Unfortunately this is not working the panel is always displayed and does a search.  No matter the data point I click in the chart the search happens but doesn't use the date/time of the click.  Even my "labelApp" token is not displaying properly.  See below: Three corrections: The panel you are trying to hide is "Drill Down Events".  It does not appear before you select an index.  In fact, it does not appear after you select an index to populate the panel titled "Total Combined Requests Per Time_Span Graph ($labelApp$)", either.  No matter what you do, this panel will never appear because the token $drilldown1$ can never be populated in this code. $labelApp$ IS displayed properly in that panel's title.  When selection is "All", it displays an asterisk ("*").  This is the value of "All". No matter what datapoint you click, token $drilldown1$ cannot be populated based on your drilldown logic, <eval token="drilldown1">$earliest$</eval>.  The search used in "Total Combined Requests Per Time_Span Graph ($labelApp$)", namely baseSearch2, does not produce a field named earliest.  This is why nothing can happen when you click in that panel. ... View more

This is quite confusing.  You should not flatten your multivalue req_id_list in the first place.  First, make sure your list is multivalue: | stats list(request_id) as req_id_list No mvjoin allowed.  Then, use with parentheses after IN operator. (See documentation in Logical expression options.) | search req_id IN ($req_id_clause$)   ... View more

3. I dont want click 27 times on each to select all of them 4. I want click one time on  "Select all matches" as it is in Studio to select all matched values. Then, implement my sample code with the label "Select all matches".  It will not magically show checkmarks over 27 selections, but it will do exactly what 27 clicks will accomplish. ... View more

Have you looked at extraction_cutoff in limits.conf? ... View more

I do not recommend where command as a general substitute for search command, but @ITWhisperer is correct in that regex is more appropriate for your use case, especially because your data comes from inputlookup. | inputlookup uf_ssl_kv_lookup | where match(hostname, "^AB100\d+TILL") AND NOT match(hostname, "TILL(100|101|102|150|151)$")   ... View more

Like @livehybrid and yourself said, there are a milliard of method to perform match.  Here is another given that you know that listA does not contain domain name. | eval matching=if(listA == mvindex(split(listB, "."), 0), "OK", "NOT OK") split-mvindex is slightly less expensive than regex/match.  But the difference is really small.  The real question is like @livehybrid asked: Are there some constraints in your use case that would prefer one solution over another? ... View more

The "All" selection in the mock dashboard I posted earlier fulfills exactly the same functionality of "Select all" in Dashboard Studio.  You can make the "All" selection on top of the choice list.  As I explained the last time, Dashboard Classic (Simple XML) does not support "select all" via UI function.  If you want the user to have the capability to functionally do what "Select all" does, add the "All" selection like I suggested.  Otherwise, tell your users that they have to go manually select every choice. (Users may be used to the idea that "All" means "Any".  If that is a problem, you can make an "All" entry using semantics of "any" (*), then name the special selection I demonstrated something like "All match".) ... View more

Due to security I was not sharing complete message . So below mentioned event is getting returned You can post sample event in text after sanitation, that is, replacing sensitive information, be it field name or field value, with fake strings.  The key is to preserve structure of data, such as punctuation and other "major separators". Based on your screenshot, it is clear that your events themselves are not in JSON.   That is why the field audit.addBy is not present at search time.  This is also why your spath command has no effect.  On the other hand, your events do contain a JSON message. What you need is to first extract that JSON message.  Try this. kubernetes_cluster="abc*" index="aaaa" sourcetype = "kubernetes_logs" source = *pub-sub* | rex "^[^\{]+(?<json_portion>\{.+\})" | spath input=json_portion path=audit.addBy | stats count by audit.addBy   ... View more

I would like to understand how to perform a lookup on multiple values separated by a delimiter. As I explained in my initial comment, there is no such match. (I mean, you CAN perform complicated maneuvers with such a table to accomplish matching.  And I have.  But don't call that a lookup.)  Please explain exactly how you are going to use this lookup (using data illustration), AND what exact "problems" does mvexpand cause (again, using data illustration). ... View more

But I need select All Matches: It's about time you explain exactly this sentence means.  Make sure you illustrate data, desired output based on illustrated data, and explain the use case without SPL. ... View more

