Just as a follow up. The reason for the large lookup files is because we have to run multiple dbxquery and dbxlookup commands to bring data in from multiple sources (hundreds of thousands of records). However, we now working with our DBAs to assist in writing more efficient queries that will join multiple tables/views. Hopefully, reducing the number and runtime for the queries. Thanks @bowesmana and @richgalloway for your help. God bless, Genesius ... View more

@richgalloway  I believe I might have confused the issue. When a lookup file is created with the | outputlookup command, it is available to be used with the | lookup command. When a lookup file is created with the | outputcsv command, it is not available to be used with the | lookup command. Both of my lookup files, abc.csv and xyz.csv, were created with the | outputcsv command. Therefore, the | lookup command cannot be used. This works. | inputlookup abc.csv | lookup xyz.csv field1 output field2 This does not. | inputcsv abc.csv | lookup xyz.csv field1 output field2 Thanks and God bless, Genesius ... View more

@richgalloway  A lookup file created using the | outputcsv command is not accessible to the | lookup command. Unless I missed it somewhere, when the | lookup command is run, Splunk looks for the whatever.csv file in the current applications lookups folder. /opt/splunk/etc/apps/search/lookups Where those created by the  | outputcsv command are in the /opt/splunk/var/run/splunk/csv folder. And the | lookup command has no way of knowing this. Thanks and God bless, Genesius ... View more

@Gr0und_Z3r0  Thank you. What is the complete tag syntax? Thanks and God bless, Genesius ... View more

TY @bowesmana  That is not the case. The searches for both dropdowns are the same inputlookup* file; one dropdown is one field, and the other is the other. But only one of the dropdowns has the filter box.  *Have to use inputlookup and not index because data is originating from dbconnect. The second dropdown (displays the filter box) is text. The first dropdown is a number (no filter box displayed). I converted to a string (added AAA in front of the number), but this did not work either. Each dropdown search includes one of these | search fieldA=$fieldA_from_other_dropdown$ | search fieldB=$fieldB_from_other_dropdown$ I also tried reversing the order of the dropdowns in the dashboard. But this did not fix the issue. Thanks for any guidance you can provide. God bless, Genesius ... View more

@PaulPanther  Apologies for the delay in replying. Priorities constantly shift where I work. I did not try with Example 1 because the cell color needs to change after the results from the search appear on the dashboard. They are not the result of an input (no token to be set). Concerning Example 2. Is user the column name where the string is to be found? Here is my code. I'm only using one color to match. Since every cell contains the string CPU the cell should be changed to that color. Once I know that works, then I can add other colors and other values for those colors. "viz_tiles_3": { "type": "splunk.table", "title": "Hyper-V Host Max Metrics - 3", "dataSources": { "primary": "ds_main_tiles" }, "options": { "hypervHostMaxMetrics": { "data": "> table | seriesByName(\"hypervHostMaxMetrics\") | formatByType(hypervHostMaxMetrics_ColumnFormatEditorConfig)", "rowColors": "> table | seriesByName('hypervHostMaxMetrics') | pick(hypervHostMaxMetrics_RowColorsEditorConfig)", "rowBackgroundColors": "> table | seriesByName(\"hypervHostMaxMetrics\") | matchValue(hypervHostMaxMetrics_RowBackgroundColorsEditorConfig)" } }, "context": { "hypervHostMaxMetrics_ColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "hypervHostMaxMetrics_RowColorsEditorConfig": [ "#b5b5b5" ], "hypervHostMaxMetrics_RowBackgroundColorsEditorConfig": [ { "match": "CPU", "value": "#5C33FF" } ], "someValue": "> primary | seriesByIndex(0) | lastPoint()" } } Thanks and God bless, Genesius         ... View more

@PaulPanther  Thank you. I will check these out and get back to you after the weekend. God bless, Genesius ... View more

@PaulPanther  In Studio, using a case statement in the SPL results with an additional value in the field. I use a case statement in Classic; however, this is within the format tags. No additional values. I could perhaps modify this value's font color to the color of the overall cell based on the case statement. Hmmm! Let me think about that one. Thanks and God bless, Genesius ... View more

@PaulPanther  Many questions. My code did not work.   "viz_qRFCeLJ6": { "type": "splunk.table", "options": { "columnFormat": { "Tags": { "rowBackgroundColors": "> table | seriesByName('hypervHostMaxMetrics') | matchValue(hypervHostMaxMetricsRowBackgroundColorsEditorConfig)" } } }, "context": { "hypervHostMaxMetricsRowBackgroundColorsEditorConfig": [ { "match": "*S1*", "value": "#1F4D5B" }, { "match": "*S2*", "value": "#D81E5B" } ] },   How do I search for wildcards? From my original post, the data will look something like this: HOST-S1-123456 CPU 30.0% W MEM 14.0% N NET 85.0% C Because hypervHostMaxMetrics contains at least 1 occurrence of % C, the background should be red. If there were no % C, but at least 1 occurrence of %W, the background should be orange. And if there are no occurrences of % C and no occurrences of % W, meaning there are 3 occurrences of % N, the background should be green. In the above-supplied code, I am using the S1 or S2 as these are in the HOST because there is only one occurrence of either of these per cell. Where the % C, W, N might have 1, 2, or 3 occurrences. troubleshooting wildcards and not the occurrences of the match. I am only using the json for rowBackgroundColors, rowColors, and countRowColorsEditorConfig pertaining to the string. The numeric color formatting is not required. In Classic I used the <format> tags to select the color based on the % C, W, or N using a case statement/command.   <format type="color" field="Hyper-V Host Max Metrics"> <colorPalette type="expression">case (match(value,"% C"), "#FF0000",match(value,"% W"), "#FFA500",match(value,"% N"), "#008000")</colorPalette> </format> ​   How do I do the same in DS? I changed match to matchValue as explained in the Selector and formatting functions page I referred to in the original post. But this did not work either. Thanks again for your help. God bless, Genesius ... View more

@PaulPanther  I'm going to show some love right now and hand out the karma. I will hopefully get a chance today to review and implement it, and mark as the resolution. Always something going on. As I told my staff this morning. " I didn't know, 😋 , we had a DS Examples app. Reel Cool!" Thanks and God bless, Genesius ... View more