Hi @packet_hunter, It sounds like you could use eval match to check for the field value that determines the recipient and content of your message, then use tokens to represent the field and recipient values. Set the recipient value conditionally depending on what the field value is, and use the tokenized field value in your email message to customize it. See: http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens and https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval Here's an example use of eval + match to evaluate the "source" field for different values and set the "env" token accordingly. This search was used to generate form input labels. <search> <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query> </search> source: https://answers.splunk.com/answers/495097/why-is-my-dashboard-search-not-getting-updated-wit.html#comment-495121 ... View more

I think I might see the problem, or a place to start troubleshooting. I created a similar dashboard to yours using different data and a very slightly modified query so that I could generate the input values. As pointed out here: https://answers.splunk.com/answers/329960/duplicate-values-causing-conflict.html I think there might be an issue with your field for label and field for value settings in the dropdown input. I was getting a "conflicting values" error until I made sure that the field was the same as the token ("env") that was getting set in the query. Here is the relevant part of my sample code that worked. <fieldset> <input type="time" searchWhenChanged="false"> <label>Select a time:</label> <default>Last 24 hours</default> </input> <input type="dropdown" token="env" searchWhenChanged="false"> <label>Environment</label> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <search> <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query> </search> <default>Metrics</default> </input> <input type="text" token="type" searchWhenChanged="false"> <label>Request Type</label> </input> <input type="text" token="type2" searchWhenChanged="false"> <label>Company</label> </input> </fieldset> Hope this helps! ... View more

Hi @rarneson, I think this info in our docs might apply to your situation: http://docs.splunk.com/Documentation/Splunk/6.5.1/DistSearch/PropagateSHCconfigurationchanges#Management_of_app-level_knowledge_objects I'm not sure what the workaround might be, though. I'm going to ask around for advice, will post an update when I learn more. Hope this helps! ... View more

Hey @kcnolan13, I just heard back from our engineering team and there is an issue with the script as shown in the docs. Specifically, the issue is where it checks for queries starting with 'search' and then prepends 'search' if it's not found. Here is an updated script that should fix the problem. Note this update here: " # If the query doesn't already start with the 'search' operator or another # generating command (e.g. "| inputcsv"), then prepend "search " to it. if not (searchQuery.startswith('search') or searchQuery.startswith("|")): searchQuery = 'search ' + searchQuery" I will update the docs. Let me know how this works for you! import urllib import httplib2 from xml.dom import minidom baseurl = 'https://re-latitude.sv.splunk.com:8089' userName = 'guest' password = 'guest' searchQuery = '| inputcsv foo.csv | where sourcetype=access_common | head 5' # Authenticate with server. # Disable SSL cert validation. Splunk certs are self-signed. serverContent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login', 'POST', headers={}, body=urllib.urlencode({'username':userName, 'password':password}))[1] sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue # Remove leading and trailing whitespace from the search searchQuery = searchQuery.strip() # If the query doesn't already start with the 'search' operator or another # generating command (e.g. "| inputcsv"), then prepend "search " to it. if not (searchQuery.startswith('search') or searchQuery.startswith("|")): searchQuery = 'search ' + searchQuery print searchQuery # Run the search. # Again, disable SSL cert validation. print httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs','POST', headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.urlencode({'search': searchQuery}))[1] ... View more