Hi @ITWhisperer  I edited my post because it does not suit with my whole table. Please look at my first post I have just edited. Thanks a lot!  ... View more

OK @gcusello  I understand what happened : when I save the code, the text "form.text2" appears in the input field :  I removed the text and pressed enter and now the input text2 is cleared and results appeared.  The drilldown works perfectly.  In my final dashboard, I removed the input text1, to see how it's behave, and one input do the job.  Thanks for your patience ! I will vote for the post with the right code. ... View more

@gcusello really ? so I really don't understand what happen by my side... ... View more

Yes sorry I added it and nothing change.  What I found out is it seems to work only with _internal index, I tried with another index like : index=main * form.text2 and no result again. And it works with _internal index because the string "form.text2" appears in _internal logs due to my multiple searches !  Try to your side with another index you will see and tell me if you have same issue please.   ... View more

@gcusello  I had the same idea : trying without the base search. I copy/paste your code and only change the query :         <form> <label>clone</label> <fieldset submitButton="false"> <input type="text" token="text1"> <label>Text 1</label> <default>*</default> </input> <input type="text" token="text2"> <label>Text2</label> <default>form.text2</default> </input> </fieldset> <row> <panel> <table> <search> <query> index=test sourcetype=test_st $text1$ $text2$ | stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <option name="drilldown">cell</option> <drilldown> <set token="form.text2">$click.value2$</set> </drilldown> </table> </panel> </row> </form>     It did not work as well.  When I open the query, I have this query :  index=test sourcetype=test_st * form.text2 | stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt => 0 event When I remove "form.text2" from the query, results appear. I tried with another index like : index=main * form.text2 and no result again    ... View more

I tried this : index=test sourcetype=test_st $text1$ $text2$ | fields env _time TxName Id and this :  index=test sourcetype=test_st $text1$ $text2$ | fields * no one work... ... View more

I tried to remove the refresh setting but nothing change :  <form> <label>Clone</label> <search id="baseSearch"> <!-- The base search--> <query>index=test sourcetype=test_st $text1$ $text2$</query> <earliest>$global-time-picker.earliest$</earliest> <latest>$global-time-picker.latest$</latest> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="global-time-picker" searchWhenChanged="true"> <label>Global Time Picker</label> <default> <earliest>-30m</earliest> <latest>now</latest> </default> </input> <input type="text" token="text1"> <label>Text 1</label> <default>*</default> </input> <input type="text" token="text2"> <label>Text2</label> <default>$form.text2$</default> <initialValue>*</initialValue> </input> </fieldset> <row> <panel id="table"> <title>log</title> <table> <search base="baseSearch"> <query>| stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query> </search> <option name="refresh.display">progressbar</option> <drilldown> <set token="form.text2">$click.value2$</set> </drilldown> </table> </panel> </row> </form> I remove it also from your code example and it works (actually it works since the beginning) More strange, I get result with the query :  index=_internal * form.text2 But nothing with my query :  index=test sourcetype=test_st * form.text2 I really don't understand.  ... View more

Hi @gcusello  Still same error : here is my code : <form> <label>Clone</label> <search id="baseSearch"> <!-- The base search--> <query>index=test sourcetype=test_st $text1$ $text2$</query> <earliest>$global-time-picker.earliest$</earliest> <latest>$global-time-picker.latest$</latest> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="global-time-picker" searchWhenChanged="true"> <label>Global Time Picker</label> <default> <earliest>-30m</earliest> <latest>now</latest> </default> </input> <input type="text" token="text1"> <label>Text 1</label> <default>*</default> </input> <input type="text" token="text2"> <label>Text2</label> <default>$form.text2$</default> <initialValue>*</initialValue> </input> </fieldset> <row> <panel id="table"> <title>log</title> <table> <search base="baseSearch"> <query>| stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as logCount by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query> </search> <option name="refresh.display">progressbar</option> <drilldown> <set token="form.text2">$click.value2$</set> </drilldown> </table> </panel> </row> </form> ... View more

Hi @anilchaithu  Yes the panel in built on a base search (you can see the code in my reply to to @gcusello). I tried the token but no success because the base search is waiting for a value that I have not selected yet. (see the picture in my other reply).   ... View more

Hi @gcusello, I tried your settings but all searches send "no result found" :    here is the source code :  <form theme="light"> <label>Clone</label> <search id="baseSearch"> <!-- The base search--> <query>index=test sourcetype=test_st $text1$ $text2$</query> <earliest>$global-time-picker.earliest$</earliest> <latest>$global-time-picker.latest$</latest> <refresh>5m</refresh> <refreshType>delay</refreshType> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="global-time-picker" searchWhenChanged="true"> <label>Global Time Picker</label> <default> <earliest>-30m</earliest> <latest>now</latest> </default> </input> <input type="text" token="text1" searchWhenChanged="true"> <label>Raw Document Text Search</label> <default>*</default> </input> <input type="text" token="text2"> <label>Text2</label> <default>form.text2</default> </input> </fieldset> <row> <panel id="table"> <title>log</title> <table> <search base="baseSearch"> <query>| stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as Count by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt </query> </search> <option name="refresh.display">progressbar</option> <drilldown> <set token="form.text2">$click.value2$</set> </drilldown> </table> </panel> </row> and when I open the search I got this :  index=test sourcetype=test_st * form.text2 | stats first(env) as env earliest(_time) as startsAt first(TxName) as TxName count(Id) as Count by Id | eval startsAt=strftime(startsAt, "%d-%m-%Y %H:%M:%S.%3Q") | sort -startsAt What I did wrong ?  ... View more

