That's a cool way to remove something from a string! I'll add that to my repertoire, thanks! ... View more

Glad to hear that 🙂 ... View more

If I understand your problem correctly, you have to set your search range to "-1h@h" it will then always start the search at the beginning of the last hour. For example if you start a search at 12:05 with "-1h@h" the range will be 11:00-12:00. _______________________________________ If this was helpful please consider awarding Karma. Thx! ... View more

If I understand @angadbagga correctly, he wants to remove the date stamp on the line chart on the bottom (see lower left of the attached screenshot)   ... View more

I don't think this is possible with the classic dashboard layout because of simple XML limitations.  It is very easily achievable with the new dashboard studio though (which you can choose upon creation of the dashboard) because it allows you to move panels wherever you want on the dashboard. Hope this helps! _______________________________________ If this was helpful please consider awarding Karma. Thx!   ... View more

The percentage shown is calculated as part of the Pie Chart Visualisation. As far as I know there are no Formatting Options (UI or SourceCode) that can change this. So the only way I can imagine is to make a custom visualisation that is an exact copy of the Splunk-Build Pie Chart and modify the code in there.  But I don't know if that effort is worth it. My only other guess would be to look into the code of the page and see if there is a possibility to modify it through HTML Code Inserted into the XML Code of the Dashboard but that's a far stretch _______________________________________ If this was helpful please consider awarding Karma. Thx! ... View more

If you are sure that the field which includes the phone number ist called "phone" then the extraction should work. Since you want a list of phone numbers though, the second part of your query should use the extracted field: | stats values(phone_number) as PhoneNumber by sessionId _______________________________________ If this was helpful please consider awarding Karma. Thx!   ... View more

Are you sure the field you want to extract from is called body? If you want to extract from the event itself and not a specific field use: | rex field=_raw ... View more

| lookup Blocked_IP src_ip OUTPUT src_ip as is_blocked creates a field is_blocked for every event where a matching IP is found in the lookup. | where isnull(is_blocked) then removes all events where the field is_blocked has a value (all events that have a matching ip). ... View more

These articles could help you: https://community.splunk.com/t5/Splunk-Search/Masking-data-using-regex-during-Indexing/m-p/319796 https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ... View more

| transaction jsessionid maxspan=5s means that the first and the last event the transaction is build with can't be further apart than 5 seconds. You can also set minutes or hours like this: - maxspan=10m - maxspan=1h   Edit: As far as I know there is no timelimit option for the transaction command. I also wasn't able to find it in the documentation for the command: https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Transaction ... View more

You could try the following: index=anIndex sourcetype=aSourceType | transaction transaction_identifier startswith="START" endswith="COMPLETED OK" | table startTimeRaw, endTimeRaw   The transaction_identifier has to be a value that is found in all relevant events and specific to that instance. For example, if you want to track a purchase then the transaction_identifier could be the ID of the transaction. Or if you want to track the session of a user you could use the username or the user's ID as the transaction_identifier. ... View more

In that case I can totally understand why you wouldn't want to create a custom list or lookup!  Interested in your problem I found out that you can get a complete list of your dashboards with the command: | rest /servicesNS/-/-/data/ui/views "-" are for user and app apparently. Using the - - you'll see any dashboard on your system. You could do a subsearch on it and return only the label of the dashboards as a column.. then compare the name column of your search with the label of the dashboard list and then do the if function from my first comment? ... View more

Maybe you could create a list of all your current dashboards and set the count field with an if function.. If the Name of your Dashboard in your self-made list exists in the index, output the count for the dashboard from the index otherwise output 0. ... View more

Hi, I have no knowledge of how this type of search behaves..but if this kind of directory also has fields can't you just use |fields attribute_name_field to get rid of any other field but the name?  (like I said im just blindly guessing since I have never used Idapsearches! I hope you can resolve your problem!) ... View more

Hi @simonafcbrown, (relatively new member here as well so I might be wrong about some stuff and PLEASE anybody correct me if I write something wrong 🙂) From what I understand from your post you have already indexed your csv file through the "add Data" function of Splunk.  If not you have 2 options: 1. Click the splunk logo(top left), click add Data and upload your csv as an input file. During this process you can set an Index your Data will get sent into. (Default or custom Index) To access this data in a search for your dashboard simply start your search with: index=yourIndexName searching with just this string will give you any indexed events in the selected time range! Then you can follow up with your desired search. 2. You can also create a Lookup from your csv Data. A  file with columns and rows can be loaded as a Lookup in Settings->Lookup->new file (Lookup table files) Then also create a new Lookup Definition for your uploaded Lookup File. You can access the created Lookup File in your search through: | inputlookup yourLookupName if all was done correctly you can search your source for data! To add your search to a Dashboard just go to "Save as" in the top right of your search and create a Dashboard  from there. You can also add Searches to existing Dashboards here if you pick "Existing" I hope my explanation was helpful!  also for most of the questions you have, docs.splunk is your friend 🙂 https://docs.splunk.com/Documentation   ... View more

Even though it would technically work it's not quite what I'm looking for. My goal was to avoid if or case functions to make the formatting of the tag_value easier.. but maybe it's the only possible way.  Thanks for your suggestion though! Maybe it'll help anyway. ... View more

Hey,  I'm relatively new to Splunk so I don't know if there is a more elegant way to do this but the following code should work just fine: | makemv ip | makemv user | makemv system | mvexpand ip | mvexpand user | mvexpand system | dedup user ip system This should output a row for every combination in your source excluding the duplicates. If the fields are already multivalue then you can skip all the "Makemv" lines! ... View more