You have token contention for the serviceName token which is what is causing your issue.  You are using change to set the token that you are also using as the token for the drop down selector.  You need to make a choice on how you want the token to be populated, either have the drop down selections populate serviceName or the change event on the input.  The quickest fix is to just assign a different token to the drop down selector: <form> <label>Test</label> <fieldset submitButton="false" autoRun="true"> <input type="time" token="timePicker"> <label></label> <default> <earliest>-4h@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="serviceNamedropdown"> <label>Service</label> <choice value="">Select a Service</choice> <choice value="lpd">LPD</choice> <choice value="cart">Cart</choice> <choice value="identity">Identity</choice> <default>Select a Service</default> <initialValue>Select a Service</initialValue> <change> <condition value="lpd"> <set token="serviceName">index=test1</set> </condition> <condition value="cart"> <set token="serviceName">index=test2</set> </condition> <condition value="identity"> <set token="serviceName">index=test3</set> </condition> </change> </input> <input type="radio" token="byHost" searchWhenChanged="true"> <label>By Host</label> <choice value="by host">Yes</choice> <choice value="">No</choice> <default>by host</default> <initialValue>by host</initialValue> </input> </fieldset> <row> <panel> <title>Web Request</title> <chart> <search> <query>$serviceName$ | timechart count</query> <earliest>$timePicker.earliest$</earliest> <latest>$timePicker.latest$</latest> </search> <option name="charting.chart">line</option> </chart> </panel> </row> </form> ... View more

I played with your example and adjusted the date of it so I wouldn't have to mess with max lookbehind: <Interceptor> <AttackCoords>-80.33100097073213,25.10742916222947</AttackCoords> <Outcome>Interdiction</Outcome> <Infiltrators>23</Infiltrators> <Enforcer>Ironwood</Enforcer> <ActionDate>2020-05-24</ActionDate> <ActionTime>00:07:00</ActionTime> <RecordNotes></RecordNotes> <NumEscaped>0</NumEscaped> <LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords> <AttackVessel>Rustic</AttackVessel> </Interceptor> I got the date/time to pull correctly with the below parameters: TIME_PREFIX = <ActionDate> TIME_FORMAT = %Y-%m-%d</ActionDate>%n <ActionTime>%H:%M:%S ... View more

Based on a previous answer: https://community.splunk.com/t5/Getting-Data-In/How-to-set-date-time-stamps-across-two-lines-in-xml-where-time/td-p/256531 it appears as if you can ignore the line break so it would be something like this: TIME_FORMAT= %Y-%m-%d</ActionDate><ActionTime>%H:%M:%S ... View more

I'm not 100% on your requirements.  If you just want to alert when a there are zero events for anything that falls into the below query in a 24 hour period you can do it easily with this: earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888" | append [ makeresults count=1] | timechart span=1d count(host) as count | where count=0  That will alert you if there is a single day with no events with that query.  The append with makeresults ensures you never get "no results" back from the query.  If you need it to be a rolling 24 hour period you can do it with this: earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888" | append [ makeresults count=1] | timechart span=1h count(host) as count | streamstats sum(count) as 24hcount time_window=24h | where '24hcount'=0 If you need something more complicated where you need it so any combination of fields in your table are not seen in a day you can do that with this: index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888" | eval ClownCar=host."|".field1."|".field2."|".field3."|".field4 | append [ makeresults count=1] | timechart span=1d limit=0 count(host) as count by ClownCar | foreach * [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)] | where isnotnull(NoEvents) | fields _time NoEvents | mvexpand NoEvents | rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)" | fields - NoEvents If you need that by a rolling 24 hour period you can do that with this: index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888" | eval ClownCar=host."|".field1."|".field2."|".field3."|".field4 | append [ makeresults count=1] | timechart span=1h limit=0 count(host) as count by ClownCar | foreach * [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)] | where isnotnull(NoEvents) | fields _time NoEvents | mvexpand NoEvents | streamstats time_window=24h count as 24hcount by NoEvents | where '24hcount'=24 | rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)" | fields - NoEvents 24hcount ... View more

