I've created a table of test results using stats list() to create a table that looks like this (the application name is only listed once against the group of tests it's related to): Application TestName Outcome Website Search One Passed   Contact Page Passed   Order Form Passed Internal Query Form Passed   Look Up Passed   I would like to amend the table so that the Application is shown in the 'TestName' column above the group of tests it's related to, so it looks like this: TestName Outcome Website   Search One Passed Contact Page Passed Order Form Passed Internal   Query Form Passed Look Up Passed   I know this breaks normal table data layout but for the purposes of my dashboard I think it will make it look more readable.

1. I have below logs: server6z: INFO could not find the logs under this path(apimanager call) server6z: INFO could not find the logs under this path(apimanager call) server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server. server6z: INFO could not find the logs under this path(apimanager call) server6z: INFO could not find the logs under this path(apimanager call) server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server. server6z: INFO could not find the logs under this path(apimanager call) i have mentioned in my props should_linemerge=false line_breaker=([\r\n]+) but i am seeing error like failed to parse timestamp defaulting to file modtime. How to resolve this issue. 2. I am getting the same issue as above for this type of logs as well Sample logs: /path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file /applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files /path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file /applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files /path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file /path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file /applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files

Hello, When I run a query I get the results as I need them in a table from Splunk but when I download the .csv file, the timestamp field changes to an incorrect date and year. Does anyone know how I can fix it?        

Hi I am trying to capture all event="DcSyncs" from my index. This index also contains event="DcID". The event "DCSyncs" can occur at anytime (pretty often though), but "DcID" occurs once every 8 hours. I am trying to get all "DcSyncs" and then take the HostName field of those results and see if that HostName field has a result for event="DcID". If it does filter it out of the results. To summarize: I am trying to collect all HostName's that have a "DCSyncs" event, but no "DcID" event. I have this setup to run on an 8 hour interval so I don't think I need the time logic of the search.  I keep trying different variations, but I think I am way off. Any help is appreciated. index=MyIndex event="DcSyncs" | join HostName [search NOT index=MyIndex event="DcID"] | table _time HostName event

I guess my real question is how do I move Splunk from one company to another, including some but not all of the data and the indexes for the selected data? I see I can copy config and indexes from the $SPLUNK_HOME, but indexes are (I guess) just metadata, referencing other data. So, a search will read the index, then use that to get the data to return and display. I am going to guess Splunk will make a copy of the indexed data, because data sources can disappear for various reasons and that would not be ideal for later searches.  

I am trying to add fields from a lookup table. However, the matching field is a multivalue field. I need to expand the matching field but do not know how to group the lookup command with a multivalue command lookup file assest.csv:  ip, host 10.10.1.1|10.100.1.1|10.10.200.1, srv1 10.10.1.2|10.100.1.2|10.10.200.2, srv2 original search that returns an IP value | [lookup assets.csv ip OUTPUT host |makemv delim="|" ip] does not work