Hello richgalloway, Again thanks for the tip here, both replies are VERY helpful, If there is a way to give you each 20 karmas I would. I will try the script method as well, eholz1 ... View more

Wow two good ideas. I will try it  out. One of my main questions would be monitoring a flle or using a script - is one method better that the othe?   In my case, I might have to try the http event collector.   Thanks, eholz ... View more

Hello richgalloway and giuecello, Thanks, I am just embarking on trying to make progress in dashboard use, etc. Your suggestions are very helpful   eholz1 ... View more

Hello gcusello     What you say makes total sense, will do, and richgalloway says the same, so I will look into creating an app..   Thanks so much,   eholz1 ... View more

OK , Thanks Again, I will review things, and give it a shot.  I do appreciate the reponses - Next I realized I may have to do this row by row 🙂   eholz1 ... View more

Hello, I am trying to hide or show a panel depending on a search result. I have this search sourcetype=linux_secure user=smith eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction) | stats last(UserAction) by Date,host,user | sort - Date | where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" the search returns "On" or "Off" as the last "UserAction" I have two panels, panel1 and panel2 If the search in panel1 gives "On" for the result for user "smith", I want to show panel2 then "smith" logs off... then if I rerun the search in panel1 and it returns UserAction == "Off" I want to hide panel2 So far no luck in understanding match for the search result or eval for the search result Here is my logic: <table> <search id="log_action"> <query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction) | stats last(UserAction) by Date,host,user | sort - Date | where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query> <earliest>-15m@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <progress> <condition match="$result.last(UserAction)$==Off"> <set token="hide_panel">true</set> <unset token="hide_panel"></unset> </condition> <condition match="$result.last(UserAction)$==On"> <set token="hide_panel">false</set> <unset token="hide_panel"></unset> </condition> </progress> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> I am not desiring to use any inputs here for a form, like drop downs, etc I do know I am not understanding the use of the SimpleXML tags, etc. like <done> or result vs. job, etc any suggestions will help, Thanks Again, eholz1   ... View more

Hello richgalloway, Thanks are not enough for the help provided by this forum and your replies, I will try the "done" tag. thanks again, eholz1 ... View more

Hello and I need some help on simple xml and dashboards I have a token "hide_panel" I have two panels - one gets an "Off" (panel1) result in the search, the other panel (panel2) gets an "On" result in the search. I want to show the "On" panel when the dashboard opens, and if a search is run on panel1 - that has ";Off" in the result, hide panel2. I am not understanding the tags: <progress> I do have a sample that works using a dropdown - but have yet to understand how to set and unset the token so panel2 shows first, and then hides My code is like this: <search> <query>sourcetype=linux_secure user=* eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction) | stats last(UserAction) by Date,host,user | sort - Date | where 'last(UserAction)' == "Off"</query> <earliest>-35m@m</earliest> <latest>now</latest> <progress> <condition match="'job.UserAction' == Off"> <!-- unset token="hide_panel"></unset --> </condition> <condition match="'job.UserAction' == Off"> <set token="hide_panel">false</set > </condition> </progress> <sampleRatio>1</sampleRatio> </search>   Any suggestions will help, thanks, eholz1 ... View more

Thanks eholz1 ... View more

This seems to be an excellent tip. But, it no works for me. I get two rows back from as search - sorted by _time. Each row has a field called UserAction. One row (the latest) has a UserAction value of "Off", the earlier row has a value of "On" Ideally I would like to show only one row - "On" and when the "Off" comes in I would like to hide that row. I have tried two panels in a parent dashboard - my idea was to hide the panel that has the "On" search result. I would also like to have the "Off" panel hidden on the parent dashboard. I have tried things as shown here - but it seems the second panel is always hidden regardless of my token <set token="showPanel">true</set>. If I set it to false - the dashboard remains hidden. I am missing something  but have not yet found what I am missing Thanks for a helpful resource eholz1 ... View more

Hello Thanks for the reply. I will check your revision and see what happens. I have also seen how to hide a dashboard panel, but cannot get that to work with way I want.   Thanks, eholz ... View more

500 karmas to richgallowy - thanks ... View more

Hello,   I have to rebuild things now. I will get things going, and post the seaerch, etc here. thanks for the tips eholz1 ... View more

Hello RichGalloway,   Thanks for the reply - I will check the sourcetype. for a "custom" index should I configure the Universal forwarder in its outputs.conf or on the indexer's inputsd.conf? I am going to try to delete the source type - not sure how to do that - but I will dig around for that. The file being monitored does not have duplicate dates, etc.   Thanks Again, eholz1 ... View more

Thanks again for the clarification - I am still learning! ... View more

Thanks again for the tips. Now one last dump question - how do I verify that this works? Do I need any other settings in the props.conf file to allow the data to be viewed in a search? When I configure the props.conf file with the source "my_source", I still see all the data in the log file that i do not need.   Thanks again, eholz1 ... View more

hello richgallowy, I will give this a shot, and see what happens. and come back if I have any questions.  could I add an "OR" to this like:  EXTRACT-error = Error(?<Error>.*)$ OR Notice(?<Notice>.*)$ thanks for the support, eholz1 ... View more

Forgot to ask, I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?   Thanks, eholz1   ... View more

Hello Chaker, Thanks for responding to my question. I will review the links you placed in your respose. This will help. Thank you very much for taking the time to respond.   Eholz1     ... View more