Dear Splunk Community, I need some help fetching data from a source, then use the results as a searchparameter for different other searches  and put all of the results into one statistics table. I have (names have been changed): One index : [myIndex] One host : [myHost] Source one : [/xxx/xxx/xxxxx/xxxx/log/xxxxxxx/*/*.log] Source two : [/yyy/yyy/yyyyy/yyyy/log/yyyyyyyyy/firstlogfile.log] Source three : [/zzz/zzz/zzzzz/zzzz/log/zzzzzzzz/seconflogfile.log] I have the following dashboard: In the upper left you see a statistics table. A RUNID is basically a timestamp. I have a lot of different files that contain the RUNID. I collect all the files and then display each RUNID only once (so duplicates are not shown) using the following query:   index="myIndex" host="myHost" source="/xxx/xxx/xxxxx/xxxx/log/xxxxxx/*/*.log" | eval source=replace(source,"^/xxx/xxx/xxxxx/xxxx/log/xxxxxx/","") | eval source=replace(source,"/.*","") | stats values(source) by source | fields source | rename source AS "RUNID" | sort RUNID desc   When I click any RUNID another search is performed in the upper right (DATA) statistics table. This has the following query:   index="myIndex" host="myHost" source="/xxx/xxx/xxxxx/xxxx/log/xxxxxx/$tokenRUNID$/*.log" CTJT* $meldingen$ | fields _time, _raw | rename _time AS "Datum" | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Datum) | eval _raw = replace(_raw,"^[^#]*#", "") | rename _raw AS "Sensor Activiteit" | sort Datum desc    In the bottom (center) I have 3 single value fields that show ERRORS, WARNINGS and INFO. For each I have the following code (with the exception of the field ERROR/WARN/INFO) :    index="myIndex" host="myHost" source="/xxx/xxx/xxxxx/xxxx/log/xxxxxx/$tokenRUNID$/*.log" CTJT* AND CASE("ERROR") | stats count   And at last I have a single value field showing the profile:   index="myIndex" host="myHost" source="/yyy/yyy/yyyyy/yyyy/log/yyyyyyyyy/firstlogfile.log" OR source="/zzz/zzz/zzzzz/zzzz/log/zzzzzzzz/seconflogfile.log" $tokenRUNID$ "started with profile" | rex field=_raw "profile\s(?<whatever>[^\s\r]+)" | stats count by whatever | fields - count     So right now I have multiple data searches in different representations (single value fields, data tables etc.). I would like to create the following: A table with RUNID's where the table also shows the PROFILE, DATE and the WARNINGS, ERRORS and INFO counts right next to it. It should look like this, but populated: So I basically want to place multiple searches and results into one statistics table. I have tried playing with appendcols like described in this topic: https://community.splunk.com/t5/Splunk-Search/multiple-search-output-in-a-single-table-list-something/m-p/39644#M9063 But using index gives me the error  Unknown search command 'index'. How can I manage to get the above? Thanks in advance.    

Hi guys,    Probably very simple question but I just tangled myself in the logic.  I want to create 2 fields, one with today's date so I have that one | eval today_date=strftime(now(),"%B %d, %Y") and the second one where I want to subtract 30days from that date. How do I get about it?

I'm working on calculating the storage space taken up by a specific user. I would like to calculate the total size of their search artifacts at any given time - we would like to see if they are hitting their storage limits regularly. This will indicate we need to increase the storage limit. I'm running this search to get the jobs for a specific user: | rest /services/search/jobs | search author=<user> The next thing to do would be to calculate the size of all jobs that have not expired yet. I can get the life of the search (ttl field) and when the search started (published field), and a sum of those should give the time the search expires. However, if I check the "Jobs" report, the "Expires" field does not correspond to what I calculate. There must be some additional factor involved in the calculation of the "Expired" field..?

Hi,  I have a log like this : 2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE {"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z","sourceType":"my_sourcetype","source":"source_name","Type":"my_type","event":{"field":"my_field"},"time":169,"category":"XXX"} My props.conf is like that : [extract_json] TRUNCATE = 999999 SHOULD_LINEMERGE=true NO_BINARY_CHECK=true TIME_PREFIX=timestamp: MAX_TIMESTAMP_LOOKAHEAD=10000 BREAK_ONLY_BEFORE ={$ MUST_BREAK_AFTER=}$ SEDCMD-remove-header = s/^[0-9T\:Z]*.*\s*{/{/g My issue is that I need to extract only the json element from my logs but with those parameters from my props I get a bad extraction : the end of my json ( {"field":"my_field"},"time":169,"category":"XXX"} ) goes to an other event line and is not in json. I have children brackets into parent bracket and I think my SEDCMD is not correct. I would have the entire json element in one event.  Can you help me please ? Thank you !

Hi , I have a splunk app in a cluster environment which I need to hide from list of apps from the UI.  To do this, I have made the following changes in SH Deployer: [ui] is_visible = true This works fine, however, I can access the dashboard of this app, if I have the url handy (which is OKAY), the only problem here is, If I try to go to search url of the app, it gives 404 error. Any idea or leads on how to search index /navigate to search window of the app. TIA!