Try something like this | foreach NUM TIME STATUS DURATION [| spath <<FIELD>>] | spath COMPONENTS{} output=components | mvexpand components | spath input=components NAME | spath input=components Tasks{}.ITEM{} output=items | mvexpand items | spath input=items | fields - components items _raw ... View more

Essentially, you should probably deploy universal forwarders on your gitlab servers to send the logs to your Splunk indexers. ... View more

Table representation / visualisation in Splunk is not the same as Excel (other spreadsheet providers are available!) - you cannot merge cells in a column or row for that matter. Having said that, you could use stats with the list function to simulate this feature. ... View more

In SimpleXML, you could have a html panel with your comment. You could then make this panel depends on the existence of a token. You could then set or unset this token depending on a result from your dashboard panel search ... View more

Tokens (I presume Type_of_deployment is a token set by some input on your dashboard) are delimited by dollar signs and the search will wait for the input for the token to be completed. The search is probably waiting for a token called "IIS_for_XServers cs_uri_stem=" (which doesn't exist) - try doubling up the dollars for the variables index=whatever sourcetype=whateverXxX [ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_Server ] OR ([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_for_XServers cs_uri_stem=$$Pattern_for_Servers]) | timechart span=$Span_Timechart$ count by host   ... View more

| rex "(?<lastword>[\w-]+)\W*?$" ... View more

Subsearches are limited to 50,000 events - this is usually silent (no error message) - is there anything in the search log to show that this may have happened? ... View more

stdev is supported as an aggregation function to stats commands not a function to eval command ... View more

Please expand on your usecase. If you don't have the field listed in the table, it isn't available to click on for drilldown anyway. Or are you trying to pass on a value from a field which isn't displayed? If so, and the column is always in the same place, for example first, you could use CSS to hide the column <row> <panel depends="$STYLES$"> <html> <style> #hiddencolumns table td:nth-child(1), #hiddencolumns table th:nth-child(1) { display: none !important; } </style> </html> </panel> <panel> <input type="dropdown" token="cols" searchWhenChanged="true"> <label>Show Details</label> <choice value="_time">Just Time</choice> <choice value="_time,_raw">Time and Raw</choice> <default>_time,_raw</default> <initialValue>_time,_raw</initialValue> </input> <table id="hiddencolumns"> <title>Show only . [$cols$] - $changed$</title> <search base="base"> <query>| eval run_on_change = "$cols$ - ".(random()%10) | table run_on_change $cols$</query> </search> <option name="refresh.display">progressbar</option> <drilldown> <set token="changed">$row.run_on_change$</set> </drilldown> </table> </panel> </row> ... View more

MLTK detects anomalies by looking at deviations from a model of "expected" behaviour, so the first thing you need to do is create a search which returns what you decide is normal behaviour. In your case, this could be average duration per API per hour/day/whatever time period is appropriate for your data. The tricky bit is that you may need to create a model for each API (which isn't ideal). A workaround to this is to normalise the data in some way. ... View more

| metadata type=sourcetypes | where lastTime < relative_time(now(),"-1h") ... View more

Please can you share the config? ... View more

Does this help | eval Status=mvappend("Primary_".Status_Primary,"Secondary_".Status_Secondary) | stats count by Status ... View more

How have you configured the input? ... View more

I didn't notice that - $cols$ was updated in the search, not the XML - just remove the <fields>$cols$</fields> line ... View more

There doesn't appear to be anything wrong with your dashboard - indeed, if I run a copy of it (with a different base search) it appears to work. Can you provide more details, e.g. which version of Splunk are you running? ... View more

| stats count ... View more

You can create pre-built panels which you can then add to your dashboards. ... View more