Looks like as of Splunk 8.1 you should be able to pipe in tokens into the sendemail command. https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Sendemail If you have a scenario where you may need to email multiple groups across different applications from one search than you may be able to utilize the "map" command piped directly to the "sendemail" command. (May need to some testing on this, but I'm pretty sure I have seen this done before)  Note: map command will attempt to dispatch a search for each row from the parent search returned. There is a default limit of the max searches it will attempt to send (maxsearches=10)  You can find more here. https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map Example: | search index IN ("app_index_1", "app_index_2") CASE(ERROR) | bucket span=1h _time ``` mapping notification user by eval or lookup or possible derived from the _raw data (This example is just setting a hardcoded list of users to each application) ``` | eval notification_users_email=case( 'index'=="app_index_1", mvappend("user_1@acme.com", "user_3@acme.com", "user_5@acme.com"), 'index'=="app_index_2", "user_2@acme.com" ) | stats count as error_count values(notification_users_email) as notification_users_email by _time, app ``` Trigger criteria for more than 50 errors for specific application in a 1 hour time window ``` | where 'error_count'>50 ``` prepare notification user field to be formatted for the sendemail command (convert multivalue field of unique values to a comma delimeted list of users) ``` | eval notification_users_email=mvjoin(notification_users_email, ",") ``` prepare message to send to email list for the application ``` | eval message='app'." had ".'error_count'." errors in a one hour time window. Please investigate..." ``` each row returned from the parent search will be piped into the map command and send out its own email to the list of users associated with the applications meeting the alert criteria ``` | map search="sendemail to=\"$notification_users_email$\" message=\"$message$\"" maxsearches=10     ... View more

I agree with @richgalloway response here for this particular example.  However if you want a more generalize approach to parsing out a table being ingested in Splunk with this format in _raw (capable of accounting for different headers and not having to build out a regex for each time) you may want to try the SPL below. <base_search> ``` Doing this before an mvexpand occurring later in the search pipeline can help attribute the expanded data back to it's orginal event (if needed) ``` | streamstats count as event_count ``` Extract Info from table title (this is the one line that would need to be adjusted for each unique table depending on title format and data you would want extracted from it ``` | rex field=_raw "Disk\s+Utilization\s+for\s+(?<Server>[^\s]+)\s+in\s+(?<Region>[^\s]+)\s+(?<Environment>[^\s]+)\s+\-(?<Server_IP>[^\s]+)" ``` Parse individual rows from the table as a multivalued field ``` | spath input=_raw path=table.tr output=data | fields - _raw ``` mvexpand each row to it's own event ``` | mvexpand data ``` replace tags with standardized breakers for parsing ``` | eval item_data=replace(replace(replace(replace('data', "\<\/t(?:h|d)\>\<t(?:h|d)[^\>]*\>", "<BREAK>"), "^\<t(?:h|d)[^\>]*\>", "<START>"), "\<\/t(?:h|d)\>", "<END>"), "(\<START\>|\<BREAK\>)(\<BREAK\>|\<END\>)", "\1#NULL#\2") ``` set a row count for each table ``` | streamstats count as row_number by event_count ``` assign row type depending on the row number (assumes that the table has a header) ``` | eval row_number='row_number'-1, row_type=if( 'row_number'==0, "header", "data" ), ``` remove start and end tags ``` data_mv=split(replace(replace(item_data, "\<START\>", ""), "\<END\>", ""), "<BREAK>"), ``` trim of any leading or tailing spaces from each entry in the table ``` data_mv=case( mvcount(data_mv)==1, trim(data_mv, " "), mvcount(data_mv)>1, mvmap(data_mv, trim(data_mv, " ")) ) | fields - data, item_data ``` pull header fieldnames into each row of the table to stitch it all together ``` | eventstats list(eval(case('row_type'=="header", 'data_mv'))) as header by event_count ``` mvzip to attribute each table entry to the header field (we will loop through this field to build the table