Outstanding - that does exactly what I wanted. Thank you very much! That really is some advanced stuff. Also, I hadn't seen an asterisk used in the table command before. ... View more

lookup does not, but you may be able to achieve what you're looking for by using a KV Store instead. See this link for configuring a KV Store from a CSV file: http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/ConfigureKVstorelookups And see this link for examples of using a where clause with the KV Store (in the "Filters and queries" section): http://dev.splunk.com/view/SP-CAAAEZH ... View more

Are you trying to achieve something like this? I only have two dropdowns in my example, but the key is the link statement in the drilldown for the single value: <form> <label>Dashboard - Link to second dashboard</label> <fieldset submitButton="false"> <input type="dropdown" token="field1"> <choice value="1">Choice 1</choice> <choice value="2">Choice 2</choice> <choice value="3">Choice 3</choice> <default>1</default> </input> <input type="dropdown" token="field2"> <choice value="1">Choice 1</choice> <choice value="2">Choice 2</choice> <choice value="3">Choice 3</choice> <default>1</default> </input> </fieldset> <row> <panel> <single> <search> <query>index=_audit | stats count</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <drilldown> <link>/app/sandbox/second_dashboard?field1=$field1$&amp;field2=$field2$</link> </drilldown> </single> </panel> </row> </form> Then in the "receiving" or low level dashboard, you should be able to reference the tokens passed on the query string: <dashboard> <label>Second Dashboard</label> <row> <html> <div> Field 1: $field1$<br/> Field 2: $field2$ </div> </html> </row> </dashboard> ... View more

Thank you - I used custom JavaScript to solve a similar issue previously, but your question made me reconsider whether there was a way to do it purely with SPL. ... View more

Based on your example, you should be able to set the width and height using jQuery: $('input5-input').css('width','400px'); $('input5-input').css('height','300px'); or CSS: input#input5-input { width: 400px; height: 300px; } ... View more

If you're talking about embedding the PHP page inside your dashboard, you should be able to do that with a iFrame tag like this: <row> <panel> <title>Panel 1</title> <html> <iframe src="http://www.google.com" width="100%" height="500" frameborder="0" /> </html> </panel> </row> ... View more

This will require JavaScript, and below is some code I just tested out: In your dashboard XML, add a script attribute to your form or dashboard tag: <form script="yourjavascript.js"> and add an id attribute to your text field: <input type="text" token="yourtoken" id="yourfieldid"></input> Create yourjavascript.js in the following directory (create the subfolders if they don't already exist): $SPLUNK_HOME\etc\apps\<yourapp>\appserver\static and add the following code: require([ "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function(mvc) { $('button').on("click", function(e) { // find text field with id starting with yourfieldid $('[id^=yourfieldid]:text').val('') }); }); Restart Splunk for the new JavaScript file to be recognized. My example assumes that there is only one button on your dashboard. ... View more

I am running Splunk 6.3.3, and my setup.xml looks like the following and doesn't prompt me to re-enter previously entered credentials: <block title="Add Account Info" endpoint="storage/passwords" entity="_new"> <input field="name"> <label>Username</label> <type>text</type> </input> <input field="password"> <label>Password</label> <type>password</type> </input> </block> I wonder if there is a discrepancy in either your endpoint or entity value. ... View more

That looks perfect - he would just need to add | sort parent Version before the stats clause if he wants the order to be identical to his first example, but otherwise this is an elegant solution. ... View more

Can you try single-quotes in your eval statements instead of double-quotes? ... View more

If I understand correctly, make a copy of $SPLUNK_HOME\etc\apps\<your app>\default\data\ui\nav\default.xml and place it in $SPLUNK_HOME$\etc\apps\<your app>\local\data\ui\nav\default.xml (You may need to create the local folder structure if it doesn't already exist.) Then, you can edit your local copy of default.xml. You can either comment out or remove entirely the following line: <view name="search" default='true' /> Restart Splunk and you should no longer see Search in the top nav. ... View more

What mode are you searching in? (See the dropdown list on the right under the search icon.) Interesting fields do not show up in Fast Mode - they only show up in Smart or Verbose Mode. I'm not sure if there's a way to make them show up by default. ... View more