I am getting my events from an xml file. In that xml file, there is tag which gives the BuildID of a software. For instance: <BuildID>SoftwareBuildVer.2.0.6</BuildID> . I have been able to extract the SoftwareBuildVer.2.0.6 as a BuildID field in Splunk using regex. I want to be able to use BuildID + DateTime of the file creation to uniquely identify the source in Splunk. I have been able to create a final field, BuildAndDate, which has values that looks like this: SoftwareBuildVer.2.0.6 March 22, 2018 12:05PM . I plan on using the values in this field in a dashboard dropdown menu so that when a user selects a particular BuildAndDate value from the dropdown, the source which contains that particular BuildID is returned, and a new dashboard is generated based on the newly determined source value. Here is my simple xml for the dashboard (changes in dropdown to use BuildAndDate field has not been added yet): <form> <label>XXXX_Dashboard</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="source_tok" searchWhenChanged="true"> <label>Selected BuildID/DateTime</label> <fieldForLabel>source</fieldForLabel> <fieldForValue>source</fieldForValue> <search> <query>| tstats max(_time) AS mostRecent where host=XXXX sourcetype=XXXX groupby source, sourcetype, host| sort -mostRecent | fields source | rex mode=sed field=source "s/(\\\)/\1\1\1/g"</query> <earliest>0</earliest> <latest></latest> </search> <prefix>source="</prefix> <suffix>"</suffix> </input> </fieldset> <row> <panel> <html depends="$alwaysHideCSSOverride$"> <style> .select2-container .select2-choice {width: 520px;} .select2-drop .select2-search {width: 528px; background-color: white;} .select2-drop .select2-results {width: 528px;} .select2-drop-active {width: 530px !important;} .select2-container-active {width: 530px !important;} .splunk-status-indicator { border-radius: 15px !important; border: 2px solid white; font-size: 10px !important; line-height: normal !important; white-space: normal !important; <!--word-spacing: 100vw !important;--> overflow-x: hidden !important; display: flex; justify-content: center; align-items: center; word-break: break-word; padding: 3px; } div.facet-label { visibility: hidden !important; } div.viz-facet { <!--border: 2px solid red !important;--> padding:0 !important; height: 30% !important; width: 5% !important; margin: 0 15px 15px 0 !important; } div.facets-container { <!--background-color: lightgrey;--> background-image: url("/static/app/status_indicator_app/images/arrow.png"); background-repeat: no-repeat; background-size: 100% 45%; margin-top: 55px; } </style> </html> </panel> </row> <row> <panel> <viz type="status_indicator_app.status_indicator"> <search> <query>host=XXXX index=XXXX $source_tok$ | eval NewTime=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N") | eval _time=NewTime | eventstats max(_time) AS latestScan by Description | where _time=latestScan | stats count by StepResult, Description | eval color=case(StepResult=="Passed","green",StepResult=="Skipped","gold", StepResult=="Failed","red") | eval StepResult = Description</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">none</option> <option name="height">275</option> <option name="refresh.display">progressbar</option> <option name="status_indicator_app.status_indicator.colorBy">field_value</option> <option name="status_indicator_app.status_indicator.fillTarget">background</option> <option name="status_indicator_app.status_indicator.fixIcon">check</option> <option name="status_indicator_app.status_indicator.icon">field_value</option> <option name="status_indicator_app.status_indicator.precision">0</option> <option name="status_indicator_app.status_indicator.showOption">1</option> <option name="status_indicator_app.status_indicator.staticColor">#555</option> <option name="status_indicator_app.status_indicator.useColors">true</option> <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="trellis.splitBy">Description</option> </viz> </panel> </row> </form> The dashboard currently works, but it directly makes use of the source in the dropdown. I want the BuildAndDate to be what shows up in the dropdown, and it should be used to determine the source which is then used to produce the new dashboard. The issue I am having is mapping the BuildAndDate to its source, and the source then displaying all events in the source based on that. RIght now, clicking on a BuildAndDate value only returns one event, i.e. one line in the xml file ( <BuildID>SoftwareBuildVer.2.0.6</BuildID> ) instead of returning all the events in the xml in which <BuildID>SoftwareBuildVer.2.0.6</BuildID> is contained in. This query produces the BuildAndDate field and value as expected: host=XXXX sourcetype=XXXX | eval mostRecent=strftime(_time, "%B %d, %Y %I:%M%p") | eval BuildAndDate = BuildID+" "+mostRecent | stats values(BuildAndDate ) as BuildAndDate Goal: Click on BuildAndDate value in dropdown and generate new dashboard via that selection. Any help would be appreciated. Thanks in advance. ... View more