further down the search pipeline) ``` | eval data_mv_zip=mvzip(header, data_mv, "<DELIM>") | fields - header, data_mv ``` we no longer need the row that only holds the header info now that it has been pulled into each data entry row of the table ``` | where NOT 'row_type'=="header" ``` initialize json object that will hold KV pairs of header_fieldname/row_entry ``` | eval table_json=json_object() ``` loop through the MV field and build the json_object containing all KV assignments ``` | foreach mode=multivalue data_mv_zip [ | eval key=mvindex(split('<<ITEM>>', "<DELIM>"), 0), value=mvindex(split('<<ITEM>>', "<DELIM>"), 1), table_json=json_set(table_json, 'key', 'value') ] | fields - key, value, row_type, data_mv_zip ``` spath the json_object just built ``` | spath input=table_json ``` remove the json_object now that we dont need it ``` | fields - table_json ``` list out data in the order that you want it displayed ``` | table _time, event_count, Server, Region, Environment, Server_IP, "Filesystem", "Type", "Blocks", "Used %", "Available %", "Usage %", "Mounted on" ``` remove any placeholder #NULL# values with actual null() values since table has been generated ``` | foreach * [ | eval <<FIELD>>=if( '<<FIELD>>'=="#NULL#", null(), '<<FIELD>>' ) ] You can see the output I got locally using this method below. This method should also account for null values in a the html table as well, whereas the regex shared from your original post makes the assumption that table entries always have a leading and trailing space wrapping a non-null value. Which is true for this table you shared, but for generalizing parsing a html table you may run into issues doing it that way. As a proof on concept here is some output of some simulation data I put together with 3 separate events, each with their own html table and sets of data with their own headers and piping them through this method. Below is the SPL used to generate this screenshot. | makeresults | eval _raw="<p align='center'><font size='4' color=blue>Example: Table 1</font></p> <table align=center border=2> <tr style=background-color:#2711F0 ><th>sample_field_1</th><th>sample_field_2</th><th>sample_field_3</th><th>sample_field_4</th></tr> <tr><td>table1_row1_column1</td><td></td><td>table1_row1_column3</td><td></td></tr> <tr><td>table1_row2_column1</td><td>table1_row2_column2</td><td>table1_row2_column3</td><td>table1_row2_column4</td></tr> <tr><td>table1_row3_column1</td><td></td><td>table1_row3_column3</td><td>table1_row3_column4</td></tr> <tr><td>table1_row4_column1</td><td>table1_row4_column2</td><td>table1_row4_column3</td><td>table1_row4_column4</td></tr> <tr><td></td><td></td><td></td><td>table1_row5_column4</td></tr> </table></body></html>" | append [ | makeresults | eval _raw="<p align='center'><font size='4' color=blue>Example: Table 2</font></p> <table align=center border=2> <tr style=background-color:#2711F0 ><th>sample_field_5</th><th>sample_field_6</th><th>sample_field_7</th></tr> <tr><td></td><td>table2_row1_column2</td><td>table2_row1_column3</td></tr> <tr><td>table2_row2_column1</td><td>table2_row2_column2</td><td>table2_row2_column3</td></tr> <tr><td>table2_row3_column1</td><td></td><td>table2_row3_column3</td></tr> <tr><td></td><td>table2_row4_column2</td><td></td></tr> <tr><td>table2_row5_column1</td><td>table2_row5_column2</td><td>table2_row5_column3</td></tr> </table></body></html>" ] | append [ | makeresults | eval _raw="<p align='center'><font size='4' color=blue>Example: Table 3</font></p> <table align=center border=2> <tr style=background-color:#2711F0 ><th>sample_field_1</th><th>sample_field_2</th><th>sample_field_3</th><th>sample_field_4</th><th>sample_field_5</th><th>sample_field_6</th></tr> <tr><td>table3_row1_column1</td><td></td><td>table1_row1_column3</td><td></td><td>table1_row1_column5</td><td>table1_row1_column6</td></tr> <tr><td>table3_row2_column1</td><td>table3_row2_column2</td><td>table1_row2_column3</td><td>table3_row2_column4</td><td>table1_row2_column5</td><td>table1_row2_column6</td></tr> </table></body></html>" ] ``` Extract Table Titles ``` | spath input=_raw path=p.font output=table_title | streamstats count as event_count | spath input=_raw path=table.tr output=data | fields - _raw | mvexpand data | eval