Your base query should be a superset of the queries in your dashboards <form theme="dark"> <label>2808 Leandro Matos</label> <search id="web"> <query>index=web | stats count by host, clientip, categoryid </query> <earliest>-7d@d</earliest> <latest>@d</latest> </search> Your panel searches can then be based on this search further refining it to your needs <panel> <chart> <search base="web"> <query>search categoryId=$listcategoria$ | stats sum(count) as count by categoryId</query> </search> ... View more

Have you tried transpose? ... View more

You need to evaluate the status of each step and recombine them into a single row per event (stats), then evaluate your success condition ... | eval status1=if(step=1,status,null) | eval status2=if(step=2,status,null) | eval status3=if(step=3,status,null) | eval status4=if(step=4,status,null) | eval status5=if(step=5,status,null) | eval status6=if(step=6,status,null) | stats values(status1) as status1, values(status2) as status2, values(status3) as status3, values(status4) as status4, values(status5) as status5, values(status6) as status6 by event | eval overall=if(status1="SUCCESS" AND status2="SUCCESS" AND status4="SUCCESS" AND status5="SUCCESS", "SUCCESS", "IN PROGRESS") | table event, overall   ... View more

You could use a hidden panel to set up your styles   <row depends="$STYLES$"> <panel> <html> <style> .main-section-body { background:greenyellow !important; } </style> </html> </panel> </row>   Use a different style for each environment ... View more

How about something like index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | stats count by ss_name, date Then use a stacked bar chart in your dashboard panel  ... View more

Hi @dkgs  You can only provide the expression  LINE\":\"\|(?<user>[^\s]*)\s Unfortunately, I can't see a way of providing the max_match=0 part so you will only be able to extract the first match. To get all the instances in a multivalue field on a more permanent basis, you may have to adopt the transforms and props configuration approach  ... View more

... | eval deployment=case(in(server,"srv1","srv7","srv9"),"Fin",in(server,"srv15","srv19","srv21"),"Jpn",in(server,"srv100","srv102","srv110"),"Bra") ... View more

See duplicate question and answer here  ... View more

Are you sure lookup tables are the way to go? Why not schedule daily reports? ... View more

In your first 2 queries, you are removing fields where distinct count is 1, but you don't appear to be doing this in the last query. Would this not account for the "missing" fields? ... View more

How about something along these lines: index=_internal | head 1 | eval _raw="<BLAdets> <Bladetsmeta> <Metadata><Key>FIELD_1</Key><Label>FIELD 1 test</Label><Value>this is the value of field 1</Value></Metadata> <Metadata><Key>FIELD_2</Key><Label>FIELD 2 test</Label><Value>this is the value of field 2</Value></Metadata> <Metadata><Key>FIELD_3</Key><Label>FIELD 3 test </Label><Value>this is the value of field 3</Value></Metadata> </Bladetsmeta> </BLAdets>" | spath BLAdets.Bladetsmeta.Metadata output=Metadata | rex field=Metadata "\<Key>(?<key>[^\<]*)\</Key>.*\<Value>(?<value>[^\<]*)\</Value>" | eval meta=mvzip(mvzip(key,value,">"),key,"</") | eval meta=mvmap(meta,"<"+meta+">") | spath input=meta ... View more

It looks like you need to replace "/n" with "\n" or perhaps "\n\t" ... View more

Just take it back to 1 spath ... | spath certificates{} output=certificates | mvexpand certificates | table certificates ... View more

Something like set your span to 8h and then trigger the alert on custom condition of "search TradeCount < 2000" ... View more

How are the URLs delimited in FieldA? it looks like in some instances there is a space but not others. Try: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)( |$)" | mvexpand FieldB If there is no space between in some instances, use: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)(https:| |$)" | mvexpand FieldB   ... View more

I am not sure what your base data is but let's assume it is a log of logins with timestamps. So, something like: ... base search ... | bin _time span=1h | stats count by _time | sort -count | where count >= 200 | head 5 That is, bucket events into 1h bins, count events in those bins, sort counts descending, only take counts above 200, just take the top 5 ... View more

Try limiting the number of events with head index="cx_aws" source="notification-service" | head 1 | spath ... I am not sure if this is the right query but it seems to be the one from your image. The point is that head will reduce the number of events from the base search, in this case to 1 i.e. the latest event ... View more

Have you looked at this answer from the archives? Essentially, the escaping is removed from the escaped double quotes, and the embedded field is unquoted, before parsing with spath, allowing the whole log to be parsed as you were hoping for. ... View more