Hello experts, I would like to split the  fourth part of below lines . Please provide your suggestion if I can use REGEX for it.  Projects/IMGSD-102/Data/abc-NNN/00000000001 Projects/IMGSD-102/Data/abc-NNN/00000000001 Projects/IMGSD-102/Data/abc-NNNN/00000000001 Projects/IMGSD-102/Data/abc-NN/00000000001 Projects/IMGSD-102/Data/abc-N/00000000001   Now I need to get the answer as below. abc-NNN abc-NNN abc-NNNN abc-NN abc-N Kindly provide your suggestion for the same.   

I have added some custom notable event statues say a , b , c. I have modified the transition rules for "new" status such that ess_analyst  role should not  be able to make transition from new to a ,  b and c statuses.  But the issue is while  status a and b are hidden from the "Edit events" box, the c is not . Though the transition to status c is still disabled for analyst.   the id for a = 14, b =15 and c is 10. Please help me understand why I see this  behaviour.    

Hello, i am trying to create a dependency map without the external creation of tokens that are being fed to the append searches. Here is the motive: I have a list of Sources and Targets, where as the Source of one Relation is the Target of many others and so on. This is recursive, but i would stop at 4 iterations for now ) The resulting table must only have the pairs of Source and Target Services as basis for the visualization. The first search looks something like this: index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$ | table Source_Service Target_Service The initial token is being fed via drilldown from the dashboard. So far no issue at all. So the first search creates the list of Source_Services connected to the Target_Service (token). Now i have actually two issues...sorry... First is that i cannot create the table of the pairs and create a token at the same time. The creation of the token would look something like this: index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$ | stats values(Source_Service) as results | eval list_of_Source_Services_search_one = mvjoin(results, ",") So the first issue is how to team them up in one search if possible The second issue starts once i have the token. The second search would look something like that: | append [ | search index=poc_analyze_something_rather Target_Service IN($list_of_Source_Services_Search_one$) | table Source_Service Target_Service ] However the first search does not seem to pass the token along into the append search. It is no issue at all if i make a search in the dashboard (no visualization) like this to create the token: <search>   <query>     index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$     | stats values(Source_Service) as results | eval source_list= mvjoin(results, ",")   </query>   <earliest>-15m</earliest>   <latest>now</latest>   <done>     <set token="list_of_Source_Services_Search_one">$result.source_list$</set>   </done> </search> The append search has no issues at all with this token. However there must be a way to create the list the Source and Targets without resulting to a dashboard with xml coded searches. Any idea? Thanks Mike

Hi, My requirement is to take each week monday data alone for a month in trending chart . This need to be showed for status field ,which will have ( pass,fail,error,deleted) values in it.The individual count of  status to be shown for each week monday for a month. Please let me know how to do this .