item_data=replace(replace(replace(replace('data', "\<\/t(?:h|d)\>\<t(?:h|d)[^\>]*\>", "<BREAK>"), "^\<t(?:h|d)[^\>]*\>", "<START>"), "\<\/t(?:h|d)\>", "<END>"), "(\<START\>|\<BREAK\>)(\<BREAK\>|\<END\>)", "\1#NULL#\2") | streamstats count as row_number by event_count | eval row_number='row_number'-1, row_type=if( 'row_number'==0, "header", "data" ), data_mv=split(replace(replace(item_data, "\<START\>", ""), "\<END\>", ""), "<BREAK>"), data_mv=case( mvcount(data_mv)==1, trim(data_mv, " "), mvcount(data_mv)>1, mvmap(data_mv, trim(data_mv, " ")) ) | fields - data, item_data | eventstats list(eval(case('row_type'=="header", 'data_mv'))) as header by event_count | eval data_mv_zip=mvzip(header, data_mv, "<DELIM>") | fields - header, data_mv | where NOT 'row_type'=="header" | eval table_json=json_object() | foreach mode=multivalue data_mv_zip [ | eval key=mvindex(split('<<ITEM>>', "<DELIM>"), 0), value=mvindex(split('<<ITEM>>', "<DELIM>"), 1), table_json=json_set(table_json, 'key', 'value') ] | fields - key, value, row_type, data_mv_zip | spath input=table_json | fields - table_json | fields + _time, table_title, event_count, sample_field_* | foreach * [ | eval <<FIELD>>=if( '<<FIELD>>'=="#NULL#", null(), '<<FIELD>>' ) ]   ... View more

Looks like the HEC event is sending the "Request.body" field as a string literal and splunks KV_MODE=json (or INDEXED_EXTRACTION=json) is extracting it that way.  It should be possible to extract it from there still but if you want it extracted at search time you may need to either adjust the source sending the data to send "Request.body" as a valid json array or set up a calculated field in props.conf to get the desired fields extracted (regex is also an option using props/transforms) Here is some SPL of simulated data to give an example of what I think is going on and how Splunk is extracting the fields. | makeresults | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\" } ]\", \"hostname\": \"IT-SALI\" }", example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes" | spath input=_raw | append [ | makeresults | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": [ { \"recordLocator\": \"RYVBNQ\" } ], \"hostname\": \"IT-SALI\" }", example="Example 2: JSON Payload sent with 'Request.body{}' as a json array (no quotes)" ``` The spath below would better represent how splunk would parse it at search time using KV_Mode=json if the array wasn't wrapped in double quotes ``` | spath input=_raw ] | fields - _time | fields + example, _raw, "Request.body", "Request.body{}.recordLocator" Output looks something like this. It is also possible to still get those fields in your search pipeline if that is the route you want to go. | makeresults | fields _ time | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\", \\\"depStartDate\\\": \\\"2023-12-14T14:00:19.671Z\\\", \\\"depEndDate\\\": \\\"2023-12-15T09:20:19.671Z\\\" } ]\", \"hostname\": \"IT-SALI\" }", example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes" | spath input=_raw ``` This spath command should extract fields in "Request.body" fully and will be available with fieldnames formatted with a leading "{}" since it is an array ``` | spath input=Request.body | fields + _raw, Request.body, "{}.*"   Snapshot of the expected output From here you can rename the funky "{}.*" fields by doing the SPL | rename "{}.*" as * ... View more

Adding a by-field of "serial_number" in you final stats will display you chart like this. Similarly, instead of the stats you could do a    | chart count as count over serial_number by result    and this should give you results ver similar. For an overall Pass/Fail visual across all serial number you can do a stats like this   | stats count as count by result   and the resulting chart shows something like this     ... View more

