Hello, what you describe here looks a lot like what is described in section Conditional linking of http://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/DrilldownLinkToDashboard. Only the conition on the name of the field is not according to the documentation. Did you already check this? ... View more

Hello, here you go: | makeresults count=5 | eval Orig_No=random() | eval New_Orig_No=Orig_No/100 | fields New_Orig_No In this case, the five values of the Orig_No column are used to compute the content of New_Orig_No (division by 100 in the example). The column Orig_No is then dropped to kee only the New_Orig_No column ... View more

Hello, sorry, but the question is a bit too broad. Can you please add details/examples? ... View more

Hello, would this be helpful? https://splunkbase.splunk.com/app/3118/#/overview ... View more

Hello, this should do : | makeresults | eval someField="[Status: 4] [myfield2: myvalue2][myfield3:myvalue3] [myfield4:myvalue4]" | rex field=someField "myfield2: (?<myextractvalue2>[A-Za-z0-9]+)" | rex field=someField "myfield3:(?<myextractvalue3>[A-Za-z0-9]+)" | rex field=someField "myfield4:(?<myextractvalue4>[A-Za-z0-9]+)" ... View more

( is a bold parenthesis) ... View more

Hello, do you wat to dislay only the rows where Variance>=120, or to display the whole table only if at least one row contains Variance>=120? In the first case, a where close is enough before |table, on the second case, conditional display of panels sould do the trick ... View more

Hi, depending on where you want to do the user cration, the REST API is handy. Please refer to http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authentication.2Fusers and https://answers.splunk.com/answers/186077/can-we-create-a-user-with-splunk-rest-api-access.html ... View more

Hello, What is the pb? The new tab is not open or the google page is not displayed? To me, the url should be : https://www.google.com/search?&q=$dbinit$ ... View more

Hello, In the description, you mention network.csv, but when you show the content of the csv files, server.csv has two different contents. I suppose one of the two is in fact network.csv. Can you please update so I can have a look? ... View more

Hi. This should do the trick. Note that the names I used for the fields can of course be changed. | makeresults | eval message="Authentication Details:\nIP Address: 255.255.255.255\nCountry: FR\nNew Device: true\nRequested Application ID: https://www.myapplication.com/\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nTime since last Authentication from Office: N/A\nMobile OS Version: N/A\nDevice Model: N/A\nDevice Lock Enabled: N/A\nDevice Rooted or Jailbroken: N/A\nDevice enrolled in MDM: N/A\nPingID App Version: N/A\nAction: MyAction\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n" | rex field=message "Country: (?<Country>\w+)" | rex field=message "Application Name: (?<appName>[A-Z\/]+)" | rex field=message "nMobile OS Version: (?<mobOsVer>[A-Z\/]+)" ... View more

Hi, are you getting data out of Splunk and rying to read it in python? Or trying to get data in? ... View more

Hi, what about this? | makeresults | eval Parameter="321 d, 10 h, 48 m and 46 s" |eval ts=strptime(Parameter,"%j d, %H h, %M m and %S s") ts is what you need ... View more

Hi, I think this is what you are looking for: https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Fillnull ... View more

Hi. Can you be lease ive more details? In case you use the color by value configuration, do you want to keep the color and change the ranges, or keep the ranges and changes the colors, or both? ... View more

Hi, you could join the two searches using the Job_Name and/or orderid information. Please check: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Join ... View more

Hi. I did more or less the same starting from Splidget app (https://splunkbase.splunk.com/app/3648/#/details) Her is what I did: I write into a lookup table the content of the comment, together with the information relative to the event (these information are then used later as a key to display the content of the comments in the dashboard). This is quite easy, thanks to the already existing code in the Slidget app. On the UI: enable the Splunkpad part of splidget on your dashboard Upon click on the button used to set the status of the event (I assume there is such a button), take advantage of the Splunkpad code to create your own code to link the comment and the event). On the spl part, use the lookup to add the display of the comment with the fields you used as keys. Of course, this requires some js code behind!! I hope this helps to get started. ... View more

Hi. In case your first four columns are static, why not create an html table and customize it in order to get the right look ad feel and then run as many searches as needed to set tokens with the values to be displayed on the last column? This would I think answer your question, and enable the interaction with the dropdown value you mentioned. ... View more

Hello, how can you expect a timechart if the last line of the search is a table not containing _time? To me, it should end with | table _time jra_conn bam_conn bib_conn ... View more