Hi All, I have a dashboard with a dropdown of about 40 choices that come from a search query (not static). Each choice should "unhide" the respective panel on the dashboard.  I do not think I am grasping the <done>, <change>, <finalized>, <condition match>, etc elements I need to figure this out.  I have created a dummy version of my actual dashboard below:       <form> <fieldset submitButton="true" autoRun="false"> <input type="dropdown" token="dashboard"> <label>Dashboard Selection</label> <fieldForLabel>Picker</fieldForLabel> <fieldForValue>Picker</fieldForValue> <search> <query>| makeresults | eval Picker = "Apple,Orange" | eval Picker = split(Picker,",") | stats count by Picker</query> </search> </input> </fieldset> <row> <panel> <html>DEBUG TOKENS : : : showapple - $showapple$ || dashboard - $dashboard$</html> </panel> </row> <row> <panel depends="$showapple$"> <title>Apple Dashboard</title> <table> <search> <query>| makeresults | eval Events = "10.10.10.10" | table Events</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$showorange$"> <title>Orange Dashboard</title> <table> <search> <query>| makeresults | eval Events = "192.168.1.1" | table Events</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>        You will notice I do not have any code to decipher when showapple or showorange is true.  I basically tried iterations of this code to make it work:       <done> <condition> <eval token="showapple">if($dashboard$="Apple","TRUE",null())</eval> <eval token="showorange">if($dashboard$="Orange","TRUE",null())</eval> </condition> </done>       I have tried using the above in different areas, and I always get null().  I also tried doing <change> instead of <done> so the dashboards would change depending on the dropdown value instantly, but I did not have success there either.

I have below JSON event where there are errors present in a field which is a list. I want to extract the values in the list and group them with another field which is part of an object of the same event.  After grouping I want to count them like below output. I am using below query but not getting the expected output. Any help on this will be highly appreciated.  Sample JSON Event1   { "errorList": ["There is an ErrorA", "There is some other ErrorB", "Ohh another ErrorC"], "Details": { "type": "ABC" } }     Sample JSON Event2   { "errorList": ["There is some other ErrorB", "Ohh another ErrorC"], "Details": { "type": "XYZ" } }     Expected Output   Type Error Count ABC There is some other ErrorB 3 ABC There is an ErrorA 4 XYZ Ohh another ErrorC 2     Query I am trying      BASE_SEARCH | rex field=MESSAGE "(?<JSON>\{.*\})" | spath input=JSON | rename Details{}.type as "Type" | rename errorList{} as "Error" | stats count as Count by "Type" "Error" | table Type, Error , Count  

I have a search which triggers an alert if an event hasn't be received by 6.20 am. That alert works fine but it needs to send data into another system. That system needs a unique id within it's Key field. key=$result._time$ won't work as the event doesn't exist. Is there a way to add a unique value into that key field on an event that doesn't exist? The search is: sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"

Hello everyone, Have you ever wondered why microsoft does not documented Operation types with Unicode + meaning? You don´t need to anymore. I have made the needed research (anyone can do) and here are the results: %%2458 = Read %%2459 = Write %%2457 = Delete      

I have an alert with a "Send email" trigger action when the number of results is greater than zero. The aim is to send a table of results inline in the email. This isn't currently working - no email is being received when there are valid qualifying events in the search period (previous day). The alert was deployed using the SHC deployer, and is owned by "nobody". If I "Open in Search" I see results. If I clone the alert so a local version is run under my user context, I get the alert email sent.   Looking into _internal events, I can see that when the "nobody" search runs, no results are returned, and hence no email is sent - this isn't an issue with email configuration. Why does this search in this context give me no results?

Hi all, I have a correlation search that passes alerts from another system into ES and I need to prevent the urgency of the alert from being changed by ES. Essentially I (think I) need ES to ignore the priority of any asset or identity associated with the incident so that the urgency doesn't change. Cany anyone offer any advice on how to do this? Thanks very much  Edit: I should add, I didn't create the original correlation search and I don't have much experience in this area, hence the question. Thanks again!

I am testing PAVO Getwatchlist Add-on 1.1.7 on Splunk Enterprise 9.0.0 It looks working almost fine. I need to use additional columns and set configration in getwatchlist.conf like following. 1=additional1 2=additional2 3=additional3 ... I expected that field name of additional columns become "additional1", "additional2" ... But, it became "1", "2", ... I have tried to modify getwatchlist.py like following. $ diff getwatchlist.py getwatchlist_fix.py 388c388 < row_holder[add_col] = self.format_value(row[int(add_col)]) --- > row_holder[add_cols[add_col]] = self.format_value(row[int(add_col)]) After that, the field names became "additional1", "additional2" ... as expected. I am not sure which behavior is correct. But, I feel "additional1", "additional2" ... are better.

I've tried to explore every links and docs in the AppDynamics website, but i still can't find any related information 1. Is there any user limit on AppDynamic? Or we have freedom to create as many user as we want, per controller? And what's the controller term actually means? Is it counted as an account or a license that I've purchased? 2. Is there any data ingest or data usage limit on AppDynamic Pro plan, like limited each month only 300GB and i have to pay more if i need to increase it, or is the one i found at your docs is correct (100GB/Day/User) Regards, Yohan

Hello Kindly assist me in this query/solution. I have a long list of IPs that logged in. Out of this list, I want to know the percentage of only 5 IPs. When I use this query ---My base query----         | search NOT IPs IN ("IP.A", "IP.B", "IP.C", "IP.D", "IP.E") | stats count by IP | eventstats sum(count) as perc | eval percentage= round(count*100/perc,2) | fields - perc         It gives me a table like this IP Count Percentage IP.A 52 37 IP.B 35 26 IP.C 22 18 IP.D 44 17 IP.E 11 2 The Total percentage =100%. But when I use this query ---My base query---- ip=*         | stats count by IP | eventstats sum(count) as perc | eval percentage= round(count*100/perc,2) | fields - perc         I get about 5 pages of all the list of the IPs and their respective percentages including the IP.A to IP.E in a table which all together totals 100% but the percentages of IP.A to IP.E changes completely. The 5 IPs shouldn't give me a 100%. It should a percentage fraction of the whole. Please help.