It appears the board has ate my answer I wrote earlier to prove that multiple eval spaths is faster than using even 1 spath command.  I'll try again. Using your original query with your sample here is your search performance on my local machine's splunk install:   | makeresults | eval data="{ \"version\":\"v0.2\", \"prints\":{ \"urls\":[ { \"response_time\":256, \"uri\":{ \"bool\":false, \"name\":\"abc\" }, \"Time\":{ \"total\":52, \"db\":11 } }, { \"response_time\":578, \"uri\":{ \"bool\":false, \"name\":\"xyz\" }, \"Time\":{ \"total\":78, \"db\":13 } } ] } }" | spath input=data path=prints.urls{} output=urls | spath input=urls path=response_time output=response_time | spath input=urls path=uri.name output=uri_name | spath input=urls path=Time.db output=db_time | spath input=urls path=Time.total output=total_time | table _time, rv, av, wm, an, et, uri_name, response_time, db_time, total_time   This search has completed and has returned 1 results by scanning 0 events in 0.119 seconds The query I originally proposed:   | makeresults | eval data="{ \"version\":\"v0.2\", \"prints\":{ \"urls\":[ { \"response_time\":256, \"uri\":{ \"bool\":false, \"name\":\"abc\" }, \"Time\":{ \"total\":52, \"db\":11 } }, { \"response_time\":578, \"uri\":{ \"bool\":false, \"name\":\"xyz\" }, \"Time\":{ \"total\":78, \"db\":13 } } ] } }" | eval response_time=spath(data, "prints.urls{}.response_time"), uri_name=spath(data, "prints.urls{}.uri.name"), db_time=spath(data, "prints.urls{}.Time.db"), total_time=spath(data, "prints.urls{}.Time.total") | table _time, rv, av, wm, an, et, uri_name, response_time, db_time, total_time   This search has completed and has returned 1 results by scanning 0 events in 0.099 seconds The search proposed by @to4kawa    | makeresults | eval _raw="{\"version\":\"v0.2\",\"prints\":{\"urls\":[{\"response_time\":256,\"uri\":{\"bool\":false,\"name\":\"abc\"},\"Time\":{\"total\":52,\"db\":11}},{\"response_time\":578,\"uri\":{\"bool\":false,\"name\":\"xyz\"},\"Time\":{\"total\":78,\"db\":13}}]}}" | spath prints.urls{} output=urls | mvexpand urls | spath input=urls | rename Time.db as db_time, Time.total as total_time, uri.name as uri_name   This search has completed and has returned 2 results by scanning 0 events in 0.244 seconds And if you have a requirement that each url in the url array appears on it's own row in your table here's my modified version with the caveat I posed above about mvexpand being problematic on large data sets:   | makeresults | eval data="{ \"version\":\"v0.2\", \"prints\":{ \"urls\":[ { \"response_time\":256, \"uri\":{ \"bool\":false, \"name\":\"abc\" }, \"Time\":{ \"total\":52, \"db\":11 } }, { \"response_time\":578, \"uri\":{ \"bool\":false, \"name\":\"xyz\" }, \"Time\":{ \"total\":78, \"db\":13 } } ] } }" | eval urls=spath(data,"prints.urls{}") | mvexpand urls | eval response_time=spath(urls, "response_time"), uri_name=spath(urls, "uri.name"), db_time=spath(urls, "Time.db"), total_time=spath(urls, "Time.total") | table _time, rv, av, wm, an, et, uri_name, response_time, db_time, total_time   This search has completed and has returned 2 results by scanning 0 events in 0.113 seconds Ultimately you can see that using a single pipe eval with the spath command on each field you want will produce a more performant query by about 17% to your original query and at 48% improvement compared to the one by @to4kawa. ... View more

refer to below response as this was a duplicate of that. ... View more

Beware that mvexpand can really chew through memory on your search head if you have a large amount of events that it's being applied to. This can cause it to terminate early if your admins are enforcing memory limits on searches or can cause the PID to get killed by OOM Killer on a nix box.  If you are okay with a multivalued list type view in your table for each event it's unnecessary to mvexpand.  If you do have a requirement that each row be one url array, then just be careful on the amount of data it is being applied to. Also even though the same amount of spaths are in my original solution, the performance is still better than invoking the spath search command the same amount of times because it is on a single pipe eval which means it's processed all at once.  Having multiple pipes with spath will cause it to stop and start at each pipe which will add an admittedly negligible performance reduction. ... View more

