hello, i have a dashboard with multiselect input and dropdown input but for some reason they are both greyed out and the search is not updating after selecting at the first time. also i have no option to configure default value for both of them <form> <label>List of Pause Events with Times</label> <fieldset submitButton="false"> <input type="multiselect" token="serialnumber" searchWhenChanged="false"> <label>Serial Number</label> <prefix>SerialNumber = </prefix> <fieldForLabel>sn</fieldForLabel> <fieldForValue>sn</fieldForValue> <search> <query>index="emea_fdm" | `SerialNumber`</query> <earliest>0</earliest> <latest></latest> </search> <delimiter>OR</delimiter> </input> <input type="dropdown" token="sourcetype" searchWhenChanged="false"> <label>Source Type</label> <prefix>sourcetype = "</prefix> <suffix>"</suffix> <fieldForLabel>st</fieldForLabel> <fieldForValue>st</fieldForValue> <search> <query>index="emea_fdm" sourcetype="fdm_*_system"</query> <earliest>0</earliest> <latest></latest> </search> </input> </fieldset> <row> <panel> <title>EMEA</title> <table> <search ref="List of Pause Events with Times"></search> <option name="count">20</option> <option name="drilldown">cell</option> <drilldown> <link target="_blank">/app/St/report?s=SSYS-List%20of%20Pause%20Events%20with%20Times</link> </drilldown> </table> </panel> </row> </form> ... View more

hello, i have this configuration in my props.conf file: [f170_system] BREAK_ONLY_BEFORE = ^\w\s\d+\s\d{2}:\d{2}:\d{2} DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_PREFIX = ^ TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 30 category = Custom pulldown_type = true and i have events from two types: Nov 11 21:43:17 : Info:copyconfig Sep 20 23:29:54 manager: for those who has ":" after timestamp the timestamp is incorrect so for example, splunk shows 6.2.2019 while in the event is 11.11.18 for those who has "manager:" after timestamp everything is ok. any idea why ? ... View more

Hello, i have these 3 stanzas in my transforms.conf file: [set_f270_header] REGEX = (^\$\w+\s\d+|^\-\-\-\-\- header) FORMAT = sourcetype::f270_header DEST_KEY = MetaData:Sourcetype [set_f270_system] REGEX = (^\w{3}\s+\d+\s\d{2}|^\-\-\-\-\- System Log) FORMAT = sourcetype::f270_system DEST_KEY = MetaData:Sourcetype [set_f270_joblog] REGEX = (^\$\w+\s\d+|^\-\-\-\-\- joblog) FORMAT = sourcetype::f270_joblog DEST_KEY = MetaData:Sourcetype my files names are for example: 037388b4-0f12-410e-a8ab-a795e9244e22.sanitized.joblog 130dab3c-3e62-45a0-aefe-f160c0dd3325_header 73dc67bc-db07-49d5-a12c-a1ed12f54fee_System+Log Beside them, i have more file types, but I don't want to index them right now. My problem is that the files are not indexed correctly and I got all the file types in my sourcetype What am I doing wrong ? ... View more

Hi I have two values that i need to check which one of them is bigger and calculate the gap between them how can i do it ? i tried this : | rex "Current temp Front block = (?<Front>.+)" | rex "Current temp Rear block = (?<Rear>.+)"|eval gap=coalesce(Front>Rear, Front-Rear, Rear-Front) |table Front Rear gap But gap is returning empty ... View more