Yes, as @burwell said, try the first command of the search to see if you get results, then the first two commands, etc. That way you can identify which line is causing you to get no results. ... View more

You need to be more specific - when you say "around it", do you mean events before and after in the event pipeline? You need to identify the events you are interested in, then count the events afterwards with streamstats; then reverse the events pipeline and count the events afterwards in that direction with streamstats. then filter by counts. ... View more

Since you haven't provided example data, the first 4 lines (starting with gentimes and finishing with eval) just generate sample data and should be replaced by your search. It is usually easier for volunteers to suggest solutions if you provide sample data so we can test our solutions before making suggestions. If you are unsure, please feel free to investigate the documentation as to what these unfamiliar commands do. ... View more

| gentimes start=-1 increment=30m | rename starttime as _time | fields _time | eval Exception=mvindex(split("null pointer exception,Illegal argument exception,socket time out exception",","),random()%3) | bin _time span=1h | eval hour=strftime(_time,"%H") | where hour == 3 OR hour == 7 | eval hour=tonumber(hour)."to".(tonumber(hour)+1)."am" | stats values(Exception) as Exception by hour | transpose 0 header_field=hour column_name=Exception | fields - Exception | stats values(3to4am) as 3to4am values(7to8am) as 7to8am | eval 7to8am=mvmap('7to8am',if(isnull(mvfind('7to8am',mvjoin('3to4am',"|"))),'7to8am',null())) ... View more

Simply pass the current token values in the link to dashboard "eventHandlers": [ { "type": "drilldown.linkToDashboard", "options": { "app": "answers", "dashboard": "timepicker_drilldown_target", "tokens": [ { "token": "global_time.earliest", "value": "$global_time.earliest$" }, { "token": "global_time.latest", "value": "$global_time.latest$" } ] } } ] ... View more

In that case, please can you provide some sample data (anonymised of course) that we can work with? ... View more

Sorry, I missed the line to gather the values into multivalue fields. Here is a runanywhere example using your data showing it working | makeresults | fields - _time | eval _raw="3to4am stats: 7to8am Ex1 Ex3 Ex2 Ex1 Ex3 Ex5 Ex4 Ex6" | multikv forceheader=1 | table 3to4am 7to8am ``` the lines above create dummy data based on your example ``` | stats values(3to4am) as 3to4am values(7to8am) as 7to8am | eval 7to8am=mvmap('7to8am',if(isnull(mvfind('7to8am',mvjoin('3to4am',"|"))),'7to8am',null())) ... View more

| eval 7to8am=mvmap('7to8am',if(isnull(mvfind('7to8am',mvjoin('3to4am',"|"))),'7to8am',null())) ... View more

You could try with | rest /servicesNS/-/-/authorization/roles/ | rest /servicesNS/-/-/authentication/users although I can't guarantee it will work ... View more

Try executing each of your searches with an increasing number of lines until you find the line that causes there to be no results. ... View more

``` get all purchases ``` index=customer_data action=purchase ``` narrow down to purchases from our top 100 customers (based on purchase count) ``` [search index=customer_data action=purchase top limit=100 user_id | table user_id] ``` show type of products that each user purchased ``` | stats count, list(product_category) as product_category by user_id | stats values(count) as total count by user_id product_category | eval product_category=product_category."=".round(100*count/total,2)."%" | stats values(product_category) as product_category by user_id | eval product_category=mvjoin(product_category,", ") ... View more

| bin _time span=8h aligntime=@d ... View more

Try something like this <form version="1.1" theme="dark"> <label> Production Report</label> <fieldset submitButton="false" autoRun="true"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel depends="$stayhidden$"> <html> <style> #productreport table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; } </style> </html> </panel> <panel> <title>IWMS Product Submission Details</title> <table id="productreport"> <search> <query>index=my_dbx sourcetype="my:dbx:details" | fillnull value="NA" SUPPORTING_DOC_NUMBER PRODUCT_SOURCE_KEY PROJECT_ID |stats count by ID INT_MESSAGE_ID APPLICATION_NUMBER APPLICATION_TYPE SUBMISSION_NUMBER SUBMISSION_TYPE SUPPORTING_DOC_NUMBER PRODUCT_SOURCE_KEY PROJECT_ID MESSAGE_STATUS MESSAGE_COMMENT LAST_UPDATE_TIMESTAMP | fields - count | sort - INT_MESSAGE_ID | foreach * [| eval &lt;&lt;FIELD>>=mvappend(&lt;&lt;FIELD>>,MESSAGE_STATUS)]</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color"> <colorPalette type="map">{"PRODUCTS NOT UPDATABLE":#DC4E41,"Project not Found":#DC4E41,"PRODUCTS UPDATE FAILED":#DC4E41,"PROCESS PRODUCTS":#F8BE34,"PRODUCTS UPDATED":#53A051}</colorPalette> </format> </table> </panel> </row> ... View more

I don't think that's possible although you might be able to use a saved search so both reports run from the same search. ... View more

Try this */5 0-2,9-11,21-23 * * * Note that is has to be a separate cron schedule or you adapt your report to check whether the search time fits in the required time periods. ... View more

Try setting your token to value2 not row.<fieldname>.value ... View more

You are right, SPL does not do recursion or loops particularly well. However, if you know the maximum depth, you could use repetition | makeresults | fields - _time | eval _raw="from to A B A C A D B E B F B G F K F L C H D I D J J M" | multikv forceheader=1 | table from to | eval path=from."-".to | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] | eventstats values(path) as paths | foreach mode=multivalue paths [| eval path=if(mvindex(split(<<ITEM>>,"-"),-1)==from,<<ITEM>>."-".to,path)] The last two lines are repeated sufficient times to resolve all paths. ... View more

Perhaps if you shared some anonymised events which demonstrate the issue you are facing, we might be better placed to advise. Please use the code block </> button when inserting event data so that formatting (e.g. white spaces) of the event is preserved. ... View more