I think utilizing a lookup to track timestamps and changes of the onlineStatus by serialNumber would work for this. | search index="XXXX" invoked_component="YYYYY" "Genesys system is available" | spath input=_raw output=new_field path=response_details.response_payload.entities{} | mvexpand new_field | fields new_field | spath input=new_field output=serialNumber path=serialNumber | spath input=new_field output=onlineStatus path=onlineStatus | where serialNumber!="" | lookup Genesys_Monitoring.csv serialNumber | where Country="Egypt" | stats latest(onlineStatus) as latestOnlineStatus, latest(_time) as latestStatusEpoch by serialNumber, Country | lookup host_online_status_tracking serialNumber, Country OUTPUT latestOnlineStatus as previousLatestOnlineStatus, latestStatusEpoch as previousLatestStatusEpoch | inputlookup append=true host_online_status_tracking | stats first(latest*) as latest*, first(previous*) as previous* by serialNumber, Country | outputlookup host_online_status_tracking | where ('latestStatusEpoch'>'previousLatestStatusEpoch' OR isnull(previousLatestStatusEpoch)) AND NOT 'latestOnlineStatus'=='previousLatestOnlineStatus'   The lookup is referenced to pull in the latest onlineStatus and timestamp from the previous time this search was run. You can see that there is an outputlookup that updates the lookup everytime with the most up-to-date data about each unique serialNumber.  The final where clause is what will determine if the alert will fire or not while the lookup itself should stay updated with onlineStatuses. The idea is that the alert should only fire once after the onlineStatus changes since the lookup will be updated as well. Run 1:     Serial_1: Status=Up         Exported to lookup ----> Serial_1: Status=Up Run 2:     Serial_1: Status=Down <----> Previous_From_Lookup=Up         Alert Fires         Exported to lookup ----> Serial_1: Status=Down Run 3:     Serial_1: Status=Down <----> Previous_From_Lookup=Down         Alert doesn't fire since statuses match         Exported to lookup ----> Serial_1: Status=Down Run 4:     Serial_1: Status=Up <----> Previous_From_Lookup=Down         Alert Fires         Exported to lookup ----> Serial_1=Up . . .          That is the idea anyways. Hope this helps! ... View more

Sounds like you may have the old version still lingering around in <app>/local/data/ui/views/ ... View more

Would an aggregated resulting dataset be sufficient for your ask? I tried to do what I think you are asking by utilizing a stats command to aggregate data from the two indexes together but has just a compressed overview of the analysis. Example of output with simulation data: To achieve this with the base searches you provided would look like this. (index=sith broker sithlord!=darth_maul) OR (index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")) | fields + _time, index, Jname, saber_color, domain, master, strengths, mentor, skill, mission, Sname, strength, teacher, actions | tojson str(saber_color) str(domain) str(master) str(actions) str(mentor) str(mission) str(skill) str(strength) str(strengths) str(teacher) output_field=unique_field_combos_json | fields + _time, index, Jname, Sname, unique_field_combos_json | eval name=coalesce('Jname', 'Sname') | stats min(_time) as earliest_event, max(_time) as latest_event, count as total_count, count(eval('index'=="jedi")) as jedi_count, count(eval('index'=="sith")) as sith_count, values(index) as indexes, dc(index) as dc_indexes, latest(eval(case('index'=="jedi", unique_field_combos_json))) as jedi_unique_field_combos_json, latest(eval(case('index'=="sith", unique_field_combos_json))) as sith_unique_field_combos_json by name | eval scenario=if( 'dc_indexes'==1, case( 'indexes'=="jedi", "Jedi Only", 'indexes'=="sith", "Sith Only" ), "Jedi and Sith" ) | foreach *_unique_field_combos_json [ | eval unique_field_combos_json=if( isnotnull('<<FIELD>>'), mvappend( 'unique_field_combos_json', json_set('<<FIELD>>', "type", "<<MATCHSTR>>") ), 'unique_field_combos_json' ) ] | fields - *_unique_field_combos_json | mvexpand unique_field_combos_json | fromjson unique_field_combos_json | fields - unique_field_combos_json | fields + name, type, scenario, total_count, jedi_count, sith_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher | stats values(*) as * by name | fields + name, type, scenario, *_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher | eval scenario_sort=case( 'scenario'=="Jedi and Sith", 1, 'scenario'=="Jedi Only", 2, 'scenario'=="Sith Only", 3 ) | sort 0 +scenario_sort | fields - scenario_sort   To generate the simulation data was a doozy since I dont have a datagen setup right now but was able to put something together using build in splunk commands. SPL used to simulate for reference. | makeresults count=1000 | eval low=1, high=[ | makeresults | eval index="sith", fields_to_gen=split("Sname|saber_color|strength|teacher|actions", "|") | append [ | makeresults | eval index="jedi", fields_to_gen=split("Jname|saber_color|strengths|mentor|skill|mission|master|domain", "|") ] | mvexpand fields_to_gen | fields - _time | eval value_format=if( match('fields_to_gen', "^[A-Z]name$"), "name", 'fields_to_gen' ) | rename fields_to_gen as fieldname | tojson str(fieldname) str(value_format) output_field=field_format_json | fields + index, field_format_json | stats values(field_format_json) as field_format_json by index | eval field_format_json_array="[".mvjoin(field_format_json, ",")."]" | fields - field_format_json | streamstats count as index_number_assignment | stats max(index_number_assignment) as index_count | return $index_count ], rand=round(((random()%'high')/'high')*('high'-'low')+'low') | fields - low, high | rename rand as index_number_assignment ``` distribute timestamps ``` | streamstats count as iter | eval _time=now()-('iter'/10) | join type=left index_number_assignment [ | makeresults | eval index="sith", fields_to_gen=split("Sname|saber_color|strength|teacher|actions", "|") | append [ | makeresults | eval index="jedi", fields_to_gen=split("Jname|saber_color|strengths|mentor|skill|mission|master|domain", "|") ] | mvexpand fields_to_gen | fields - _time | eval value_format=if( match('fields_to_gen', "^[A-Z]name$"), "name", 'fields_to_gen' ) | rename fields_to_gen as fieldname | tojson str(fieldname) str(value_format) output_field=field_format_json | fields + index, field_format_json | stats values(field_format_json) as field_format_json by index | tojson str(index) str(field_format_json) output_field=json | streamstats count as index_number_assignment | fields + index_number_assignment, json ] | fromjson json | fields - json, index_number_assignment | eval json=json_object() | foreach mode=multivalue field_format_json [ | eval fieldname=spath('<<ITEM>>', "fieldname"), json=json_set(json, 'fieldname', spath('<<ITEM>>', "value_format")."_") ] | fields - field_format_json | spath input=json | fields - json, fieldname | fields + index, * | foreach *name [ | eval low=1, high=5, rand=round(((random()%'high')/'high')*('high'-'low')+'low'), <<FIELD>>='<<FIELD>>'.'rand' | fields - low, high, rand ] | foreach * [ | eval low=1, nested_high=10, nested_rand=round(((random()%'nested_high')/'nested_high')*('nested_high'-'low')+'low'), high='nested_rand', rand=round(((random()%'high')/'high')*('high'-'low')+'low'), <<FIELD>>=if( NOT match("<<FIELD>>", "[A-Z]name$") AND NOT "<<FIELD>>"=="index", '<<FIELD>>'.'rand', '<<FIELD>>' ) | fields - low, high, rand, nested_high, nested_rand ] | eval Jname=if( 'index'=="jedi" AND 'Jname'=="name_1", "name_unique_jedi", 'Jname' ), Sname=if( 'index'=="sith" AND 'Sname'=="name_2", "name_unique_sith", 'Sname' ) ``` (index-=sith broker sithlord!=darth_maul) OR (index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")) | fields + _time, index, Jname, saber_color, domain, master, strengths, mentor, skill, mission, Sname, strength, teacher, actions ``` | tojson str(saber_color) str(domain) str(master) str(actions) str(mentor) str(mission) str(skill) str(strength) str(strengths) str(teacher) output_field=unique_field_combos_json | fields + _time, index, Jname, Sname, unique_field_combos_json | eval name=coalesce('Jname', 'Sname') | stats min(_time) as earliest_event, max(_time) as latest_event, count as total_count, count(eval('index'=="jedi")) as jedi_count, count(eval('index'=="sith")) as sith_count, values(index) as indexes, dc(index) as dc_indexes, latest(eval(case('index'=="jedi", unique_field_combos_json))) as jedi_unique_field_combos_json, latest(eval(case('index'=="sith", unique_field_combos_json))) as sith_unique_field_combos_json by name | eval scenario=if( 'dc_indexes'==1, case( 'indexes'=="jedi", "Jedi Only", 'indexes'=="sith", "Sith Only" ), "Jedi and Sith" ) | foreach *_unique_field_combos_json [ | eval unique_field_combos_json=if( isnotnull('<<FIELD>>'), mvappend( 'unique_field_combos_json', json_set('<<FIELD>>', "type", "<<MATCHSTR>>") ), 'unique_field_combos_json' ) ] | fields - *_unique_field_combos_json | mvexpand unique_field_combos_json | fromjson unique_field_combos_json | fields - unique_field_combos_json | fields + name, type, scenario, total_count, jedi_count, sith_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher | stats values(*) as * by name | fields + name, type, scenario, *_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher | eval scenario_sort=case( 'scenario'=="Jedi and Sith", 1, 'scenario'=="Jedi Only", 2, 'scenario'=="Sith Only", 3 ) | sort 0 +scenario_sort | fields - scenario_sort ... View more