I have multiple xml files which have been forwarded to Splunk from my machine. Each file has its own data which is used to create a dashboard using the Status Indicator app. My goal is have a centralized location in Splunk such that I can see all the files that have been forwarded to Splunk (a list) and when I click on each file in the list, it should take me to the dashboard unique to that specific file. Is there a way that this can be done in Splunk? Is there any place I can view the list of forwarded items in Splunk which can help me for this purpose? ... View more

I am making use of the Status Indicator App to create a dashboard which shows if steps in a process Passed, Skipped or Failed. I get my events from an xml file and I have been able to create the dashboard successfully with each step in the xml being reflected in the dashboard with their corresponding StepResult. I am trying to sort the order of events showing in the dashboard based on the timestamp gotten from each step in the xml. Using my search query, the events are sorted properly when viewed in the Events and Statistics tab, but when I use the same search query in the Status Indicator App for my dashboard, the events become ordered alphabetically instead of using the timestamp I have extracted (StartTime). Any idea why the sort stops working when I insert the same search query in the Status Indicator App dashboard? Here is my search query: host=XXXX index=XXXX | eval NewTime=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N") | eval _time=NewTime | eventstats max(_time) AS lastestScan by Description | where _time=lastestScan | stats count by StepResult, Description, _time| sort _time | eval color=case(StepResult=="Passed","green",StepResult=="Skipped","gold", StepResult=="Failed","red") | eval StepResult = Description Also, the colors for each step no longer show, but when I get rid of the _ time field in the stats command, the colors work again. Any assistance would be appreciated. Thanks in advance. ... View more

I have an XML file which is in this format: <?xml version="1.0"?> <EvaluateMethods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <DataCollectionMethods> <DataCollectionMethod Description="xxx" StepResult="Passed"> <Steps> <Step xsi:type="xxx" Description="Dataxxx" StepResult="Passed"> <Steps> <Step xsi:type="xxx" Description="Survey" StepResult="Passed" /> <Step xsi:type="xxx" Description="Analyze survey" StepResult="Passed" /> <Step xsi:type="xxx" Description="Extract data" StepResult="Skipped" /> <Step xsi:type="xxx" Description="Analyze data" StepResult="Passed" /> <Step xsi:type="xxx" Description="Combine data from various sources" StepResult="Passed" /> <Step xsi:type="xxx" Description="Deliver results" StepResult="Failed" /> <Step xsi:type="xxx" Description="Get feedback" StepResult="Passed" /> <Step xsi:type="xxx" Description="Process feedback" StepResult="Passed" /> <Step xsi:type="xxx" Description="Make improvements" StepResult="Passed" /> </Steps> </Step> </Steps> <Start>2022-09-05T99:64:73.0990042+22:00</Start> <Files /> </DataCollectionMethod> </DataCollectionMethods> </EvaluateMethods> There are no timestamps to the steps. After adding the file to splunk, the events (comprising of the Description and StepResult) appear in alphabetical order (using the Description) when I do a splunk search. How do I order the output of my search to appear in the same order they were in the XML file (i.e. how can I make the result of my search to be displayed step-by-step as contained in the XML file?)... Thanks ... View more