You can use spath in an eval command and you can chain all of the fields into a single eval with a comma separating each field.  This will make it more performant and it removes the need to do multiple spath commands: basic search rv=*, av=*, wm=*, an=*, et=* | eval response_time=spath(data, "prints.urls{}.response_time"), uri_name=spath(data, "prints.urls{}.uri.name"), db_time=spath(data, "prints.urls{}.Time.db"), total_time=spath(data, "prints.urls{}.Time.total") | table _time, rv, av, wm, an, et, uri_name, response_time, db_time, total_time Here's a run anywhere example using your sample data to demonstrate that it will work.  Keep in mind it won' t have the rv, av, wm, an, and et fields due to that not being present in the sample example: | makeresults | eval data="{ \"version\":\"v0.2\", \"prints\":{ \"urls\":[ { \"response_time\":256, \"uri\":{ \"bool\":false, \"name\":\"abc\" }, \"Time\":{ \"total\":52, \"db\":11 } }, { \"response_time\":578, \"uri\":{ \"bool\":false, \"name\":\"xyz\" }, \"Time\":{ \"total\":78, \"db\":13 } } ] } }" | eval response_time=spath(data, "prints.urls{}.response_time"), uri_name=spath(data, "prints.urls{}.uri.name"), db_time=spath(data, "prints.urls{}.Time.db"), total_time=spath(data, "prints.urls{}.Time.total") | table _time, rv, av, wm, an, et, uri_name, response_time, db_time, total_time ... View more

Hi @danielbb, There are some limited things you can use to track who and when an alert is modified, but tracking what was modified can be a bit tricky.  My friend @efavreau and I presented at last years .conf about how to track changes to your knowledge objects and how to export them from Splunk so you can do version controlling outside of splunk.  In that presentation we have a query that you can use to track who and when a change is made to an object here: https://github.com/paychex/Splunk.Conf19/blob/master/CYA_Audit_Splunk_Query Lines 36-40 in that query won't work without you creating a lookup file of your objects that can be done with this but check out the readme here first. If you want you can check out the slide deck and presentation itself here: https://conf.splunk.com/watch/conf-online.html?search=FN1315#/ As for the what that was changed you may be able to find some information in the splunkd_conf sourcetype in the _internal index: index=_internal sourcetype=splunkd_conf data.asset_uri=savedsearches data.optype_desc=WRITE_STANZA The data.payload arrays will have the information that was changed and the data.asset_uri array will have the specific savedsearch/report/alert that was modified. ... View more

You sure can.  Just modify it slightly:   | eval "Field.Message"=case('Field.Message'="All transfers were successful", "Success", 'Field.Message'="Some transfers failed", "Failed", 1=1, 'Field.Message') ... View more

Hi @thenormalone, Saved searches won't know about the global time you set in the dashboard because it is cached results that it is pulling.  You have to tell the results to filter based on the sub-searches global time and that can be accomplished by adding this to your search:  | addinfo | where _time>=info_min_time and _time<info_max_time   Here's what it would look like with the full xml you provided: <form> <label>Test1</label> <search id="query1" ref="query_01"> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> <search id="query2" ref="query_02"> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="time_token" searchWhenChanged="true"> <label></label> <default> <earliest>-7d@d</earliest> <latest>@d</latest> </default> </input> </fieldset> <row> <panel> <chart> <title>Count by Resource</title> <search base="query2"> <query>| addinfo | where _time>=info_min_time and _time<info_max_time | timechart count by timerName limit=0 | fields - NULL</query> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.text">Day</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">stacked</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">right</option> <option name="charting.lineWidth">2</option> <option name="height">319</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </chart> </panel> <panel> <single> <title>Count</title> <search base="query02"> <query>| addinfo | where _time>=info_min_time and _time<info_max_time | search "x=null" | stats count</query> </search> <option name="colorBy">value</option> <option name="colorMode">none</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option> <option name="rangeValues">[0,30,70,100]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">0</option> <option name="useThousandSeparators">1</option> </single> </panel> </row> </form>   ... View more

