I have a lookup | inputlookup citizen_data , it has fields ID, Name, State. I have another sourcetype | index=bayseian souretype=herc , that has fields citizen_ID, mobile, email. My target is to enrich the "citizen_data" lookup with additional columns so that, while doing  |inputlookup citizen_data, I should see ID, Name, State, Mobile, Email. NOTE :  ID field in the lookup is same as citizen_ID field in the sourcetype and I wanted the appendcol to link properly as per the matching ID data. But when I executed my query with appendcol, it does append new columns/fields in the lookup, but it doesn't link or match them comparing  the common field i.e.  the ID. It just randomly appends the new coloumns. The rows contain incorrect data. Any suggestion  how to append properly by  the common field (ID/citizen_ID)?

Hello Splunkers, I have 2 panel and 1 Text Box filter in my splunk dashboard. I want to hide and show the panels depending on text box values. Example, if text box is empty, then panel A should only be visible. if text box is having some value, then panel b should only be visible. Default is textbox is empty, hence only Panel A should be visible.

Hello, we are forwarding Logs from a host via universal forwarder. As the universal forwarder is not able to filter events(logs we went for adjusting tarnsforms.conf and props.conf After editing those files we indeed only ingested the expected and desired logs according to the RegEx in transforms. However the indexed volume stayed the same. So i tried to send all events to the nullqueue and check the indexed volume again. For some reason even with zero events the query for indexed volume still is very high. Here the snippets from the relevent files and queries: 1. search query for getting indexed volume: index="_internal" source="*metrics.log" per_index_thruput series=<my index> | eval GB=kb/(1024*1024) | timechart span=2min partial=f sum(GB) by series 2. rather boring one => the search to check on event count index=<my index> | stats count 3. stanza in transforms.conf (to kill all events for testing) [<my transformation>] REGEX = . DEST_KEY = queue FORMAT = nullQueue 4. stanza in props.conf for sourcetype [<my sourcetype>] TRANSFORMS-setnull = <my transformation> ------------------------------------------------------------------------ I also tried with TRANSFORMS-set...no idea what the difference between the two is, but that doesn't work as well. So the nullqueue is working as i have no events in the index, however the query for indexing volume is off the charts. Any help would be apriciated. Thanks, Mike  

Hi everyone, i got two URLs which i want to represent in one regex group. The dest Port (443) will be in a seperate group Here are two examples. my.url.is.here:443 http://myurl.de/tasks/search/home?   When i use the following regex "(?<url>[^\s:]+):?" the first example is fine, but the second only catches "http" because it only matches till the ":" Can someone help and fix my regex? Thanks.

Hi I need to show id1,id2 on timechart have table with these columns: index="myindex" | table duration servername id1 id2 duration     Time                                          servername      id1   id2 2.643000 2021-22-11 18:30:45 Server1               111 32 2.009000 2021-22-11 18:30:45 Server2               321 72 need to create timechart that show durations by servernames and additional column data id1, id2 Any idea? Thanks

Hi All, Hoping someone out there can help me unravel the mystery I'm currently facing. We have a KV Store that we use to hold MISP values which is checked against when running various security alerts. We have 3 searches that are querying MISP data source and based on the results should add any new entries into the KVStore. Basics of the search we run are below:      | misp command to get new records in last 24hrs | bunnch of evals to format data | append [| inputlookup MispKVstore] | dedup | outputlookup append=false MispKVstore     We have this running 3 times to get details for different types of values - but all are stored in the same KVstore. Issue we are having is, once we reach 50 rows in the KV Store, updates are not being made as expected. Each time the search runs, it will add new entries for that category, but seems to delete / discard the values added by the other searches. All column names are consistent between the searches, I have updated the Max_rows_per_query as we thought we might be being affected by the 50k limit, but this has not resolved the issue. Seeking any tips, tricks, troubleshooting advice anyone is able to give to help get this sorted. Thanks in advance