I have a set of results for the search with id="base_metrics_search" which provide 3 panels with data.  The events each contain a bunch of question metrics and have two fields of note: question_id and is_answered, which I'd like to use to provide data for another 2 panels. An example result set would be: question_id is_answered 1 1 2 0 3 1 4 0 5 0 6 1 7 1 8 1 9 0 10 0 11 1 12 0 13 0 14 1 15 1   How do I find the ids of the first 5 answered and unanswered questions? The first 5 of each type could be in any order. I am hoping to use two tokens to pass these values to other panels using a multivalue or comma separated list. So for the above example, I would end up with something like: answered_ids = 1,3,6,7,8 unanswered_ids = 2,4,5,9,10 I have searched around the doc and I haven't figured out what SPL to use to do this. I am currently using a chained search approach using "head" but this gives me results in the first panel but none in the second:  (I'm using splunk enterprise 8.2.2) <panel> <title>Top Questions</title> <table> <title>Answered Questions</title> <search base="general_metrics_base"> <query>| head limit=5 (is_answered=1) | fields ...</query> </search> <option name="drilldown">none</option> <option name="refresh.display">none</option> </table> <table> <title>Unanswered Questions</title> <search base="general_metrics_base"> <query>| head limit=5 (is_answered=0) | fields ...</query> </search> <option name="drilldown">none</option> <option name="refresh.display">none</option> </table> </panel> I'm looking into passing just the question_Ids on since I need to do further querying in those next two panels anyway.  I assume the answered questions search gets rid of events in the base_metrics_search results preventing the unanswered questions panel search from using them. Should the second panel (for the unanswered questions) of a pair of panels, both in a chained search based off the same original search, get the same original results set to process that the base_metrics_search returned to the first panel? Thanks in advance for any help you could offer!

I want to create the new_field when other values of field_1 is less than of first value. Here in below example as 23 greater than other values then do sum of all which is 44. for 10 is the smallest then its result is 10 for 11 there is one more value is less which is 10 then do sum with 10 then result is 21

When i have query data  result from search in field worker id it show >> domain\worker_id search result Example  ABC\123456  it have domain name front of worker id. If i would like to deleted only domain  ABC\  in field and result  show only number of worker id  . Example    ABC\123456   >>> 123456 Please recommend  how to query in search. Best Regards, CR

Hello, I'm struggling to convert two status codes (200 and 400) from ms to secs and display the values in a line chart. tmdEvntMs is the API response time in ms, and httpStatus is my status codes. I tried using foreach, and  it just converts the response time back to ms.  timechart span=6h avg(tmdEvntMs) AS avg_response by httpStatus | foreach * [eval avg_response=round(avg_response/1000, 2)]   Any suggestions would be greatly appreciated. Thank you

Hi, I'm using the following search string in Infoblox reporting:     sourcetype=ib:audit index=ib_audit | sort -_time | rename TIMESTAMP as "Timestamp", ADMIN as "Admin", ACTION as "Action", OBJECT_TYPE as "Object Type", OBJECT_NAME as "Object Name", EXEC_STATUS as "Execution Status", MESSAGE as "Message", host as "Member" | search Admin=* Action=Created OR Action=Deleted "Object Type"="IPv4 Network Container" OR "Object Type"="IPv4 Network" | fields + Action, Admin, Member, "Object Name", "Object Type", "Comment" Timestamp |fields - _raw, _time     This search is to alert on new network or network containers created via the audit log. What I would like to do in addition to this, is pull in the comment from the network, which looks like this from the splunk search: 2022-10-03 15:00:23.984Z [guestrw]: Created Network 192.168.100.0/24 network_view=default extensible_attributes=[[name="Building",value="B2"]],address="192.168.100.0",auto_create_reversezone=False,cidr=24,comment="DDIguy Reporting test",common_properties=[domain_name_servers=[],routers=[]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False "commentDDIGUY Reporting test"  Can someone please help me understand how I can pull that into the first search query?   

I'm a bit confused. If I have accelerated datamodels and upgrade CIM version and the update adds new fields in datamodels... What then? Will my datamodels keep at old definition version since they are accelerated and you can't edit accelerated datamodels? Will I have to rebuild my accelerations from scratch? That could be a bit... unfotunate since my summaries are huge.

Hi, I am b/t a rock and a wall, looking for any suggestion to solved this.   I am using the URL ToolBox to dissect URI "ut_path" into fields separated by "/" characters. For instance >>>      index=foo sourcetype="bar" Requested_URI=* | lookup ut_parse_simple_lookup url AS Requested_URI | fields ut_* Requested_URI User_ID | table User_ID RequestUri ut_scheme, ut_netloc, ut_path, ut_query, ut_fragment, ut_params ut_path = /a1/f1/f2/f3/4/5 ut_path = /a1/f1/f2 ut_path = /a1/f1/f2/f3/f4 ut_path = /a1/f1/f2/f3       The "ut_path" field has different value paths of varying length, each section (like f1) needs to get extracted into a new field so that I can run stats on it.    Is there a way to auto-extract dynamically, or conditionally? Thank you!