I looked at your query and am not seeing a reason why you are using appencols.  If your goal is to compare the work amount to the DurationMinutes you can do that without running the same query again in appendcols and ensure it's on the same project with the below query: index="inlooxtt" StatusName!=Paused StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* | eval Horas=(DurationMinutes/60), WorkAmount=if(ContactDisplayName!="null", WorkAmount, null()) | stats dedup_splitvals=true sum(Horas) as Tiempo sum(WorkAmount) as Tiempo2 by ProjectName | eval Tiempo=round(Tiempo,2) | rename Tiempo as Tiempo | sort ProjectName   I noticed in your append cols you only wanted to include WorkAmounts where the ContactDisplayName!="null".  Adding an eval that accomplishes that allows you to do this in a single query. ... View more

That query is very complicated for what you are trying to accomplish.  This is much simpler and accomplishes your goal: index="alert" source="alert*" insight="User alert" | lookup account_ids account_id OUTPUT title platform | rename title as account | search platform="*" account="*" | append [| makeresults count=1] | timechart span=1d count(account) as count Timechart will put a zero when using count, but will be null when using sum if the field does not exist.  Since you were trying to sum a nonexistent count field it was returning a null field.  Counting a field in your data set will solve that. ... View more

You can see the slides and video here: https://conf.splunk.com/watch/conf-online.html?search=FN1315 🙂 We also posted the queries we featured on github: https://github.com/paychex/Splunk.Conf19 ... View more

I documented an answer for this that I believe can be used for cloud customer here: https://answers.splunk.com/answers/694345/how-to-upload-csv-data-file-into-splunk-by-using-r.html?childToView=816912#answer-816912 It requires powershell, but if some enterprising soul wants to port the concepts to another language, it should be possible. ... View more

