes' and 'No' in Summary Index. Using this query : index=summary-my-sumdata splunk_server_group=default reporttype=costchangecount reporttime=fifteenmin isCostChanged=* | stats sum(count) as Total, sum(eval(isCostChanged="true")) as CostChanged, sum(eval(isCostChanged="false")) as NoCostChanged by CountryCode | eval CostChangeRatio=round((CostChanged/Total)*100,2) | eval NoCostChangeRatio=round((NoCostChanged/Total)*100,2) | fields CountryCode, NoCostChanged, CostChanged, CostChangeRatio   What its doing - Total count is correct but the count for isCostChanged=true and =false is not correct, the count is less if I do this below to verify the data, the count is correct | stats sum(count) as Total by isCostChanged Can you help how to achieve this  Thanks in advance  Nishant

Hi,  Wondering if anyone can help.  I am trying to create a new field called FS_Owner_Mail using |eval from both the mail and FS_Owner existing fields but not too sure how to work it into the below search.   index=varonis sourcetype=xxx:varonis:csv:reports | eval User_Group=replace(replace('User_Group',"xxxxl\\\\","")," ","") | join type=left User_Group [ search index=ad source=xxx_adgroupmemberscan memberSamAccountName="*_xxx" earliest=-48h | dedup groupSamAccountName, memberSamAccountName | rename groupSamAccountName as User_Group, memberSamAccountName as Member | join type=left Member [ search index=ad source="xxx_aduserscan" samAccountName="*_xxx" | dedup samAccountName | rename samAccountName as Member | table Member, displayName, mail] | stats values(Member) as Member, values(displayName) as DisplayName, values(mail) as Mail by User_Group | eval User_Group=replace(replace('User_Group',"_xxx","")," ","")] | table Access_Path Current_Permissions, DisplayName, FS_Owner, Flags, Inherited_From_Folders, Mail, Member, User_Group

Hello All,  1) I would like to add radio button / any way to select - one of the results of my below REST query search, QUERY :    |rest /services/data/ui/views | table id label updated "eai:userName" "eai:data" "eai:appName" 2) This Query search is saved as a dashboard (auto-refresh) and I have added few text boxes (User Name, Commit Branch, User Token) as show in the attached image. These text boxes will be manually filled by user.     Use Case: I need to choose any one row via radio button (or any other technical way) and then click on the SUBMIT button to send the selected row data and text box (manually entered by user) data to my custom python script.  What is the way to achieve this use case in Splunk, Any help on this is appreciated.  Thanks!

I have a data field categ_hierarchy in the format of a series of up to 8 category IDs joined by ">>". For example: categ_id1>>categ_id2>>categ_id3>>...>>categ_id8  Category id 1 is required but category ids 2 through 8 are optional.  Category Ids are strings without the '>' cahracter in them. They might have whitespace that I want to trim from the beginning or end.  Here are 2 examples: simulink/index>>simulink/simulink-environment>>simulink/programmatic-modeling support/parallel-221>>parallel-computing/index I want to lookup each category id and get back the associated category name for each category id and then reconstruct the category names into a similarly formated path:  categ_name1>>categ_name2>>categ_name3>>...>>categ_name8  Here are the two examples constructed from the lookup results Simulink >> Simulink Environment Fundamentals >> Programmatic Model Editing Parallel Computing >> Parallel Computing Toolbox Is there any way to simplify my SPL from this?  | rex field=category_hierarchy "(?<categ_id1>[^>]+)(>>(?<categ_id2>[^>]+))?(>>(?<categ_id3>[^>]+))?(>>(?<categ_id4>[^>]+))?(>>(?<categ_id5>[^>]+))?(>>(?<categ_id6>[^>]+))?(>>(?<categ_id7>[^>]+))?(>>(?<categ_id8>[^>]+))?" | eval categ_id1=trim(categ_id1), categ_id2=trim(categ_id2), categ_id3=trim(categ_id3), categ_id4=trim(categ_id4), categ_id5=trim(categ_id5), categ_id6=trim(categ_id6), categ_id7=trim(categ_id7), categ_id8=trim(categ_id8) | lookup category_lookup category_id AS categ_id1 OUTPUTNEW category_name AS categ_name1 | lookup category_lookup category_id AS categ_id2 OUTPUTNEW category_name AS categ_name2 | lookup category_lookup category_id AS categ_id3 OUTPUTNEW category_name AS categ_name3 | lookup category_lookup category_id AS categ_id4 OUTPUTNEW category_name AS categ_name4 | lookup category_lookup category_id AS categ_id5 OUTPUTNEW category_name AS categ_name5 | lookup category_lookup category_id AS categ_id6 OUTPUTNEW category_name AS categ_name6 | lookup category_lookup category_id AS categ_id7 OUTPUTNEW category_name AS categ_name7 | lookup category_lookup category_id AS categ_id8 OUTPUTNEW category_name AS categ_name8 | eval category_name_hierarchy=categ_name1 | eval category_name_hierarchy=if(isnull(categ_name2), category_name_hierarchy, category_name_hierarchy." >> ".categ_name2) | eval category_name_hierarchy=if(isnull(categ_name3), category_name_hierarchy, category_name_hierarchy." >> ".categ_name3) | eval category_name_hierarchy=if(isnull(categ_name4), category_name_hierarchy, category_name_hierarchy." >> ".categ_name4) | eval category_name_hierarchy=if(isnull(categ_name5), category_name_hierarchy, category_name_hierarchy." >> ".categ_name5) | eval category_name_hierarchy=if(isnull(categ_name6), category_name_hierarchy, category_name_hierarchy." >> ".categ_name6) | eval category_name_hierarchy=if(isnull(categ_name7), category_name_hierarchy, category_name_hierarchy." >> ".categ_name7) | eval category_name_hierarchy=if(isnull(categ_name8), category_name_hierarchy, category_name_hierarchy." >> ".categ_name8) | table category_hierarchy, category_name_hierarchy I know I could split the category_hierachy field by the ">>" delimeter but I don't know how to lookup each of the category Ids in the resulting multivalue field.  Any help would be appreciated!! Thanks, Rena

