I basically have 3 KPIs that I want to do a search on search1 will be for yesterday and search 2 will be for some period in the past(note here it is just yesterday) Then I want to join them together based on a common field, in this case, it is Date My sample search is below: This is my sample search: | makeresults | eval data = " 1-Sep 657 34 35; 2-Sep 434 34 35; " | makemv delim=";" data | mvexpand data | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" | fields + Date kpi1 kpi2 kpi3 | fields - _time | search kpi1 = * |rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures" | join type=outer [ | makeresults | eval data = " 1-Sep 657 34 35; 2-Sep 434 34 35; " | makemv delim=";" data | mvexpand data | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1_d>\d+)\s+(?<kpi2_d>\d+)\s+(?<kpi3_d>\d+)" | fields + Date kpi1_d kpi2_d kpi3_d | fields - _time | search kpi1_d = * |rename kpi1_d as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times_d" | rename kpi2_d as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures_d" | rename kpi3_d as "Incoming Calls in Mobile Office Directions - Assignment Failures_d" ] My question is why are the field names not appearing across the top in the same order they are in the search, that is in search2? That is 1,2,3 in the search and then 1,2,3 from left to right in the table. It does this for the first search. But it changes the order for the second search. The picture below hopefully demonstrates this. Note: the names I am using are a bit cumbersome. The issue does not happen if I just use the kpi names kpi1,kpi2, and kpi3. So I am trying to understand why it does it for the names I have chosen. Note2: I can explicitly use the fields command to rearrange them but I would ideally like to not have to do this ... View more

How do I round only certain columns/fields ? below this | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)] will round all the fields to 2 decimal places. How do I do it for just fields that start with kpi I was thinking something like this, | foreach * [eval <<kpi*>>=round('<<kpi*>>',2)] but I think there might be more to it. Can you advise? sample data search: | makeresults | eval data = " 1-Sep 0 55.5555 57.7777; 2-Sep 0 56.6666 58.8888; " | makemv delim=";" data | mvexpand data | rex field=data "(?<Date>\d+-\w+)\s+(?<Other1>\d+)\s+(?<kpi2>\d+(\.\d+)?)\s+(?<kpi3>\d+(\.\d+)?)" | fields + Date Other1 kpi2 kpi3 | search Other1=* | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)] ... View more

I have a dashbaord with a number of panels. Some panels return results. Some don't — No results found. . Can I remove the panels that say No results found. ? I am thinking of some code or way of doing it dynamically or as the dashboard is drawn. Alternatively, I can just run the dashboard, note the ones to be removed and then remove them. Example of a No results found. panel in the dashboard. Possible related questions: https://answers.splunk.com/answers/79155/remove-empty-panels-after-a-search.html https://answers.splunk.com/answers/590872/how-can-i-showhide-panels-dynamically-with-tokens.html https://answers.splunk.com/answers/687286/in-a-splunk-dashboard-can-i-have-all-the-panels-in.html EDIT1 This is what I tried. The panel still shows saying no results found! . I want to hide or not display this. Any ideas? How does it work? Am I setting show_panel token the correct way? I am setting it inside the progress/condition tags. I presume that , once run, this sets the token show_panel , and this is then somehow passed to the depends="$show_panel$" , which determines if the panel is displayed or not. Is my understanding correct? <row depends="$show_panel$"> <panel> <title>Test 123 - I want to hide this as it results in - no results found!</title> <table> <search id="search_logic"> <query> index=core .... </query> <earliest>-60m@m</earliest> <latest>now</latest> <progress> <condition match="'job.resultCount' == 0"> <set token="show_panel">true</set> </condition> </progress> </search> </table> </panel> </row> EDIT2 This is the Splunk dashboard that that link refers to if I am not mistaken. I can't find what you are referring to, unless I am missing something. The other dashboard examples I can think of is Splunk 6.x Dashboard examples but I can't find the token reference in there either. EDIT3 This is the code from the example mentioned below in the quotes. and this works for me. But My follow on question is do you need 1 token per chart you want to do it on? Initially I am thinking yes. but may ask the question elsewhere. <dashboard> <label>Null Search Swapper - show_hide_panels_that_have_no_results_found</label> <description>show_hide_panels_that_have_no_results_found</description> <row> <panel> <title>Search Logic Based on Result Count</title> <input type="radio" token="index_switcher"> <label>Choose Index</label> <choice value="index=_internal">index=_internal</choice> <choice value="index=_null">index=_null</choice> <initialValue>index=_null</initialValue> </input> <search id="search_logic"> <query>$index_switcher$ | top sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> <!-- Progress event has access to job properties only --> <progress> <condition match="'job.resultCount' == 0"> <set token="show_html">foob</set> </condition> <condition> <unset token="show_html"/> </condition> </progress> </search> <chart rejects="$show_html$"> <title>Top sourcetypes for index=_internal</title> <search base="search_logic" /> <option name="charting.chart">bar</option> <option name="charting.legend.placement">none</option> </chart> <html depends="$show_html$"> <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p> </html> </panel> </row> </dashboard> ... View more