I know this question is about two years old but I had to solve this issue for my team and I wanted to share the solution I came up with. @harsmarvania57 is correct that there is not a direct way to import with api, but if you are feeling adventurous there is an alternative way of doing this if the file is not extremely massive. I only had powershell to work with when I created this and I wrote a script that does the following steps: converts the csv into json escapes any escapes \ and escaped quotes \" in the json elements (you'll see why later) escapes any quotes in the json body takes the fully escaped json body and passes it into a splunk search via api and curl Using makeresults the search splits out the different rows and parses the json into the appropriate columns and outputs the results into the csv. This is the reason we had to do all of the earlier escaping. The powershell script is below. I have wrapped things you need to change in curly brackets with a label in between {change me} : $csvjson = import-csv "{absolute path to file}" | ConvertTo-Json $escapingescapedescapes = $csvjson -replace '\\\\', '\\\\\\' $escapingescapedquotes = $escapingescapedescapes -replace '([^\\])\\"','$1\\\"' $fileescaped = $escapingescapedquotes -replace '([\n\r]\s+)"(.*)":(\s+)"(.*)"(,?[\n\r])','$1\"$2\":$3\"$4\"$5' $search = '| makeresults count=1 | fields - _time | eval data="'+$fileescaped+'" | eval data=trim(data, "[]") | rex field=data mode=sed "s/(\s+)\},/\1}█/g" | makemv data delim="█" | mvexpand data | eval data="[".data."]" | spath input=data | fields - data | rename "{}.*" as * | outputlookup {lookup file name goes here}' Add-Type -Assembly System.Web $searchencoded = [System.Web.HttpUtility]::UrlEncode("$search") curl.exe -k -u {credentials here} -X POST https://{put your domain here}/services/search/jobs -d exec_mode=oneshot -d output_mode=csv -d count=0 -d search="$searchencoded" Remove-Variable -Name pass Remove-Variable -Name csvjson Remove-Variable -Name escapingescapedescapes Remove-Variable -Name escapingescapedquotes Remove-Variable -Name fileescaped Remove-Variable -Name search Remove-Variable -Name searchencoded The four things that need to be changed are {absolute path to file} on line 1 which should have the path to your file (e.g. C:\Users\dmarling\Desktop\test.csv ), {lookup file name goes here} on line 5 which should have the name of your lookup file that you are writing to (e.g. myTestLookup.csv ), '{credentials here}' on line 7 is where you will need to put your splunk login credentials (e.g. admin:P@ssW03d ), and {put your domain here} on line 7 which should have the domain and potentially ip address that you are connecting to via curl (e.g. localhost:8089 ). The above process will take a csv that looks like this: column1,column2,rownum a,b,1 b,a,2 c,a,3 d,b,4 e,a,5 f,e,6 a,a,7 b,b,8 c,c,9 d,"d,""4\""""",10 and turn it into this: | makeresults count=1 | fields - _time | eval data="[ { \"rownum\": \"1\", \"column1\": \"a\", \"column2\": \"b\" }, { \"rownum\": \"2\", \"column1\": \"b\", \"column2\": \"a\" }, { \"rownum\": \"3\", \"column1\": \"c\", \"column2\": \"a\" }, { \"rownum\": \"4\", \"column1\": \"d\", \"column2\": \"b\" }, { \"rownum\": \"5\", \"column1\": \"e\", \"column2\": \"a\" }, { \"rownum\": \"6\", \"column1\": \"f\", \"column2\": \"e\" }, { \"rownum\": \"7\", \"column1\": \"a\", \"column2\": \"a\" }, { \"rownum\": \"8\", \"column1\": \"b\", \"column2\": \"b\" }, { \"rownum\": \"9\", \"column1\": \"c\", \"column2\": \"c\" }, { \"rownum\": \"10\", \"column1\": \"d\", \"column2\": \"d,\\\"4\\\\\\\"\\\"\" } ]" | eval data=trim(data, "[]") | rex field=data mode=sed "s/(\s+)\},/\1}█/g" | makemv data delim="█" | mvexpand data | eval data="[".data."]" | spath input=data | fields - data | rename "{}.*" as * | outputlookup myTestLookup.csv This process has some potential pitfalls especially with very large csv files as you may run into memory constraints using mvexpand depending on the limits that are put upon you as a user. This process can be ported to be used on linux based systems, but I unfortunately did not have access to one when I was creating the above process. ... View more

