Is it possible to change the app key of an existing app, and if so, will the previous app key become non functional, or will that continue to be accepted as well? We're looking at options to safely rotate the AppD app key, if that's possible. Thanks, Priya

Hi, Where does the data sync utility for ServiceNow get installed? Do we need a seperate server? If we need a seperate server then if that server goes down how it will affect the data to servicenow? Can someone please explain ^ Post edited by @Ryan.Paredez for formatting and title changes

Hi, I just started working with Splunk and would ask for some help. I have 3 sources, A, B and C. Source A contains fields Ordernr, Salesvalue  Source B contains fields Ordernr, Status Source C contains fields Ordernr, Producttype  All sources have around few million records. What i would like to get is a result set with: A.Ordernr, A.Salesvalue, C.Producttype  where A.Ordernr not exists in B.Status=700 and A.Ordernr exists in C.Ordernr Hope my question is clear  Thanks in advance for helping me out!       What i would like to do is to have a resul  

Hi all, i created a report, now i need to create a dashboard that takes data from this report with loadjob savedsearch. the report has as the name of the fields 1_month_previous, 2_month_previous, ......(I could not rename the names of the months in the command stats sum (DIM) as 1_month_previous, I also followed a post here in the community) I would like to create a filter in the dashboard with the names of the months instead of the previous_month. I tried with this code: <query> | makeresults | eval MPR0 = strftime (relative_time (now (), "-0month @ month"), "% B") | eval MPR1 = strftime (relative_time (now (), "-1month @ month"), "% B") | eval MPR2 = strftime (relative_time (now (), "-2month @ month"), "% B") | eval MPR3 = strftime (relative_time (now (), "-3month @ month"), "% B") | eval MPR4 = strftime (relative_time (now (), "-4month @ month"), "% B") | eval MPR5 = strftime (relative_time (now (), "-5month @ month"), "% B") | eval MPR6 = strftime (relative_time (now (), "-6month @ month"), "% B") | eval MPR7 = strftime (relative_time (now (), "-7month @ month"), "% B") | eval MPR8 = strftime (relative_time (now (), "-8month @ month"), "% B") | eval MPR9 = strftime (relative_time (now (), "-9month @ month"), "% B") | eval MPR10 = strftime (relative_time (now (), "-10month @ month"), "% B") | eval MPR11 = strftime (relative_time (now (), "-11month @ month"), "% B") | eval MONTH = mvappend (MPR0, MPR1, MPR2, MPR3, MPR4, MPR5, MPR6, MPR7, MPR8, MPR9, MPR10, MPR11) | table MONTH </query> but in Dinamic Option -> Search String by inserting this code, it returns me the names of the months separated by commas, all on a single row and not in a column to let me choose the month I need. Do you have any suggestions? I have tried mv append, split, delim, etc .. to no avail. I ask for help from you Splunk gurus. Tks BR Antonio

I want to extract the field that are on the left which are status, monitoirng status, monitoring mode and so on. Multikv command can be used when the header is at the first row. What command should I use in Splunk search if the header is at the first column?  

I have extracted two fields in my non prod splunk account. I want to use the same for the prod splunk account as well. The url for prod and non prod are different. I need these fieldextraction in prod before hand, even before the logs start falling into splunk(prod), since my splunk alert is dependent on the logs. Is there a way to export extraction from non prod and import them in prod? 

Hi all, I have a multiselect dropdown to list all the  groups, also i have 2 pie charts for the number of tasks per groups and status of the jobs of tasks.Default selection in the multiselect dropdown is "All". How to pass the tokens from the mutiselect to the charts? The queries for 2 charts are, index= "abc" sourcetype="xyz"|chart distinct_count(task) as Tasks by group The status pie chart is drilldown from the first pie chart. Tok_task is passe as token. index= "abc" sourcetype="xyz"| search task= $Tok_task$| chart distinct_count(job) as Jobs by status I just simply passed a token from multiselect to the chart. It is not working as i select multiple options. Does anyone know how to work with this?

Hi All, I have a field with the following field with values: Field_Values=case(Red="Low", 10, Blue="Medium", 28, Green="High", 14) How can I create a token in the dashboard that will have these values? This token will not be used for a filter in the dashboard or a drilldown. I am not sure if there is a default token to assign this to.  I am using the below code, but using job.resultCount is only giving me the highest value which is 3600 I need it to give me the corresponding Field_Value for when its Low, Medium or High..... any advise?  <condition match=" 'job.resultCount' &gt; 0"> <set token="Field_Values">$result.Field_Values</set> </condition>