This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&) 41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - -> i want to this ↓ ip -- [time] text ip -- [time] text ip -- [time] text   What can I do? (use LINE_BREAKER, etc)

Hello everyone I hope you guys are doing just great!   I have a sort of simple question but I have not been able to come up with a solution.. I want to be able to filter out rows of a table where there are multivalues based a numeric criteria, this is an example: I have this: AGENT INX ROCKS TASK XX_9 7 9 -6 T Y U TY-8 GY-0 FG-67 XX_10 7 -49 -66 UY IO UJI TY-8E G-0 VG-67   I would like to only remove all rows in the table where  the multivalue field "INX" have negative numbers and have something like this: AGENT INX ROCKS TASK XX_9 7 9 T Y TY-8 GY-0 XX_10 7 UY TY-8E   I have tried using mvfilter and mvfind and mvindex but... every trial has not been successful yet so I really love you guys for helping me out thanks a LOTTTT kindly, Cindy

Hi, My dashboard has a row-clickable table.  allassetstable.on("click", function(e) { // Bypass the default behavior e.preventDefault(); // Displays a data object in the console console.log("Clicked the table:", e.data); });  Now once I clicked the table, I got this from console:  Clicked the table: {click.name: "database_id", click.value: "dfd033abe230eb961276fd5981c209f11b7925ee8736474265196215bc0f8b7d", click.name2: "database_id", click.value2: "dfd033abe230eb961276fd5981c209f11b7925ee8736474265196215bc0f8b7d", row.database_id: "dfd033abe230eb961276fd5981c209f11b7925ee8736474265196215bc0f8b7d", …} click.name: "database_id" click.name2: "database_id" click.value: "dfd033abe230eb961276fd5981c209f11b7925ee8736474265196215bc0f8b7d" click.value2: "dfd033abe230eb961276fd5981c209f11b7925ee8736474265196215bc0f8b7d" earliest: "1621956660.000" latest: 1624819906 row.anomaly_count: "144" How should I modify the JS code to get the value stored in click.value instead of the entire data block? I tried e.data.click.value before but it didn't work out.  Thank you in advance!  Regards,

My source dashboard has a clickable table and once a user clicks a row the user will be taken to a destination dashboard and the token will be set to database_id which is then passed in to run a search on the destination dashboard. Now both two dashboards are using a single JS file. But I realized that the token will not be successfully passed in to the search as the token value is not set when the destination dashboard reads the JS file. Could someone please provide help on how should I transfer the token value between two dashboards using SplunkJS? Thank you in advance! Here's the code for event handler on the source dashboard:   allassetstable.on("click", function(e) { // Bypass the default behavior e.preventDefault(); // set token name and value tokenSet.set("databaseID_tok", e.data.click.value); // link back to asset-specific anomalies page utils.redirect("Ano","_blank"); });     Below is the code for search on the destination dashboard:   var search2 = new SearchManager({ id: "ano", preview: true, cache: true, latest_time: "now", search: "index=anomalies database_id=$databaseID_tok$" }, {tokens: true});      

I have a search result like below: { [-]    dt: 2021-06-24T22:46:40.7013297Z    flds: [ [-]      { [-]        fn: username        nv: LearningRegApplication      }      { [-]        fn: dbQueries        nv: SQL_QUERIES=Select emp.fieldA, emp.fieldB, emp.fieldC, emp.fieldD from Template.table emp WHERE (UPPER(emp.fieldA) = UPPER(:emp.fieldA)) AND (UPPER(emp.fieldB) = UPPER(:emp_fieldB)) AND (UPPER(emp.fieldC) IN (UPPER('aaa'), UPPER('bbb'), UPPER('ccc'), UPPER('ddd')))      }    ]    sf: EmployeeLogic    sid: T1-SECURITY-{A-8FE-76E9-C3A2-ED890B}    sm: GetAsync    stat: Success    tid: yb6Any-PG00IG53 } I used   |SPATH OUTPUT=status PATH=stat | SPATH OUTPUT=nv PATH=flds{}.nv | SPATH OUTPUT=fn PATH=flds{}.fn | Table fn nv host status.  The results return 4 columns.  Each row has the array of the 2 sets of key-value pair in the fn/nv stacked together.   But host and status has only hostname and status values as follows: fn            nv              host             status (Row 1) username     LearningRegApplication                                                                                          MyHost  Success (Row 1) dbQueries     SQL_QUERIES=Select emp.fieldA, emp.fieldB, emp.fieldC, emp.fieldD from Template.table emp WHERE (UPPER(emp.fieldA) = UPPER(:emp.fieldA)) AND (UPPER(emp.fieldB) = UPPER(:emp_fieldB)) AND (UPPER(emp.fieldC) IN (UPPER('aaa'), UPPER('bbb'), UPPER('ccc'), UPPER('ddd')))   And I have uploaded a CSV file that contains all query fields name.  I want to see each field was queried by which application and insert them in that field row (not sure what is the best way to present this information).  So the output may look like something below: fieldA  LearningRegApplication fieldB  LearningRegApplication, AThirdApp fieldC  LearningRegApplication, ASecondApp fieldD  LearningRegApplication fieldE  ASecondApp, AThirdApp fieldF  AForthApp   :   :  What is the way to use the full CSV list of field names to insert the app to each SQL field name?

Hi, Is it possible  from Splunk universal/heavy forwarder to forward data to third party REST API endpoint over https using basic authentication ? I have use case where Splunk universal/heavy forwarder has to forward data to Splunk enterprise + 3rd party client REST api endpoint for processing data. Is this use case possible ?