You could use a hidden panel to set up your styles   <row depends="$STYLES$"> <panel> <html> <style> .main-section-body { background:greenyellow !important; } </style> </html> </panel> </row>   Use a different style for each environment ... View more

How about something like index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | stats count by ss_name, date Then use a stacked bar chart in your dashboard panel  ... View more

Hi @dkgs  You can only provide the expression  LINE\":\"\|(?<user>[^\s]*)\s Unfortunately, I can't see a way of providing the max_match=0 part so you will only be able to extract the first match. To get all the instances in a multivalue field on a more permanent basis, you may have to adopt the transforms and props configuration approach  ... View more

... | eval deployment=case(in(server,"srv1","srv7","srv9"),"Fin",in(server,"srv15","srv19","srv21"),"Jpn",in(server,"srv100","srv102","srv110"),"Bra") ... View more

See duplicate question and answer here  ... View more

Are you sure lookup tables are the way to go? Why not schedule daily reports? ... View more

In your first 2 queries, you are removing fields where distinct count is 1, but you don't appear to be doing this in the last query. Would this not account for the "missing" fields? ... View more

How about something along these lines: index=_internal | head 1 | eval _raw="<BLAdets> <Bladetsmeta> <Metadata><Key>FIELD_1</Key><Label>FIELD 1 test</Label><Value>this is the value of field 1</Value></Metadata> <Metadata><Key>FIELD_2</Key><Label>FIELD 2 test</Label><Value>this is the value of field 2</Value></Metadata> <Metadata><Key>FIELD_3</Key><Label>FIELD 3 test </Label><Value>this is the value of field 3</Value></Metadata> </Bladetsmeta> </BLAdets>" | spath BLAdets.Bladetsmeta.Metadata output=Metadata | rex field=Metadata "\<Key>(?<key>[^\<]*)\</Key>.*\<Value>(?<value>[^\<]*)\</Value>" | eval meta=mvzip(mvzip(key,value,">"),key,"</") | eval meta=mvmap(meta,"<"+meta+">") | spath input=meta ... View more

It looks like you need to replace "/n" with "\n" or perhaps "\n\t" ... View more

Just take it back to 1 spath ... | spath certificates{} output=certificates | mvexpand certificates | table certificates ... View more

Something like set your span to 8h and then trigger the alert on custom condition of "search TradeCount < 2000" ... View more

How are the URLs delimited in FieldA? it looks like in some instances there is a space but not others. Try: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)( |$)" | mvexpand FieldB If there is no space between in some instances, use: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)(https:| |$)" | mvexpand FieldB   ... View more

I am not sure what your base data is but let's assume it is a log of logins with timestamps. So, something like: ... base search ... | bin _time span=1h | stats count by _time | sort -count | where count >= 200 | head 5 That is, bucket events into 1h bins, count events in those bins, sort counts descending, only take counts above 200, just take the top 5 ... View more

Try limiting the number of events with head index="cx_aws" source="notification-service" | head 1 | spath ... I am not sure if this is the right query but it seems to be the one from your image. The point is that head will reduce the number of events from the base search, in this case to 1 i.e. the latest event ... View more

Have you looked at this answer from the archives? Essentially, the escaping is removed from the escaped double quotes, and the embedded field is unquoted, before parsing with spath, allowing the whole log to be parsed as you were hoping for. ... View more

Sorry, there was a mistake in this line | rex field=xy "(?<x>[^,]),(?<y>.*)" It should have been: | rex field=xy "(?<x>[^,]*),(?<y>.*)"  This picks up values of x greater than 9 i.e. more than 1 digit ... View more

... | head 1 ... View more

It looks like the script name is the 11th field assuming "|" is the delimiter so something like this might work ... base search ... | eval logmessage=_raw | makemv delim="|" logmessage | eval script=mvindex(logmessage,10) | stats count by script Indexes start at zero so index 10 for the 11th field  ... View more