I tried @johnhuang 's solution with a change , it populates but not quite the way i wanted. ========= (`index=A) OR (index=B) | eval pwd_expires=if(nopassexpire==1, "True", "False"), account_type=if(type=="S", "Service Account", account_type) | table is_interactive,account_name,cn,au,acct_name,elid,full_name,full_name,email_address,manager_name,service_account_name,job_title,lob,pwd_expires,service_accout_name,account_type,service_account_id,service_account_id,owner_elid,au_owner_name,au_owner_email | eventstats MAX(*) AS * BY au | eval elid=coalesce(elid,owner_elid) | eval au_owner_email=coalesce(au_owner_email,email_address) | eval au_owner_name=coalesce(au_owner_name,full_name) | eval service_accout_name=coalesce(service_account_name,cn) | eval service_account_id=coalesce(service_account_id,app_id) | rename acct_name as user, account_type as type| eval user=lower(user) | table user type pwd_expires is_interactive service_account_id service_account_name au au_owner_name job_title au_owner_email elid manager_name lob ========= I changed stats to eventstats , it populates value, but i think because of the usage of MAX() function I am not seeing multiple service_account_id or service_acount_names asociated to each au. I am just seeing one entry. But in real the multivalue fields should be split into different rows , but now MAX() messes things up,  and stats values() is creating some multivalue fileds !!!!     stuck !! ... View more

@Sukisen1981  Not an indexed field. Just a regular field. And  as i check now elid and others are not empty for all rows.    ... View more

@johnhuang  - I tried with Stats(value) and sharing you the screenshot. Some of them are multivalue fields, I believe thats why the remaining fields are not populating . Stats(max) removes the multivalue with one value , but then again , rest of the fields are not populating, and also I would want each multivalue field to become separate rows.  Please find the attachment and suggest. ... View more

In my case , I have to search for fields in index bayseian, if the field/fields is not found (means no value), I have to check the other index, where that field might be there but with a different field name. And there is one common field between these two datasources  to correlate . ... View more

I am trying to make it work. Here is my SPL, and this one works and gives me the expected results. and I am having trouble converting it to a stats . =================================================================== `index=bayseian` account_type="Service Account" OR cred="False" OR type=W | join type=left au [ search index=alts sourcetype=auxilary  | fields service_account_id,service_account_name,au,owner_elid,au_owner_name,au_owner_email ] | eval pwd_expires=if(nopassexpire==1, "True", "False"), account_type=if(type=="S", "Service Account", account_type) | eval elid=coalesce(elid,owner_elid) | eval au_owner_email=coalesce(email_address,au_owner_email) | eval au_owner_name=coalesce(full_name,au_owner_name) | eval service_accout_name=coalesce(cn,service_account_name) | eval service_account_id=coalesce(service_account_id,app_id) | rename acct_name as user, account_type as type | eventstats dc(sourcetype) as dc_st | where dc_st>1 | eval user=lower(user) | dedup user | rex field=user "[^:]+:(?<user>[^\s]+)" | table user type pwd_expires is_interactive service_account_id service_account_name au au_owner_name job_title au_owner_email owner_elid manager_name lob | eval _key=user+".key" ============================================================== Any help please? ... View more

I did rename, but it didn't append based on the common field it just appended randomly Here is the query ================================ | inputlookup citizen_data | eval ID1 = ID | rename ID1 as citizen_ID | stats values(name) as name, values(state) as state  by citizen_ID | appendcols [ search index=bayseian souretype=herc | stats values(mobile) as mobile, values(email) as email by citizen_ID ] | table ID, name, state, mobile, email ============================================ ... View more

@johnhuang  - Such a simple yet brilliant solution. I got what I wanted.  Thank you so much, Sir.   ... View more

@johnhuang  -Thanks.  The way I wanted to implement isn't yielding me result. It is failing. I was thinking, is there any way I could condition match and put the same regex logic. So I tried it but it didn't help..Could you suggest any simpler implementation , to validate this text field. <input type="text" token="value"> <label>Value</label> <condition match ..> </condition>         ... View more

@jcraumer  I am new to JavaScript , could you elaborate a bit about the positioning of the if condition in the JavaScript ,please . ... View more

@kamlesh_vaghela How do I stop the dashboard button from submitting, if there is a validation error message ?  I get the validation error message , But even if I don't fix the entry, it still allows me to submit that record.  ... View more

Thank you so much. ... View more

@ITWhisperer  I tested the regex,  It matches when it finds a doublequote , but  it cannot match spaces in the beginning or end. var res = userInput.match("(^\s|\"|\s$)"); ... View more

@ITWhisperer  Sorry for the bother, But could you have a quick glance if the logic is okay, with the added regex.Please ! =========================== require([ 'underscore', 'splunkjs/mvc', 'jquery', "splunkjs/mvc/simplexml/ready!" ], function(_, mvc, $) { var tkn_value = splunkjs.mvc.Components.getInstance("tkn_value_id"); tkn_value.on("change", function(e) { console.log(e) // e.preventDefault(); if (!isValueValid(e)) { alert("Enter Valid Value") return false; } }) function isValueValid(userInput) { console.log(userInput) var res = userInput.match("(^\s|\"|\s$)"); if (res == null) return true; else return false; } }) ================================== ... View more

@ITWhisperer  Thank you. By changing the logic, do you mean something like this.. ? ====== function isFieldValid(userInput) { console.log(userInput) var res = userInput.match(^\s|\"|\s$); if (res == null) return true; else return false; ... View more

Yes, I referred to that link. I  wrote a spl , something like this. | inputlookup myLookUp_Name  | rename lookUp_field as common_field | appendcol [ index = myIndex sourcetype=mySourcetype table SPL_field1, SPLfield2, SPL_field3]   | table lookup_field1 lookup_field2 common_field SPL_field1 SPL_field2 SPL_field3  | outputlookup myLookUp_Name append=t  Above SPL generated the correct output that I would expect to see in the amended kvstore lookup, But after executing the query, although the message in the job inspector said that the collection is updated , but when I checked the look up | inputlookup myLookUp_Name  -- > It had no changes, new columns weren't added. ... View more

@kamlesh_vaghela  Hi Kamlesh, I see the line  userInput.match( The regex inside it appears to be matching with a URL field ..starting with Https:/ etc... But in my case the URL field has a different meaning , the field could contain any string , it doesn't necessarily have to be a web url address.   Can we modify the regex , so that it matches for  - no space padded  in the beginning of the string - no space padded in the end of the string - There should  not be any double quotes sign "  entered in the string. If any of the above matches, it should prompt the user to re-enter the value.  User should keep in mind not to enter strings with spaces in front or end or add any " sign in the input string. ... View more

@PickleRick   hmm.. That makes sense. thanks for the input. ... View more