Hi intern_jos, Yes, you can enable this in the Visualization Format options: and click on show data values . The result will be the values on the bars: Hope this helps ... cheers, MuS ... View more

Hi digitalX, If I understand your request correct, you are after setting threshold in a lookup table. This can be achieved by using the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to. transforms.conf : [score] filename = score.csv match_type = WILDCARD(value) And your score.csv : mySearch,value,score foo,5*,2 foo,10*,3 boo,30*,5 If you now use this run everywhere command you can get back the score based on the fake count which was made by the first eval command: Count is 101 | gentimes start=-1 | eval count="101" | eval mySearch="foo" | lookup score value AS count mySearch AS mySearch and the results will look like this: Count is 55 | gentimes start=-1 | eval count="55" | eval mySearch="foo" | lookup score value AS count mySearch AS mySearch and the result will look like this: Bear in mind, this has some limits. Because the wild card match for 10* will work from 100 until 109, but also matches 1000 and/or 10000 for example! Nevertheless I hope this helps and Grüess nach Chur 😉 cheers, MuS Update after the comments: Use this as score.csv Search,lower,upper,score foo,50,99,2 foo,100,999,3 foo,1000,9999,5 boo,50,99,20 boo,100,999,30 boo,1000,9999,50 and use it with inputlookup instead of lookup in the search: | gentimes start=-1 | eval count="999" | eval mySearch="foo" | append [|inputlookup score ] | filldown count mySearch | where mySearch=Search AND count>=lower AND count<=upper This should do what you need. ... View more

Hi ramabu, take this run everywhere dashboard (assuming you have access to index=_internal ) and you will get an idea how to do it: <form> <label>Drop down pie</label> <fieldset submitButton="false"> <input type="dropdown" token="field1"> <label>Please select:</label> <search> <query>index=_internal | stats count values(sourcetype) AS sourcetypes by sourcetype</query> <earliest>@d</earliest> <latest>now</latest> </search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> <choice value="*">all</choice> <default>*</default> </input> </fieldset> <row> <panel> <chart> <search> <query>index=_internal sourcetype=$field1$ | stats count by date_minute</query> <earliest>@d</earliest> <latest>now</latest> </search> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="count">10</option> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">pie</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> </chart> </panel> </row> </form> Hope this helps ... cheers, MuS ... View more

Hi Murali2888, I'm not aware if there is a capability http://docs.splunk.com/Documentation/Splunk/6.3.2/Security/Rolesandcapabilities that can be enabled or disabled to achieve this - maybe some else knows better 😉 But you can remove the top right corner export button from a Dashboard with this option hideEdit="true" see docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/PanelreferenceforSimplifiedXML or the button left corner export button from a chart with this option <option name="link.visible">false</option> Hope this helps ... cheers, MuS ... View more

Hi daniel333, Yes, this is possible using stats - take a look at this run everywhere example: index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames This will create a list of all field names within index _internal . Adopted to your search this should do it: index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames Hope this helps ... cheers, MuS ... View more

Hi jeremiahc4, This can have multiple reasons why it is not working. Here is a list of common troubleshooting: Did you restart Splunk after the change? Did you clear Server and client asset caches after the change http://docs.splunk.com/Documentation/Splunk/6.3.2/AdvancedDev/CustomizationOptions#Clear_client_and_server_assets_caches_after_customization ? Did you clear the browsers cache? Check with your Browser debugging tool if the dark.css gets loaded at any stage. Hope this helps ... cheers, MuS ... View more

Hi mdhtdm24, could it be that you have Splunk light free instead Splunk light? Splunk light free is limited to one user, see docs for more details http://docs.splunk.com/Documentation/SplunkLight/latest/GettingStarted/AboutSplunkLightaccounts or this link http://docs.splunk.com/Documentation/SplunkLight/latest/GettingStarted/AboutSplunkLight#Splunk_Light_Free_versus_Splunk_Light Hope this helps ... cheers, MuS ... View more