Hi @bowesmana  Without filtering on a particular id here is the result of my search :  index="A" sourcetype="B" source="*C"  | dedup id | spath output=instances path=instances{}.id | eval instances_count=mvcount(instances) | where isnull(instances_count) | fields account_id region name id vpc_id insight | eval account_sg=account_id."___".id | spath output=group_id path=rules{}.grants{}.group_id | table id group_id   I tried a query like that :  index="A" sourcetype="B" source="C"  | dedup id | spath output=instances path=instances{}.id | eval instances_count=mvcount(instances) | where isnull(instances_count) | fields account_id region name id vpc_id insight | eval account_sg=account_id."___".id | table id | rename id as group_id | join type=inner group_id [search index="A" sourcetype="B" source="C" | dedup id| spath output=instances path=instances{}.id| eval instances_count=mvcount(instances)| where isnull(instances_count)| fields account_id region name id vpc_id | spath output=group_id path=rules{}.grants{}.group_id | mvexpand group_id | table group_id ] | rename group_id as id What do you think ?  ... View more

Hi again @bowesmana  I find the issue why the search did not work : with the filter sg-xxxdd5 in the first command line we can see in raw events that it returns "group_id" fields with "null" value (it was not the case days before as we can see in my previous post) :  So your stats command does not work in this case ... Without filter, your command return result like that : Probably because of stats value... All of them are identified with 0 value in "exists" column, whereas we should have both values : I tested the request by filtering on several sg-xxx of the list and after checking, some of them return only one event (the one with the id field) and not 2 including one with a group_id field, so they should appear with value as "0" in "exists" column, and other sg-xxx are like in my first post (with 2 events, one with id, other with the value id in group_id) and should appear with "1" as value of "exists" column.  How can I deal with that ?  Thanks again for your help.  ... View more

Hi @bowesmana  Thanks again for your answer. However, I tried to applied the 2 last commands in my query and it does not react as your test : The purpose of the search is to check if the value in field "id" is present in the field "group_id" and then extract the value of those "id".  To give you an example, I have filtered on a sg-xxx which returns 2 events: an event in which it appears in the value of the id field, and another event in which it appears in the group_id field. When the sg-xxx value of the id field appears in a group_id field then I want to extract it. But some ids returns only ONE event (the one with id field). Is this will cause an issue when I will run your command ?  Your query is completely what I was looking for and looks pretty good but I don't know if I apply it well because the "check_ids" fields returns nothing.  Can you help me again please ?  Thanks a lot ! ... View more

Hi @bowesmana, Thanks for your answer.  You were right your search did not work.  Here is my query :  index="A" sourcetype="B"  sg-19c | dedup id | spath output=instances path=instances{}.id | eval instances_count=mvcount(instances) | where isnull(instances_count) | fields account_id region name id vpc_id insight | eval account_sg=account_id."___".id | spath output=group_id path=rules{}.grants{}.group_id I look for events containing "sg-19c". It gave me 2 events. Here is a sample of my json data :  Event 1: { [-]    account_id: 1111    description: test    id: sg-f65    instances: [ [+]    ]    name: test    owner_id:1111    region: 222    rules: [ [-]      { [-]        from_port: xxx        grants: [ [-]          { [-]            cidr_ip: null            group_id: sg-19c            name: null            owner_id: 1111          } { [-]            cidr_ip: null            group_id: sg-e            name: null            owner_id: 1111          } { [-]            cidr_ip: null            group_id: sg-8            name: null            owner_id: 1111          } { [-]            cidr_ip: null            group_id: sg-0            name: null            owner_id: 1111          } { [-]            cidr_ip: null            group_id: sg-1            name: null            owner_id: 1111          }]}] Event 2 : { [-]    account_id: 1111    description: test    id: sg-19c } If I make a table command, I get this table in my first post :  What I want is to extract "id" present in "group_id" field.  Hope you can help me ! Thanks a lot. ... View more

Hi @493669 , The problem is when I want to filter the time picker to "last 60 minutes", show me nothing because splunk indexes in UTC.  Example value :  _time = 3/22/21 3:10:00.000 PM timestamp = 1616425200.000000  Even if I add : index=test sourcetype=stash |eval _time=timestamp with time picker filter to "last 60 minutes", I get nothing :  whereas when I increase time picker to "last 4 hour", I have events on last hour : How can I deal with that ?    ... View more

I tried your code, but it gave me this : What I want is to have automatically the username selected by default, and not to click on "Select".  That's why I tried to put the token into the <default> value, but it does not work at all.  I use this user token in multiple queries on my dashboard, and since there is only one value for a user then I would like this value to be the default. ... View more