Thanks, and sorry I was not clear enough. I want to do this with props and transforms so that the fields are reusable. ... View more

I know it has been a while since this question was asked but here is a simple xml dashboard that will show all the other dashboards in the app along with the descriptions and links to them. It is populated dynamically with a rest search. All you would need to do would be to edit the app nav to look something like the below example if you call the dashboard "overview". If you don't call it "overview" then change the first view element to whatever you named the dashboard. Specifically, it is looking for the name that is shown in the URL bar, not the editable label in the dashboard. Navigation <nav search_view="search"> <view name="overview" default="true" /> <view name="search" /> <view name="analytics_workspace" /> <view name="datasets" /> <view name="reports" /> <view name="alerts" /> <view name="dashboards" /> </nav>   Dashboard <dashboard version="1.1" theme="dark"> <label>Overview</label> <row id="cards"> <panel> <table> <search> <query>| rest /servicesNS/-/$env:app$/data/ui/views splunk_server=local | rename eai:acl.app as app | search isDashboard=1 app=$env:app$ title!=$env:page$ | table label description app title | sort label</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="count">100</option> <option name="drilldown">cell</option> <drilldown> <link target="_blank">/app/$row.app$/$row.title$</link> </drilldown> </table> </panel> </row> <row id="styles_row"> <panel> <html> <style> /* Hide the styles panel */ #styles_row { display: none; } /* Remove search tools (refresh, etc) */ .element-footer.dashboard-element-footer { display: none !important; } /* Remove hover background color */ #statistics .results-table tbody td.highlighted { background-color: #FAFAFA !important; } /* Remove hover background color dark mode */ .dashboard-panel[class*="dashboardPanel---pages-dark"] #statistics .results-table tbody td.highlighted { background-color: #31373B !important; } #statistics.results-table { padding: 10px; box-sizing: border-box !important; } /* Style the table to make it just a simple container element */ body table { width: 100% !important; min-width: 100% !important; display: block; box-sizing: border-box !important; border: none !important; -webkit-box-shadow: none !important; box-shadow: none !important; } [id^="cards"] table tbody td { font-family: Splunk Platform Sans,Proxima Nova,Roboto,Droid,Helvetica Neue,Helvetica,Arial,sans-serif !important; } /* Hide the table header */ thead { display: none; } /* Make the tbody a grid layout */ tbody { display: grid; grid-template-columns: 33% 33% 33%; box-sizing: border-box !important; column-gap: 10px; row-gap: 10px; border: none !important; } /* Bold the dashboard title */ tr td:nth-child(1) { font-weight: bold; } /* Make the card text black in light mode */ tr td:nth-child(2) { color: #000000 !important; } /* Make the card text white in dark mode */ .dashboard-panel[class*="dashboardPanel---pages-dark"] tr td:nth-child(2) { color: #FFFFFF !important; } /* Hide the 3rd (app) and 4th (title) columns */ tr td:nth-child(3), tr td:nth-child(4) { display: none; } /* Turn the table rows into cards */ tbody tr { border-radius: 5px; border: 1px solid #999999; padding: 10px; } tbody tr, tbody tr td { box-sizing: border-box !important; display: block; background: #FAFAFA !important; } .dashboard-panel[class*="dashboardPanel---pages-dark"] tbody tr, .dashboard-panel[class*="dashboardPanel---pages-dark"] tbody tr td { background: #31373B !important; } .table td { padding-top: 0 !important; padding-bottom: 0 !important; } </style> </html> </panel> </row> </dashboard>   ... View more

As of the time of writing this it is only available on single value, single value icon, and single radial visualizations. I very much would like to see them add it for line graph visualizations. ... View more

Couldn't you theoretically deploy an app with a scripted input that would make changes to files in etc/system/local? Not saying this is the best method because if it fails you could brick the forwarder, but I would think it is theoretically possible if there are no other means possible. ... View more