Hi All, I have two dashboards, dashboard 1 and dashboard 2. I have linked them. When clicking on host from a line chart from dashboard 1, dashboard 2 opens up and filters on the selected host from dashboard 1. So far, dashboard 2 shows the correct host on the multiselect input. The issue is that I somehow override the panels in dashboard 2 with those of dashboard 1.  It may be an issue with the token, since I have tok_host=$tok_host$ on both dashboard's 1 and 2, but I am not sure if that is causing the issue. Any advise is welcome.  Thanks in advance    Dashboard 1 Input for multiselect: <input type="multiselect" token="tok_host" searchWhenChanged="true"> <label>Select Server (Multi Select)</label> <search> <query> (index=test_*_idx) |fields + host | stats values(host) as host | mvexpand host | rename host as tok_host </query> </search> <prefix>host IN (</prefix> <valuePrefix></valuePrefix> <valueSuffix></valueSuffix> <delimiter> , </delimiter> <suffix>)</suffix> <choice value="*">All</choice> <fieldForLabel>tok_host</fieldForLabel> <fieldForValue>tok_host</fieldForValue> </input> Linking the dashboard code: <drilldown> <link target="_blank">/app/XYZ_Sun_Sys/Dashboard2?form.tok_host=$click.name2$</link> </drilldown> Dashboard 2 Multiselect input code: <input type="multiselect" token="tok_host" searchWhenChanged="true"> <label>Select Server</label> <search> <query>(index=text_idx) |fields + host | stats values(host) as host | mvexpand host | rename host as tok_host</query> <earliest>$time_range.earliest$</earliest> <latest>$time_range.latest$</latest> </search> <fieldForLabel>Select Host</fieldForLabel> <fieldForValue>tok_host</fieldForValue> <choice value="*">All</choice> <delimiter> ,</delimiter> <default>*</default> </input> Dashboard 2 code for panel </fieldset> <row> <panel depends="$tok_host$"> <title> First Panel - $tok_host$ </title> <single> <title>Space Avail</title> <search> <query>index=testing_idx host=$tok_host$ |timechart span=10min avg(Speed) as speed | eval change=_time</query>  

I've got some queries I need to do periodically that use the exact same base search, one with teh weekly uniques and one with the average daily uniques. I can do these seperately: (search) | stats dc(thing) as WeeklyCount and (search) |bucket _time span=day |stats dc(thing) as DailyCount by _time |stats avg(DailyCount)   I've tried variations on appendpipe, but can't get it to work.  example: (search) | stats dc(thing) as WeeklyCount |appendpipe [ bucket _time span=day |stats dc(thing) as DailyCount by _time |stats avg(DailyCount)] returns only WeeklyCount. If I switch the order and have weeklycount in the append pipe, it gives my the correct average daily, but weekly reports as 0

I have 2 type of search messages - Problem #1 Problem #5 and other one goes like this - Solved problem_id successful: 1 Solved problem_id successful: 2 Solved problem_id successful: 3   I want to return Problems which have not been solved yet. So in the above case it should result with 5 only. What I tried :     Search1 ==> index="production" "Problem #" earliest=-3h latest=-1h | rex field=message ".*Problem #(?<problem_id>.*):.*" | stats count by problem_id |table problem_id     Extracting all Problem Ids(works fine) Search 2==>      search index="production" "Solved problem_id successful:" earliest=-3h | rex field=message ".*Solved problem_id successful: (?<problem_id>.*)" | stats count by problem_id |table problem_id     Extracting all problem ids which have been solved. (works fine )   Now to find problems which are not solved --> search1 | search not [search2]      index="production" "Problem #" earliest=-3h latest=-1h | rex field=message ".*Problem #(?<problem_id>.*):.*" | stats count by problem_id |table problem_id | search NOT [search index="production" "Solved problem_id successful: " earliest=-3h | rex field=message ".*Solved problem_id successful: (?<problem_id>.*)" | stats count by problem_id |table problem_id ]     Now above query doesn't work and for some reason just returns the result from search1. It seems not is not working for some reason. Thanks in advance. PS: I have modified the queries little bit on the fly to remove sensitive info.