Hi,    I have two different queries running on same dashboard but a different panel.  Below is the query one which results the "reqid" as the output (ex:123456) Query 1: sourcetype=test*-cloudwatch-logs file.txt | rex "RequestId: (?<reqid>[\S+]*)\s" | table reqid | dedup reqid Output return as ex : 123456   Then, i would like feed the output of query1 as input of query2.   Query 2:  $query1_output$ | rex "uploaded to: s3://sample-us-east-1-s3/transmit-os/(?<filename>.*)" | table filename     Can someone suggest me is this right way of passing? How can i update the source code (XML) for the changes?   Thanks.

Hello, I am trying to build a new app using the Add-On Builder and am having problems getting OpenSSL functioning with my input. Has anyone successfully accomplished this and has the commands they can share? This is the command I am using to import the module to "myapp/bin/lib" /Applications/Splunk/bin/splunk cmd pip3 install pyopenssl --target /Applications/Splunk/etc/apps/myapp/bin/lib --trusted-host pypi.org --trusted-host files.pythonhosted.org  I then use this in myapp's code: from lib.OpenSSL import SSL  This is the error I get when testing: File "/Applications/Splunk/etc/apps/myapp/bin/lib/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import crypto, SSL ModuleNotFoundError: No module named 'OpenSSL'

I updated to 8.2.2.1 and suddenly all of our unit test output is polluted with hundreds of Authorization Failed messages,  each coming from various calls to splunk.rest.simpleRequest. The Authorization failures themselves are perfectly normal - many of our tests actually assert that ownership and permissions are set the right way, and testing that involves trying to do things with the wrong user and asserting that the thing fails.   What's problematic is how formerly nice clean unit test output to the console or to stdout is now polluted with all this stuff about these normal failures. for example,  picture dozens or hundreds of these: Authorization Failed: b'{"success":false,"messages":[{"text":"It looks like your Splunk Enterprise\\nuser account does not have the correct capabilities to be able to post licenses.\\nReach out to your local Splunk admin(s) for help, and/or contact Sideview support\\nfor more detail."}]} Curious if anyone has run into this or knows where the messages might be coming from.

Hi team,      I am new to the splunk. I am just running a splunk query with an ID name to get the file assocaited with it from the logs. Event logs are looks below from the splunk, Logs:   the log files are    RequestId: abcd File uploaded to: s3://test/sample/file.json   source: source name   host: host name   etc   how can i run a query to search splunk event logs and look for .JSON file and return the full JSON file name? Any help is appreciated.   Thanks.

Our scrum team used to have a single Splunk dashboard, and a link to it on our Jira board, so that the product manager could easily jump to it when he was checking on our progress.  Now I've added 6 more dashboards, but would rather not add 6 more links if I can help it.  Is there a way to link to all of them at once?  The dashboard names share a common prefix for easy filtering, but filtering doesn't affect the URL so it doesn't seem like that will help.  Can I create a dashboard that contains links to other dashboards?  Or some sort of home page that's specific to our team?

Hi Team, Could someone help me with the field extraction for the below complex data(1000 lines of data I concised to 10 lines of data ) : columns to be extracted are statement_text , cnt, total_reads, total_writes, db_name statement_text="SELECT ISNULL("Interface Entry Header"."timestamp",@3) AS "timestamp",ISNULL("Interface Entry Header"."ImageURL",@8) AS "ImageURL",ISNULL("Interface Entry Header"."Pick Date Time",@7) AS "Pick Date Time",ISNULL("Interface Entry Header"."Start Execution",@7) AS "Start Execution",ISNULL("Interface Entry Header"."End Execution",@7) AS "End Execution",ISNULL("Interface Entry Header"."Send Request",@7) AS "Send Request",ISNULL("Maximo Issue Type$Interface Entry Line"."Header Entry No_",@4) AS "Maximo Issue Type$Interface Entry Line$Header Entry No_",ISNULL("Maximo Issue Type$Interface Entry Line"."Entry No_",@4) AS "Maximo Issue Type$Interface Entry Line$Entry No_" FROM "Algeria".dbo."Tango$Interface Entry Line" AS "Maximo Issue Type$Interface Entry Line" WITH(READUNCOMMITTED) WHERE ("Maximo Issue Type$Interface Entry Line"."Header Entry No_"="Interface Entry Header"."Entry No_") ORDER BY "Maximo Issue Type$Interface Entry Line$Header Entry No_" ASC,"Maximo Issue Type$Interface Entry Line$Entry No_" ASC) AS "SUB$Maximo Issue Type" WHERE ("Interface Entry Header"."Interface Code"=@0 AND "Interface Entry Header"."Direction"=@1 AND "Interface Entry Header"."Status"=@2) ORDER BY "Source No_" ASC,"Entry No_" ASC OPTION(OPTIMIZE FOR UNKNOWN, FAST 50)",    cnt="12",    total_reads="31", total_writes="0",   db_name="test"  I couldn't able to extract the statement_text column completely and the remaining columns are working fine index="index" source="source1"| rex field=_raw "statement_text\=\"(?<statement_text>[@ ( ) $ . , \"A-Z ! ^ | \" - _ : { } A-Z a-z _ 0-9]+]+)\""   | rex field=_raw "cnt\=\"(?<cnt>[0-9]+)\"" | rex field=_raw "diff_reads\=\"(?<diff_reads>[0-9]+)\""| rex field=_raw "total_writes\=\"(?<total_writes>[0-9]+)\"" | rex field=_raw "db_name\=\"(?<db_name>[A-Z a-z _ 0-9]+)\"" Please provide me rex for statement_text column where the data can be extracted till the 2nd column "cnt"