So using this method below I believe will do it.   ``` This join is to pull in an array of all Regions you want to search for in the 'Region' multivalue field ``` ``` There are other way to make the list (hardcoded, macros, lookups) I'm just using a lookup as a POC for if the list is large and is easy to maintain ``` | join type=left [ | inputlookup list_of_regions | stats values(list_of_regions) as list_of_regions | eval list_of_regions_array=mv_to_json_array(list_of_regions) | fields - list_of_regions ] ``` Convert array to multivalue field of all regions to search for ``` | eval list_of_regions=json_array_to_mv(list_of_regions_array) | fields - list_of_regions_array ``` Use the regions multivalue field to build a regex ``` | eval list_of_regions_regex="(?i)(".mvjoin(list_of_regions, "|").")" ``` pipe in the regex build from regions into this eval to loop through multivalue fields ``` | eval Test_loc_method2=case( isnull(Region), null(), mvcount(Region)==1, if(match(Region, $list_of_regions_regex$), replace(Region, ".*".$list_of_regions_regex$.".*", "\1"), null()), mvcount(Region)>1, mvmap(Region, if(match(Region, ".*".$list_of_regions_regex$.".*"), replace(Region, ".*".$list_of_regions_regex$.".*", "\1"), null())) ) | fields - list_of_regions, list_of_regions_regex ``` Pipe in matches that returned into the 'list_of_regions' lookup to pull back a formatted version of the match. Note: This lookup definition must have case sensitivity turned off for this part to work as intended. ``` | lookup list_of_regions list_of_regions as Test_loc_method2 OUTPUT list_of_regions as formatted_matched_region     Full SPL I used to generate this output   | makeresults | fields - _time | eval Region=split("sh Bangalore Test|Chennai|Hyderbad", "|") | append [ | makeresults | fields - _time | eval Region=split("test China 1|India| ", "|") ] | append [ | makeresults | fields - _time | eval Region=split(" |Loc USA 2|London", "|") ] | append [ | makeresults | fields - _time | eval Region=split("lowercased china to test|New York|usa (America)", "|") ] ``` This join is to pull in an array of all Regions you want to search for in the 'Region' multivalue field ``` ``` There are other way to make the list (hardcoded, macros, lookups) I'm just using a lookup as a POC for if the list is large and is easy to maintain ``` | join type=left [ | inputlookup list_of_regions | stats values(list_of_regions) as list_of_regions | eval list_of_regions_array=mv_to_json_array(list_of_regions) | fields - list_of_regions ] ``` Convert array to multivalue field of all regions to search for ``` | eval list_of_regions=json_array_to_mv(list_of_regions_array) | fields - list_of_regions_array ``` Use the regions multivalue field to build a regex ``` | eval list_of_regions_regex="(?i)(".mvjoin(list_of_regions, "|").")" ``` pipe in the regex build from regions into this eval to loop through multivalue fields ``` | eval Test_loc_method2=case( isnull(Region), null(), mvcount(Region)==1, if(match(Region, $list_of_regions_regex$), replace(Region, ".*".$list_of_regions_regex$.".*", "\1"), null()), mvcount(Region)>1, mvmap(Region, if(match(Region, ".*".$list_of_regions_regex$.".*"), replace(Region, ".*".$list_of_regions_regex$.".*", "\1"), null())) ) | fields - list_of_regions, list_of_regions_regex ``` Pipe in matches that returned into the 'list_of_regions' lookup to pull back a formatted version of the match. Note: This lookup definition must have case sensitivity turned off for this part to work as intended. ``` | lookup list_of_regions list_of_regions as Test_loc_method2 OUTPUT list_of_regions as formatted_matched_region     Note: I created a lookup for this example with CSV named "list_of_regions.csv" and with lookup definition named "list_of_regions". On the definition I turned off the case-sensitivity to allow for a formatted region to be returned on the last step if desired. You don't necessarily have to use a lookup for this method to work, I just found that if the list gets large that storing them in lookups sometimes makes things easier to maintain.  