Like @bowesmana says, if your data is as you illustrated, and if your search is exactly like you have shown, the search should give you the correct results.  So, my speculation is that in your real search, spelling of myfiled in spath and in stats are different.  For example, maybe your actual search was spelled like |spath output=myfiled path=audit.addBy | stats count by myfield By the way, there should be no need for spath as @bowesmana says.  This search should give you exactly the same result kubernetes_cluster="abc*" index="aaaa" sourcetype = "kubernetes_logs" source = *pub-sub* | stats count by audit.addBy   ... View more

I need the multivalue field to remain unchanged in the external lookup so that I can accurately compare user IDs with other lookups. I have tried using mvexpand before exporting, but it introduced By making the output a comma-delimited list is exactly keeping the multivalue unchanged.  If userid from other data sources are to match 890000, for example, the only way to do this is to make 890000 on its own row. If you want concrete help from volunteers, you need to carefully describe your use case.  How is this to "compare user IDs with other lookups?" What does the data look like?  What are symptoms of "problems" caused by mvexpand?  As always, illustrate your point with exact data (anonymize as necessary). ... View more

Is it possible that your raw event is noncompliant?  This is what your illustrated event format suggests.  If that format is exact, Splunk cannot extract anything other than "name" field.  There are two elements that violates JSON syntax.  The mock event contains two bare strings that are not key-value pairs, as pointed out as "MISSING-KEY1" and "MISSING-KEY2" in the following pretty-print of a "corrected" conformant JSON object: { "name": "", "MISSING-KEY1": "", "pid": 8, "level": 50, "error": { "message": "Request failed with status code 500", "name": "AxiosError", "stack": "AxiosError: Request failed with status code 500\n )", "config": { "transitional": { "silentJSONParsing": true, "forcedJSONParsing": true, "clarifyTimeoutError": false }, "adapter": [ "xhr", "http" ], "transformRequest": [ null ], "transformResponse": [ null ], "timeout": 0, "xsrfCookieName": "X", "xsrfHeaderName": "X-", "maxContentLength": -1, "maxBodyLength": -1, "env": {}, "headers": { "Accept": "application/json, text/plain, */*", "Content-Type": "application/json", "Authorization": "", "User-Agent": "", "Accept-Encoding": "gzip, compress, deflate, br" }, "method": "get", "MISSING-KEY2": "" }, "code": "ERR_BAD_RESPONSE", "status": 500 }, "eventAttributes": { "Identifier": 2025732, "VersionNumber": "A.43" }, "msg": "msg:data:error", "time": ":48:38.213Z", "v": 0 } If your actual events are non-compliant, Splunk will not have a value for error.status. By the way,  the command "eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx")" is wasted as your stats command does not use the field status. ... View more

usually we use this easier option for this - choice called "All" using "*" as value I understand the desire to use a simpler method.  However, as your this reply to @gcusello says, that option will not satisfy your use case which is to make sure all listed options are a match, not "any" as "*" would have done. ("*" should really be named "Any", not "All") My solution, on the other hand, meets that requirement; it is functionally equivalent to Dashboard Studio's "Select all" mouse action.  If I am not mistaken, @woodcock's suggestion uses a similar concept except it populates an additional text box. ... View more

I know it's already a party.  But I have to agree with @PickleRick that throwing out a random SPL snippet is not a good way to use volunteers' time.  Here are four golden rules of asking an answerable question that I call four commandments: Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at). Illustrate the desired output from illustrated data. Explain the logic between illustrated data and desired output without SPL. If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious. In this spirit, if I have to read your mind, I will start by reverse engineering what your data look like: Some your raw data contains text strings like "Duplicate Id's that needs to be displayed ::::::[6523409, 6529865]".  Given such an event, the desired output is a multivalue field containing values 6523409 and6529865.  Let us call this field "duplicate_ids".  Something to this effect: _raw duplicate_ids blah, blah, blah Duplicate Id's that needs to be displayed ::::::[6523409, 6529865] - and more blahs 6523409 6529865 Is this the use case?  If yes, here is what I do   | rex "Duplicate Id's that needs to be displayed :*(?<duplicate_ids>\[[^\]]+\])" | eval duplicate_ids = json_array_to_mv(duplicate_ids)   (The above requires Splunk 8.1 or later.  But it is not the only way to do this.) Here is an emulation for you to play with and compare with real data   | makeresults | fields - _time | eval _raw = "blah, blah, blah Duplicate Id's that needs to be displayed ::::::[6523409, 6529865] - and more blahs" ``` data emulation above ```   ... View more

