Hello, I have a main search, with an append command. Some events contain just the user; others just the addr; and still others both the user and the addr. The issue is I only know user. However, to find events which contain just the addr I need to search the log for events where the user!="" and where addr!="". Then I can run a new search on log with $addr=addr. I will use dedup at the end. |append [ search index ="events" AND source="log" AND (user="$userId_tok$" OR [ search index ="events" AND source="/log" AND user="$userId_tok$" | head limit=1 | eval addr="\"".addr."\"" | return $addr ] Can OR work with subsearches? I hope that makes sense. Thanks and God bless, Genesius ... View more

Hello, I have the results from a dashboard dropdown feeding another dropdown; and I receive this error. There is also a Timepicker input. Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: host=host. Here is the first input. <input type="dropdown" token="hostName"> <label>Host Name</label> <prefix>host="</prefix> <suffix>"</suffix> <default>*</default> <choice value="*">All</choice> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query> index=test_linuxevents AND host!="*splunk*" AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$ | stats count by host </query> </search> </input> This is the second input, which generates the error. <input type="dropdown" token="userId"> <label>user</label> <prefix>user="</prefix> <suffix>"</suffix> <default>*</default> <choice value="*">All</choice> <fieldForLabel>user</fieldForLabel> <fieldForValue>user</fieldForValue> <search> <query> index=test_linuxevents AND host=$hostName$ AND sourcetype="Unix:UserAccounts" AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$ | rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)" | dedup user </query> </search> </input> In second input, I am using host=$hostName$. This is similar to what Splunk Dashboard Examples App has coded with user=$username$. /simple_xml_examples/simple_form_cascading/editxml?form.username= <fieldset autoRun="true"> <input type="dropdown" token="username"> <default>*</default> <choice value="*">All</choice> <fieldForLabel>user</fieldForLabel> <fieldForValue>user</fieldForValue> <search> <query>index=_internal | stats count by user</query> <earliest>-24h</earliest> <latest>now</latest> </search> </input> <input type="radio" token="source"> <default>*</default> <choice value="*">All</choice> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> <search> <query>index=_internal user=$username$| stats count by sourcetype</query> <earliest>-24h</earliest> <latest>now</latest> </search> </input> </fieldset> What am I missing? Thanks in advance for your help. God bless, Genesius ... View more

Hello, I have searched Answers and will continue to search after I post this. I'm not sure I am entering the correct search terms. I have a input dropdown (dynamic) on a dashboard. Note: This works with no issues <input type="dropdown" token="sudoUserName"> <label>Select a User ID.</label> <prefix>sudoID="</prefix> <suffix>"</suffix> <default>*</default> <choice value="*">All</choice> <fieldForLabel>sudoID</fieldForLabel> <fieldForValue>sudoID</fieldForValue> <search> <query> index=linuxevents process="sudo" AND "COMMAND=" | rex field=_raw ".*sudo:\s(?&lt;SLMsudo&gt;.*$)" | rex field=SLMsudo "(?&lt;sudoID&gt;[A-Za-z0-9]+).*COMMAND=(?&lt;sudoCommand&gt;.*$)" | dedup sudoID </query> <earliest>$Selected_Time_Range.earliest$</earliest> <latest>$Selected_Time_Range.latest$</latest> </search> </input> Problem. I need to match the token sudoUserName to the field sudoID. However, the field sudoID is a field created during running of the below SPL using rex on _raw, which creates SLMsudo. From there another rex to create sudoID. I only want events where the sudoID matches the sudoUserName. (Apologies if I am repeating myself.) Here is the code for that portion. index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$ | rex field=_raw ".*sudo:\s(?&lt;SLMsudo&gt;.*$)" | rex field=SLMsudo "(?&lt;sudoID&gt;[A-Za-z0-9]+).*COMMAND=(?&lt;sudoCommand&gt;.*$)" | eval sudoID=$sudoUserName$ | table SLMsudo, sudoID, host, sudoCommand, _time The eval command is kicking off this error. Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([boolean expr], [expr], [expr]). Please let me know if there is any other information you require. Thanks and God bless, Genesius ... View more

Hello, I’m having issues with a report not displaying correctly. If I save a bar chart as a normal report, the Y-axis is populated with values. Once I add it to a dashboard, the Y-axis values disappear. Saving the report as a pivot first, the Y-axis values display in the pivot editor. Once I save it, the Y-axis values disappear. In pivot editor, if I change from bar to column, the Y-axis is populated with values. Has anyone experienced values of the Y-axis disappearing? I will supply screenshots and SPL in an update. I am rushing off to a meeting right now. But I was hoping someone might have an answer before I post the screenshots and SPL. I checked this answer, https://answers.splunk.com/answers/555512/y-axis-values-vanish-when-exported-to-dashboard.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev and that is not the issue. I viewed it on a wide screen monitor as a single panel on a row. Still no Y-axis values. Thanks and God bless, Genesius ... View more

Hello, Novice, but getting better. I am searching the Internet, Splunk Docs, and Splunk Answers for an answer. Meanwhile, I figured to post my issue. After the general search commands (index, sourcetype, etc.) I want to perform branching to different SPL commands based on the value of a field. For example in pseudo code. if process=snmpd (| rex message=(blah, blah, blah) | stats count(process), blah, blah, blah) if process=sudo (| rex message=(blah, blah, blah) | stats count(process), blah, blah, blah) etc., etc.,..... I'm figuring this will be a combination of where, eval, case. However,I haven't figured out which one or combinations this would be. I will continue to research and test. And any guidance or direction is appreciated. Thanks in advance and God bless, Genesius ... View more