If you only really need to use the list of regions for a single search you could probably just have them hardcoded into the search itself (Or just build the hardcoded regex based of your list) I just was sharing how you can sometimes pipe in $token$ into an eval function and it seemed to fit your use-case here. And for reference of what the lookup looks like here is a screenshot of what I used for this.   ... View more

Few different ways to approach this if I understand you problem correctly | makeresults | fields - _time | eval Region=split("Bangalore|seattle|bangalore|Galveston|sh bangalore Test", "|") ``` Different Eval Methods ``` | eval test_loc_method1=mvfilter(match(Region, "(?i)bangalore")), test_loc_method2=mvdedup( case( isnull(Region), null(), mvcount(Region)==1, if(match(Region, "(?i)bangalore"), "Bangalore", null()), mvcount(Region)>1, mvmap(Region, if(match(Region, "(?i)bangalore"), "Bangalore", null())) ) ) ``` Rex Method ``` | rex field=Region "(?<rec_loc>(?i)bangalore)"  Mostly just depends on how you want the outputted eval field to look. test_loc_method2 gives a clean single value result with a hardcoded result given that the regex pattern is found somewhere in the multivalue field.   ... View more

You may need to put single quotes around your field in the where clause Example: | makeresults | eval "Fail%"=25 | where 'Fail%'>10 ... View more

Should be able to fit both conditions into one if() logic statement if((spath(logs, "test_name")=="Motor" OR spath(logs, "test_name")=="Pass"), 'logs', null()) or maybe even something like this. if(spath(logs, "test_name") IN ("Motor", "Pass"), 'logs', null()) ... View more

So there are two ways I can think of parsing this One using MVExpand <base_search> | spath path=info.indicators{} output=indicators | table indicators | eval time_count_indicator_json=case( isnull(indicators), null(), mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()), mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null())) ) | fields - indicators ``` Method 1 using MVExpand ``` | mvexpand time_count_indicator_json | spath input=time_count_indicator_json | fields - time_count_indicator_json and another that is parsing an array of json_objects matching your criteria of only events "timeCountIndicator" <base_search> | spath path=info.indicators{} output=indicators | table indicators | eval time_count_indicator_json=case( isnull(indicators), null(), mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()), mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null())) ) | fields - indicators ``` Method 2 parsing MV Field as array of json_objects ``` | eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]" | spath input=time_count_indicator_json_array | fields - time_count_indicator_json, time_count_indicator_json_array | rename "{}.*" as * I personally find the mvexpand method to be a much cleaner output to work with. Method 2 could potentially lead to mvfields being unaligned if any of the json_objects have a null value for that field. But depend on the use case and data volume you are trying to parse because mvexpand can be memory intensive.  SPL used to replicate: | makeresults | eval _raw="{\"env\": \"prod\", \"host\": \"prod\", \"name\": \"appName\", \"info\": {\"data\": [], \"indicators\": [{\"details\": {\"A.runTime\": 434, \"A.Count\": 0, \"B.runTime\": 0, \"B.Count\": 0}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.downCount\": 2, \"A.nullCount\": 0, \"B.downCount\": 0, \"B.nullCount\": 0}, \"name\": \"downCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.runTime\": 333, \"A.Count\": 2, \"B.runTime\": 21, \"B.Count\": 4}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}], \"status\": \"DOWN\"}, \"metrics\": {}, \"ping\": 1}" | spath path=info.indicators{} output=indicators | table indicators | eval time_count_indicator_json=case( isnull(indicators), null(), mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()), mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null())) ) | fields - indicators ``` Method 1 using MVExpand ``` | mvexpand time_count_indicator_json | spath input=time_count_indicator_json | fields - time_count_indicator_json ``` Method 2 parsing MV Field as array of json_objects ``` ``` | eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]" | spath input=time_count_indicator_json_array | fields - time_count_indicator_json, time_count_indicator_json_array | rename "{}.*" as * ``` ... View more

