Hi all, I know it is possible to only show rows / panels if a token is set,   <row depends="$token$">   Is it possible to only show the row if the token has a specific value?   <row depends="$token$ == 1">   Thanks for any help

Hi there! I am trying to join an event table (E1) with a summary table (S1). S1 is just a summary table containing stats derived from the event table (E1). I am trying to accomplish this cause I have to compare the stats to each event. The query runs smoothly but won't give me the correct stats. Whenever I try to run them separately, the results are correct but when joined together as with the query below, it gives the wrong answer. For context, it gives bigger values for the stats. Hope anybody can help! Thank you in advance! Please see query below.      index=test sourcetype=aws* earliest=-0.5d@d | search source=*RDS* metric_name=AbortedClients | bin span=5m _time | stats count as DataCount by _time, metric_name | table _time, metric_name, DataCount | join left=L right=R where L.metric_name = R.metric_name [ | search source=*RDS* metric_name=AbortedClients | bin span=5m _time | stats count as DataCount by _time, metric_name | stats sum(DataCount) as TotalCount, avg(DataCount) as Average, stdev(DataCount) as StanDev, p25(DataCount) as P_25, p50(DataCount) as P_50, p75(DataCount) as P_75 by metric_name | eval IQR = P_75 - P_50 | eval LB = P_25 - (IQR*1.5) | eval UB = P_75 + (IQR*1.5) | eval OneThres = Average + (2 * StanDev) | table metric_name, TotalCount, Average, StanDev, P_25, P_50, P_75, IQR, LB, UB, OneThres ]      

Hi I am trying to understand how indexes and sourcetype are defined. Let's say I have an app with a web component and a database component. Should the web component and db component be different indexes?  And the sourcetype is a category within each index? Does Splunk automatically determine the sourcetype based on the data it ingested? Or is this something that is manually done?

I have following events in the log. Although there are lot of rows in it but I interested in these rows only and in extracting "time: and anything after "subject:"     --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email --- 2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email ---     So need to a create a report like this - Time Subject 2016 2021-09-11 11:01:19 RE: Hello this is first email 2016 2021-09-11 11:01:21 Re: Hello this is second email 2016 2021-09-11 11:01:22 Re: Hello this is third email   Thanks!

I have the below test raw logs CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=testuser1 sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-01 15:58:50.624 destinationHosts=N/A eventId=4762037341417287789 CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=domain\\testuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-02 15:58:50.624 destinationHosts=N/A eventId=4762037341417287788 CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=tuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-04 15:58:50.624 destinationHosts=N/A eventId=4762037341417287787 CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=N/A sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-03 15:58:50.624 destinationHosts=N/A eventId=4762037341417287786   I am trying to use rex to extract a field called loginName, in which the regex will capture all entries after the "loginName=" text. I have tried ...| rex field=_raw "(loginName=)(?<loginName>[^\=]+)(?=\s)", but it does not capture all events. Please assist.

For example: |  tstats count from datamodel=test where * by test.url, test.user  | rename test.* AS * | search NOT     [ | inputlookup list_of_domains        | rename domain AS url        | fields url ] | table url, user   I want this to show me the urls from the DM that do NOT appear in the lookup, and then give me the corresponding usernames from the DM. But, this is not working properly. When I run this search, I still see some of the urls that are in the lookup. Please help!

  I have this query and I want to add another data series/line to this chart. How can I do it? index="eniq_voice" |where localDn="ManagedElement=TO5CSCF01" |bucket _time span=15m |stats max(CPULoad_Total) as CPULoad_Total by localDn _time |timechart max(CPULoad_Total) as CPULoad_Total I want to add this to the query with a linechart: |stats max(CPULoad_Max) as CPULoad_Max by localDn _time |timechart max(CPULoad_Max) as CPULoad_Max by localDn _time

I'm trying to extract field That looks like "Alert-source-key":"[\"abcdd-gdfc-mb40-a801-e40fd9db481e\"]"     I have tried this "Alert-source-key":"(?P<Alert_key>[^"]+)" but i'm getting results like "[/" since it is checking for only