@chuck_life09    You can try something like this.   <form> <label>Input Text</label> <fieldset submitButton="false"> <input type="text" token="abc"> <label>My Value</label> <change> <condition match="$value$!=&quot;&quot;"> <set token="tmpAbc">$value$</set> </condition> <condition> <unset token="tmpAbc"></unset> </condition> </change> <prefix>NOT (</prefix> <suffix>)</suffix> </input> </fieldset> <row> <panel> <table> <title>Test $tmpAbc$</title> <search> <query>| makeresults | eval myVal="$tmpAbc$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> ... View more

@premranjithj    Can you please check your script by executing below command? Does it gives you expected OP or any error.     ./splunk cmd python /opt/splunk/etc/apps/search/bin/dockesd.py   ... View more

@Nichiket    You can try something like this. Change values as per your requirement.    <setup> <block title="details" endpoint="configs/conf-indexes"> <input field="date"> <label>Date</label> <type>text</type> </input> <text> <![CDATA[ <script> var id="#\\/configs\\/conf-indexes\\/splunk_dashboard_metrics_summary_data\\/date_id"; //do inspect to get this Id. $(id)[0].type="time"; </script> ]]> </text> </block> </setup>   ... View more

@utk123 timechart command will work with _time field. Does your lookups has any date time column like host_created_date , etc... ? https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Timechart ... View more

Check answer on this link. https://community.splunk.com/t5/Archive/Are-there-any-Splunk-training-materials-for-new-users/td-p/248751 ... View more

@mkiran18    Can you please try this? | makeresults | eval event="{\"zip\": 67452,\"location\": \"NY\",\"author\": {\"book1\": {\"price\": 12},\"book2\": {\"price\": 11},\"book3\": {\"price\": 124},\"book4\": {\"price\": 122}}}|{\"zip\": 67453,\"location\": \"NY\",\"author\": {\"book1\": {\"price\": 12},\"book2\": {\"price\": 11},\"book3\": {\"price\": 124},\"book4\": {\"price\": 122}}}|{\"zip\": 67454,\"location\": \"CA\",\"author\": {\"book1\": {\"price\": 12},\"book3\": {\"price\": 124},\"book5\": {\"price\": 124}}}" | eval event=split(event,"|") | mvexpand event | rename event as _raw | kv | eval BookName_val="" | foreach author.*.price [ eval BookName_val= BookName_val+","+if(isnull('<<FIELD>>'),"","<<MATCHSTR>>|"+'<<FIELD>>'+"|"+zip+"|"+location)] | fields BookName_val | makemv delim="," BookName_val | mvexpand BookName_val | eval BookName = mvindex(split(BookName_val,"|"),0), price= mvindex(split(BookName_val,"|"),1), zip= mvindex(split(BookName_val,"|"),2), location= mvindex(split(BookName_val,"|"),3) | stats avg(price) as avg_price by BookName location zip | streamstats window=2 first(BookName) as pre_BookName count first(location) as pre_location | table count BookName pre_BookName location zip avg_price pre_location | eval Book= case(count==1,BookName,count>1 and BookName!=pre_BookName,BookName,1=1,"") | eval Loc= case(Book!="" OR count==1,location,count>1 and location!=pre_location,location,1=1,"") | table Book Loc zip avg_price ... View more