mvmap() function loops through all values in multivalued field and applies an operation to each individual entry. Combining this functionality with if() conditions you can get pretty slick with working with MV fields. So for this situation you can see that we are looping through entries in the MV field `logs` So step one it it looks at the value... {"test_name": "Disable UGC USB Comm Watchdog", "result": "Pass"} We then apply the if() function to check a specific condition for this individual entry in our loop if(spath(logs, "test_name")=="Motor", 'logs', null())   spath is checking the value of key "test_name" in this entry and if it is equal to "Motor" then we are taking that individual entry (json_object) and dropping it into a new field named "selective_json" If there were multiple entries matching this criteria then selective_json would also be a multivalued field but but would be filtered down to only include the json_objects whose "test_name"=="Motor". MVMap function is great but I have found very odd bug with it sometimes. From what I can tell, without checking if the field is actually mutivalued before using mvmap against it there can be strange behavior when jumping between events. To get around that I have found that nesting it in a case() function to first check if the values of an field in each event is null, single_value, or multi_value to determine which operation to use. ... View more

You may be better off formatting your search command to be like  | search [ | inputlookup test.csv | fields + <filter_field> | rename <filter_field> as pp_user_action_name | format ] You can see here that the format command formats the output of the subsearch as a valid search string that gets used in the parent search. Example of subsearch output:  Example of this used on a local Splunk instance:   ... View more

Since you are referencing EventCode=4624 you are looking to use lack of login activity to determine if a system is inactive? If this is what you are trying to do I think this SPL may do it (provided you have a static threshold to use for time since the last login from a user) index=<windows_index> sourcetype=WinEventLog signature_id="4624" | fields + _time, dest, signature_id, user, signature | stats values(signature) as signature, latest(_time) as last_login_epoch by dest, user | eval seconds_since_last_login=now()-'last_login_epoch', days_since_last_login=round(('seconds_since_last_login'/(60*60*24)), 2), duration_since_last_login=tostring(seconds_since_last_login, "duration") ``` user exclusion list ``` ``` if this list is large then storing results in a lookup or macro may make the most sense ``` ``` Example SPL for exclusion using lookup: | lookup windows_user_exclusion_list user OUTPUT user as exclusion_user | where isnull(exclusion_user) | fields - exclusion_user ``` ``` Example SPL for exclusion using hardcoded list of users: | search NOT user IN ("user_1", "user_2", "user_3", ..., "user_n") ``` | eventstats min(seconds_since_last_login) as latest_login_on_host_by_user_in_seconds by dest | eval last_login_user=if( 'seconds_since_last_login'=='latest_login_on_host_by_user_in_seconds', 'user', null() ) | stats max(last_login_epoch) as latest_login_epoch, min(latest_login_on_host_by_user_in_seconds) as latest_login_on_host_by_user_in_seconds, values(last_login_user) as last_login_user by dest | eval days_since_last_login=round(('latest_login_on_host_by_user_in_seconds'/(60*60*24)), 2), duration_since_last_login=tostring('latest_login_on_host_by_user_in_seconds', "duration") | convert ctime(latest_login_epoch) as latest_login_by_user_timestamp | fields dest, last_login_user, latest_login_by_user_timestamp, days_since_last_login, duration_since_last_login ``` This where clause can be tuned to desired threshold ``` | where 'days_since_last_login'>14 output will look something like this   ... View more