Classic UI does not have a provision to allow "select all choices" with one click.  But you can make an entry that has all choices.  Maintainability of such a code depends on how you populate this multivalue input.  It can be very easy if the input is populated by a search.  Just use appendpipe, like this index=_internal | stats count by group | eval label = group | appendpipe [stats values(group) as group | eval label = "All"] In this example, I want an input that can select one or more values from field group.  For "normal" entries, label will be the same as group value.  But I use appendpipe to add a row with label "All". Here is a complete example for you to play with and compare with real use case: <form version="1.1" theme="dark"> <label>"Select all choices"</label> <description>https://community.splunk.com/t5/Splunk-Search/Multiselect-filter-Select-all-matches-in-classic-dashboard/m-p/741079#M240547</description> <fieldset submitButton="false"> <input type="multiselect" token="group_tok" searchWhenChanged="true"> <label>Select groups</label> <fieldForLabel>label</fieldForLabel> <fieldForValue>group</fieldForValue> <search> <query>index=_internal | stats count by group | eval label = group | appendpipe [stats values(group) as group | eval label = "All"]</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <initialValue>bucket_metrics,cachemgr_bucket,conf,deploy-connections,deploy-server,dutycycle,executor,instance,kvstore_connections,map,mpool,parallel_reduce_metric,per_host_agg_cpu,per_host_lb_cpu,per_host_msp_cpu,per_host_thruput,per_index_agg_cpu,per_index_lb_cpu,per_index_msp_cpu,per_index_thruput,per_source_agg_cpu,per_source_lb_cpu,per_source_msp_cpu,per_source_thruput,per_sourcetype_agg_cpu,per_sourcetype_lb_cpu,per_sourcetype_msp_cpu,per_sourcetype_thruput,pipeline,pipelineset,queue,realtime_search_data,regex_cache,search_concurrency,search_health_metrics,search_pool,searchscheduler,spacemgr,subtask_seconds,tailingprocessor,telemetry_metrics_buffer,thruput,tpool,uihttp,version_control</initialValue> <delimiter> </delimiter> </input> </fieldset> <row> <panel> <table> <search> <query>index=_internal group IN ($group_tok$) | stats count by group</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> If the multiple choices are static, the code will be harder to maintain because every time you add or delete an entry, you must add or delete from two places. (In this case, use of makeresults may help maintain sanity.) Hope this helps. ... View more

Do you mean to say pie chart is not showing labels on smaller slices?  This is what I get when I really press down both graph size and smallest slice. (0.41% is currently the smallest.)  Yes, outward labels for smaller slices have disappeared.  But each slice is still present; if I mouse over them, their individual labels, values, and shares still show (second screenshot)  This seems to be a sensible use of real estate.  Then, if you have many especially small slices, there will be a limitation as to whether your mouse cursor could land on a given slice.   This is my new emulation | makeresults | eval _raw = "PARAMETER VALUE ASDF 6 XCV 34 ERT 1 TDED 14 GHT 3 GHB 2 BNHJ 57 QWE 17 DDD 9 YYY 8 KLO 7 POL 2 YUO 82 TRYU 2" | multikv | fields - _* linecount | sort VALUE   ... View more

Not sure what you see, but this works in my instance. Data emulation is | makeresults | eval _raw = "PARAMETER VALUE ASDF 6 XCV 34 ERT 1 TDED 14 GHT 3 GHB 2 BNHJ 17 QWE 17 DDD 9 YYY 8 KLO 7 POL 2 YUO 82 TRYU 2" | multikv | fields - _* linecount ... View more

As several people urged you, please post a complete sample of event, not screen cutouts.  You can sanitize the sample any way you like, but keep quotation marks, commas, curly brackets, square brackets in exact place. Meanwhile, the cutouts give me enough info to determine that part of the event is JSON.  Here is an experiment for you. | rex "^[^{]+(?<only_json>.+})" | spath input=only_json See if more fields gets out. ... View more

Forget your extractions.  As the code snippet looks exactly like trying to use regex to extract from JSON.  Could you clarify whether the full raw event is in JSON? If it is, do not use regex.  If JSON is just part of event, the best option is to use extraction to extract the part that is JSON instead of directly extracting information fragment. ... View more