This is the new link to the documentation. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Configuredistributedsearch#Use_the_CLI ... View more

punct can be super helpful for trying to diagnose issues by looking at the kinds of events in your logs. I use this pretty regularly on Windows machines when there is an issue going on. index=wineventlog | stats latest(_raw) as _raw count by source, punct | sort - count   ... View more

Yes, if it can be done with stats that would be best. It is the Splunky way to do it. ... View more

Have you tried using a left (also called outer) join vs and inner join. An inner join will only give you data where the node_id appears in both sets of data. A left join will give you all the results from the base search joined where it matches in the sub search. ... View more

You can search the internal Splunk logs to see if there are any errors logged. If you run this what do you get? index=_internal sendemail sourcetype!=splunkd_ui_access sourcetype!=splunkd_remote_searches ERROR   ... View more

This is the beauty of using DNS CNames to reference all your Splunk servers in configuration. Ideally you don't put references to any physical names in your configs. That way when you switch servers you can build your new server along side your old server and then when you want to switch to a new servers you just flip the CName over to the new server. ... View more

I think this should work. You shouldn't need to include the host=* or sourcetype=* as every event has a host and sourcetype. |tstats count from datamodel={your data model} where index="es_web" AND {your data model}.action="blocked" by {your data model}.category |sort 5 -count ... View more

The event code description trimming is not turned on by default. You need to specifically turn it on in a local props.conf. ... View more

Your second stats will not work because after the first stats you only have the User ID and count fields. The info_max_time and info_min_time fields no longer exist. ... View more

There are a number of event codes that have static descriptions of the event in each iteration of the event. This page shows how to trim off the event descriptions on ingest. This can save a lot of data. https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration ... View more

Something like this should work. I called the lookup db_names.csv ... change that to whatever your actual lookup is named. Everything above the comment just emulates the data you gave. | makeresults count=1 | eval _raw="DatabaseName,Instance,CPUUtilization A,A1,10 A,A2,20 C,C1,40 C,C2,50 D,D,60" | multikv forceheader=1 | fields - _time, _raw, linecount ```^^^^ This emulates the data you gave ^^^^``` | eval inst_cpu=Instance+"#"+CPUUtilization | fields - Instance CPUUtilization | inputlookup db_names.csv append=true ```<-- change the lookup name here``` | stats list(inst_cpu) as inst_cpu by DatabaseName | mvexpand inst_cpu | eval Instance=mvindex(split(inst_cpu,"#"), 0) | eval CPUUtilization=mvindex(split(inst_cpu,"#"), 1) | fillnull value="NULL" Instance CPUUtilization | fields - inst_cpu     ... View more

You could do something like this. Imagine a lookup that looks like this. ip_lookup.csv ip 10.10.53.22 127.0.0.1 192.168.0.54     index=myindex ([| inputlookup ip_lookup.csv | stats values(eval("ip=\""+src_ip+"\"")) as search | eval search=mvjoin(search, " OR ")])   This produces ...   index=myindex (src_ip="10.10.53.22" OR src_ip="127.0.0.1" OR src_ip="192.168.0.54")   ... or ...   index=myindex ([| inputlookup ip_lookup.csv | stats values(eval("src_ip!=\""+ip+"\"")) as search | eval search=mvjoin(search, " AND ")])   This produces ...   index=myindex (src_ip!="10.10.53.22" AND src_ip!="127.0.0.1" AND src_ip!="192.168.0.54")     You could even just put the sub-search into a macro that references the lookup to make using it easier for reuse. An example would be like this. Macro name: my_ip_macro Macro definition:   [| inputlookup ip_lookup.csv | stats values(eval("src_ip=\""+ip+"\"")) as search | eval search=mvjoin(search, " OR ")]     Search using the macro:   index=myindex `my_ip_macro`     ... View more

What do you mean by pulling the _raw? Do you mean "pulling" as in removing _raw from the fields list? Are you using the collect command to add the events into another index? If you do and don't explicitly set a sourcetype then you will not incur a licensing hit for the data copied to the other index. ... View more