Interesting question. Is the requirement to have a single view or simply a single PDF? If it's the latter, you might consider a custom search command to iterate over the results of the generating search and create each view separately. Then you could merge the resulting PDFs, either with a command line tool or in Python itself (I found some code samples with a quick search), and email it through the script, or maybe generate an alert with a link to the file location. I've never tried anything like this, so I don't know how feasible it is, but maybe it's helpful. ... View more

That's odd. You changed the field in the timechart command, right? timechart span=1d count BY legend (or newfield). sowings is probably right about the lookup being best, especially if you will ever reuse this. ... View more

I'm also curious about this. Any update? ... View more

@jbsplunk, thanks for the reply. In general, to clean a distributed index, do I have to bring down Splunk on all indexers at once? Or could I bring down Splunk on each indexer one at a time, so that any data coming in could go to the remaining indexers? ... View more

You can replace the actual value of the ApiKey field with rex: ...| rex field=ApiKey mode=sed "s/123/NiceName/" I don't know of a way to run multiple sed commands in one rex statement, so you'd need four of those. If you wanted to create a new field, you could do an eval with a bunch of nested ifs, something like this: ...| eval newfield=if(ApiKey="123","Foo",if(ApiKey="456", "Bar", if(ApiKey="789","Baz",if(ApiKey="abc123","Fiz","Faz")))) and then break up the timechart by newfield instead of ApiKey. I don't know of a way to rename the lines in the legend, though there may be one. ... View more

@lancealotx, would you mind posting your search and what actually shows up in the legend? I'm unclear what's unreadable about it. ... View more

Dangit. Thanks. ... View more

It can't be done in simple xml? ... View more

No problem, @HansK. Could you click the checkmark to accept the answer? ... View more

What if the user doesn't have permission to edit transforms.conf? Say it's a file they generated on the fly. ... View more

I used stats to split out the max by each host and instance, then used eval to create a new field (eval hostInstance = instance . ":" . host), then displayed the max value with the conjoined field. Inelegant but functional. I think this is the way to go, though: ...| stats max(Value) as Max by instance,host | dedup instance sortby -Max Still have to mess with numbered instances and case-sensitivity, but it's less ugly. Also, if you want to keep the top X readings per instance instead of the top 1, you can say "dedup X instance sortby -Max". ... View more

This is ugly, but it might work for you. This is modified from a query I ran on my own test data, so it may need tinkering. index=test-tibco parent_job_id=80353 | eval foo=event_time . "::" . child_job_id ."::" . MessageText . "::" | transaction service_name, parent_job_id | rex max_match=20 field=foo "^(? .?)::(? . ?)::(? .*?)::\s" | table service_name, parent_job_id, EventTime, ChildJobId, MessageTextItem The first eval joins your three target three fields into one field for each event. I used a double colon to join, but it can be any character sequence that doesn't appear in your data. After the transaction command, foo contains the sequence of all events in the transaction. The rex command splits the foo field back into its components. Note the max match parameter must be set to some number greater than 1 to match multiple entries in the field. Unfortunately there doesn't seem to be a way to make it unlimited (setting it to 0 didn't work), so you'll have to set it high enough to cover the maximum number of transaction events in your environment. I don't know what the performance implications of a high max match would be. Miscellaneous notes: Your MessageText field has spaces in the data, while my test data does not. Since there is a terminating :: delimiter at the end of foo, I think this will still work, but those spaces are something to keep in mind if you have to play with the regex. Also, I tried to keep the three fields joined as one, but the formatting didn't work out; trying to figure out tab characters in headers and such didn't make sense. I hope this helps. ... View more

@BryanBerry, I'm not sure I'm parsing your data correctly. Why do you need the first transaction command that includes the child_job_id? Also, have you considered using eval to create a new field that concatenates event_time, child_job_id, and MessageText before you calculate the transaction? ... View more

What is the recommended solution on 4.3.2? Wildcards don't seem to work anymore. ... View more

Okay, thanks. Next question: Can I override an intention in the target view? I'm testing with another view that has a stringreplace intention with a default value for the field I'm trying to pass in, and the search contains that $parameter$ explicitly. The search time (which isn't a parameter in the target search) is passed through correctly, but the other field ends up with the target's default value. ... View more

That might work, but it would make your current data different from your historical data, and people might get unexpected results if they search across both sets. If you don't care about that, or if you're going to delete the old data, it's probably fine. If you don't mind, would you post a line from your "table _time Used" so I can see what the format looks like? Or print "table _time Used Multiplier" to see if the multiplier is always 1? The eval method should work, but without seeing the exact data it's hard to get the correct syntax. ... View more