Thank you for illustrating the use case clearly with sample data, logic, and expected result from sample.  But you also want to specify if Json1 and json2 are in the same row/event.  Here is a solution if they are.   | table Json1 json2 | transpose 0 column_name=name | spath input="row 1" | fields - "row 1" | foreach *{} [eval <<MATCHSTR>>_array = mv_to_json_array('<<FIELD>>')] | fillnull value=null | fields - *{} | stats list(*) as * | foreach * [eval "<<FIELD>>" = if(mvcount(mvdedup('<<FIELD>>')) < 2, null(), '<<FIELD>>')] | transpose 0 column_name=KeyName | search "row 1" = * | eval KeyName = if(KeyName LIKE "%_array", replace(KeyName, "_array$", "{}"), KeyName) | eval "Old Value" = mvindex('row 1', 0), "New Value" = mvindex('row 1', 1) | fields - "row 1" | foreach *Value [eval <<FIELD>> = if('<<FIELD>>' != "null", '<<FIELD>>', if(KeyName LIKE "%{}", "[]", null()))]   Here is an emulation you can play with and compare with real data.   | makeresults | fields - _time | eval Json1 = "{ \"id\": \"XXXXX\", \"displayName\": \"ANY DISPLAY NAME\", \"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\", \"modifiedDateTime\": \"2025-02-05T10:30:40.0351794+00:00\", \"state\": \"enabled\", \"conditions\": { \"applications\": { \"includeApplications\": [ \"YYYYY\" ], \"excludeApplications\": [], \"includeUserActions\": [], \"includeAuthenticationContextClassReferences\": [], \"applicationFilter\": null }, \"users\": { \"includeUsers\": [], \"excludeUsers\": [], \"includeGroups\": [ \"USERGROUP1\", \"USERGROUP2\" ], \"excludeGroups\": [], \"includeRoles\": [], \"excludeRoles\": [] }, \"userRiskLevels\": [], \"signInRiskLevels\": [], \"clientAppTypes\": [ \"all\" ], \"servicePrincipalRiskLevels\": [] }, \"grantControls\": { \"operator\": \"OR\", \"builtInControls\": [ \"mfa\" ], \"customAuthenticationFactors\": [], \"termsOfUse\": [] }, \"sessionControls\": { \"cloudAppSecurity\": { \"cloudAppSecurityType\": \"monitor\", \"isEnabled\": true }, \"signInFrequency\": { \"value\": 1, \"type\": \"hours\", \"authenticationType\": \"primaryAndSecondaryAuthentication\", \"frequencyInterval\": \"timeBased\", \"isEnabled\": true } } }", json2 = "{ \"id\": \"XXXXX\", \"displayName\": \"ANY DISPLAY NAME 1\", \"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\", \"modifiedDateTime\": \"2025-02-06T10:30:40.0351794+00:00\", \"state\": \"enabled\", \"conditions\": { \"applications\": { \"includeApplications\": [ \"YYYYY\" ], \"excludeApplications\": [], \"includeUserActions\": [], \"includeAuthenticationContextClassReferences\": [], \"applicationFilter\": null }, \"users\": { \"includeUsers\": [], \"excludeUsers\": [], \"includeGroups\": [ \"USERGROUP1\", \"USERGROUP2\", \"USERGROUP3\" ], \"excludeGroups\": [ \"USERGROUP4\" ], \"includeRoles\": [], \"excludeRoles\": [] }, \"userRiskLevels\": [], \"signInRiskLevels\": [], \"clientAppTypes\": [ \"all\" ], \"servicePrincipalRiskLevels\": [] }, \"grantControls\": { \"operator\": \"OR\", \"builtInControls\": [ \"mfa\" ], \"customAuthenticationFactors\": [], \"termsOfUse\": [] }, \"sessionControls\": { \"cloudAppSecurity\": { \"cloudAppSecurityType\": \"block\", \"isEnabled\": true }, \"signInFrequency\": { \"value\": 2, \"type\": \"hours\", \"authenticationType\": \"primaryAndSecondaryAuthentication\", \"frequencyInterval\": \"timeBased\", \"isEnabled\": true } } }" ``` data emulation above ```   The above search gives KeyName New Value Old Value conditions.users.excludeGroups{} ["USERGROUP4"] [] conditions.users.includeGroups{} ["USERGROUP1","USERGROUP2","USERGROUP3"] ["USERGROUP1","USERGROUP2"] displayName ANY DISPLAY NAME 1 ANY DISPLAY NAME modifiedDateTime 2025-02-06T10:30:40.0351794+00:00 2025-02-05T10:30:40.0351794+00:00 name json2 Json1 sessionControls.cloudAppSecurity.cloudAppSecurityType block monitor sessionControls.signInFrequency.value 2 1 For the life of me I cannot figure where does ModifiedDateTime differ.  They look identical to me. We can go more semantic with SPL but as you want the {} notation intact, this is perhaps the most direct. ... View more