Hello @charan986, Assuming that the start and end times you want are always in the first IsAvailable=true status in the slotStatusList array and the first JBID in the RouteRequestList array, lines 6 and 7 in the below query will return the table that you are looking for: | makeresults | eval data="{ \"appointment\": {\"appointmentId\": 0,\"key\": \"\",\"Durations\": 60,\"JType\": \"Medium\",\"StartTime\": \"0001-01-01T00:00:00Z\",\"EndTime\": \"0001-01-01T00:00:00Z\",\"isDegOnly\": false,\"softId\": 112892 },\"commonID\": \"REDRF3243\",\"slotStatusList\": [{\"date\": \"2020-03-24T00:00:00Z\",\"status\": [{\"StartTime\": \"2020-03-24T06:30:00Z\",\"EndTime\": \"2020-03-24T08:30:00Z\",\"IsAvailable\": false,\"score\": 0},{\"StartTime\": \"2020-03-24T08:30:00Z\",\"EndTime\": \"2020-03-24T10:30:00Z\",\"IsAvailable\": false,\"score\": 0},{\"StartTime\": \"2020-03-24T10:30:00Z\",\"EndTime\": \"2020-03-24T12:30:00Z\",\"IsAvailable\": true,\"score\": 100}],\"error\": {\"message\": \"\"}},{\"date\": \"2020-03-25T00:00:00Z\",\"status\": [{\"StartTime\": \"2020-03-25T06:30:00Z\",\"EndTime\": \"2020-03-25T08:30:00Z\",\"IsAvailable\": false,\"score\": 0},{\"StartTime\": \"2020-03-25T08:30:00Z\",\"EndTime\": \"2020-03-25T10:30:00Z\",\"IsAvailable\": true,\"score\": 92.44},{\"StartTime\": \"2020-03-25T10:30:00Z\",\"EndTime\": \"2020-03-25T12:30:00Z\",\"IsAvailable\": false,\"score\": 0}],\"error\": {\"message\": \"\"}} ] } {\"Appointment\": {\"Durations\": 60,\"TimeSlotStartTime\": \"0001-01-01T00:00:00+00:00\",\"TimeSlotEndTime\": \"0001-01-01T00:00:00+00:00\",\"IsDefOnly\": false,\"Job\": \"Medium\",\"SoftId\": 113291},\"commonID\": \"REDRF3243\",\"GraceMinutes\": 0,\"BufferMinutes\": 0,\"RouteRequestList\": [{\"Date\": \"2020-04-02T00:00:00+00:00\",\"JBID\": 11936},{\"Date\": \"2020-04-03T00:00:00+00:00\",\"JBID\": 11936}]}" | rex field=data max_match=0 "(?<data>[^\n]+)" | mvexpand data | eval statuses=spath(data, "slotStatusList{}.status{}"), commonID=spath(data, "commonID"), firstAvailable=mvindex(mvfilter(match(statuses, "\"IsAvailable\": true")),0), StartTime=spath(firstAvailable, "StartTime"), EndTime=spath(firstAvailable, "EndTime"), JBID=mvindex(spath(data, "RouteRequestList{}.JBID"),0), JType=spath(data, "appointment.JType") | stats values(JBID) as JBID values(JType) as JType values(StartTime) as StartTime values(EndTime) as EndTime by commonID Dealing with multivalued fields in json is always a pain, but can be managed a bit by managing the parent array using mvfilter and mvindex and then using spath on the resulting output, which is what I am doing with statuses=spath(data, "slotStatusList{}.status{}") that creates a multivalued list of the different json payloads of the status array in the slotStatusList array and firstAvailable=mvindex(mvfilter(match(statuses, "\"IsAvailable\": true")),0) which returns the first status that contains "IsAvailable": true . Let me know if anything doesn't make sense. ... View more

In order to answer the KV versus lookup table question, you should ask: How much data do I plan on holding? Do you want to be able to CRUD (Create, Read, Update, and Delete) a single event or are you going to just grab everything and update the whole table each time? If you don't need single event CRUD or you have <100,000 rows in this lookup, I would probably avoid KV store. You are essentially creating a stateful table in Splunk. I have done this before and here are the pitfalls I ran into: Data ingested into splunk after my scheduled job to keep the table updated. I did not have the job look back time period overlap so I missed that latest status. Data never ingested into splunk due to a configuration mistake on file ingestion. The file rolled over and I was not watching the rolled over files so I missed that lastest status change. I accidentally deleted the table and lost all statuses when doing some data clean ups and had to start over. This is not as catastrophic as it sounds, it was just a pain in the rear to deal with. You can avoid those mistakes by ensuring you are monitoring rolled over log files and you do not have crcSalt enabled and you have overlapping search time periods in your scheduled search to keep the file updated. This means if you have a 5 minute cron like 1-59/5 * * * * I'd suggest at least an earliest time of -15m or even more depending on what you worst case ingestion delay observed is on your events. As for the search that populates and keeps the status up to date it would be something like this on the first run that I would probably go back 30 days at least to ensure you get all of your possible hosts: search that populates a list of statuses | stats max(_time) as _time latest(status) as status by printer | outputlookup LatestPrinterStatus.csv I would then create a saved search that runs every 5 minutes with a 15 minute look back search that populates a list of statuses earliest=-15m latest=now | inputlookup LatestPrinterStatus.csv append=true | stats max(_time) as _time latest(status) as status by printer | outputlookup LatestPrinterStatus.csv The inputlookup that appends the table on line 2 will ensure that you are always including everything that has ever reported previously so if you have a gap where the host doesn't report in that 5 minute query period, it will still be accounted for. ... View more