Hi, Is there any way to get all the values in the column from the lookup table to build the default choice option in the drop-down? I want to remove the hard-coded list of hosts in the default and populate it from the look up. I don't want to use static option with All=* as it may pull other host names when I will add the records in the lookup for other environment/location values. Can some one advise, please? <input type="multiselect" token="host" searchWhenChanged="true"> <label>VM Host</label> <prefix>host=</prefix> <delimiter> OR host=</delimiter> <search> <query>| inputlookup gw_host.csv | search environment=stage | dedup hostname | fields hostname</query> <earliest>-15m</earliest> <latest>now</latest> </search> <fieldForLabel>host</fieldForLabel> <fieldForValue>hostname</fieldForValue> <default>h101,h102,h103</default> </input> File: gw_host.csv location,environment,hostname 1,stage,h101 2,stage,h102 3,stage,h103 Thanks, AJ. ... View more

Hi there, Can someone help me with reading the tokenized string and assign the keys to each index retrieved. It is difficult for me as it is not key/value format to read. Log sample: CustomerService getPointDetails 6686 0x00000000 Successful Response 2 3 0 Louis/ST=Missouri/C=US PRODESB6_STL|18234799|180817043259896 SAML 0 0 I know which values is for what field in the sequence they appear in the logs. It does has space as a value too. I did tried below but since there are more than 20 fields I have to extracts, the query becomes very long and ugly and can cause performance too. index=app sourcetype = audit | eval tokenString=mvindex(split(mvindex(split(_raw,"gtid("),1),"): "),1) | eval temp=split(tokenString," ") | eval field0=mvindex(temp,0) | eval field1=mvindex(temp,1) I did check few regex option on web, that was also long query too. Please advise. Thanks, ... View more