Check the answer by veganjay here: https://answers.splunk.com/answers/129773/advice-for-when-you-have-more-than-100-automatically-extracted-fields.html It worked for me. ... View more

I think earliest and latest should be enclosed in $ since they are tokens. I've used a similar piece of code and that worked for me. ... View more

You can edit/create alert_actions.conf and make changes to the options under [email] stanza. http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Alertactionsconf ... View more

<input type="time" searchWhenChanged="true"> <label></label> <default> <earliest>-7d@w0</earliest> <latest>@w0</latest> </default> <change> <condition match="isnum($earliest$) OR isnum($latest$)"> <eval token="sel_time">tostring(($latest$-$earliest$)/60)+"m"</eval> </condition> <condition> <eval token="sel_time">tostring((relative_time(now(), $latest$)-relative_time(now(), $earliest$))/60)+"m"</eval> </condition> </change> </input> <panel> <table> <title>$sel_time$</title> <search> <query>index=_internal | head 1 |eval minutes=$sel_time|s$ , earliest=$earliest|s$, latest=$latest|s$ | table earliest, latest, minutes</query> <earliest>$earliest$</earliest> <latest>$earliest$</latest> </search> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="drilldown">row</option> <option name="dataOverlayMode">none</option> <option name="count">10</option> </table> </panel> This will create a new token,sel_time, which calculates the minutes contained in the time range. Time picker gives you earliest and latest tokens in epoch/Unix timestamp ( if you select date range or specify date/time explicilty) or in string format like "-7d@w0" (if you select relative time range presets). Logic: sel_time token is set based on the type of earliest and latest. If both are numeric, sel_time token is the difference between the epoch provided by the latest and earliest tokens of your time picker input divided by 60. For all other cases, latest and earliest tokens are converted to epoch and the difference in seconds is divided by 60 and stored in sel_time token. In your question: 3. use the token inside a custom time frame ex: 7d-$sel_time$, your $sel_time$ should have m at the end to specify that the value given by $sel_time$ is in minutes. Here the string conversion and the concatenation of "m" at the end is done so sel_time token can be used along with relative time presets without modification. ... View more

Query = ..... | eval zip=mvzip(splunk_column_name, actual_column_name) |mvexpand zip |rex field=zip "(?<splunk_column_name>[^,]+),(?<actual_column_name>[^,]+)" | fields - zip |eval zip=mvzip(splunk_column_name,actual_column_name) |foreach field* [eval x<<MATCHSTR>>=if(match(zip,"^<<FIELD>>"),replace(zip,"^.*,",""),'')] | foreach field* [eval {x<<MATCHSTR>>}=<<FIELD>> | fields - x<<MATCHSTR>>,zip] | stats values(*) by ***[list of fields] *** | rename values(*) AS * splunk_column_name is a multivalued field containing the list of field names (field1, field2, field3,..) actual_column_name is a multivalued field containing the list of actual field names ( 1. for event_type_id="download" , you have filename, bytes ... 2. for event_type_id="client_error" , you have error_code, description .... ) | eval zip=mvzip(splunk_column_name, actual_column_name) |mvexpand zip |rex field=zip "(?<splunk_column_name>[^,]+),(?<actual_column_name>[^,]+)" | fields - zip |eval zip=mvzip(splunk_column_name,actual_column_name) This part of the query expands the multivalued fields splunk_column_name, actual_column_name and creates a new field named zip which contains these the values in these two fields combined. |foreach field* [eval x<<MATCHSTR>>=if(match(zip,"^<<FIELD>>"),replace(zip,"^.*,",""),'')] This part of the query creates new fields x1, x2, x3 .... (x1 contains the column names for field1, x2 for field2 ......) You will get something like this Timestamp,event_type_id,field1,field2,splunk_field_name,actual_field_name,zip,x1,x2 3/20/16 12:00:00.000 AM,download,file1,30,field1,filename,"field1,filename",filename, 3/20/16 12:00:00.000 AM,download,file1,30,field2,size in bytes,"field2,size in bytes",,size in bytes 3/20/16 12:00:00.000 AM,client_error,404,Not Found,field1,error_code,"field1,error_code",error_code, 3/20/16 12:00:00.000 AM,client_error,404,Not Found,field2,description,"field2,description",,description | foreach field* [eval {x<<MATCHSTR>>}=<<FIELD>> Creates new fields with the names of fields as retrieved from x1, x2 ,... and takes value from field1, field2,... Timestamp,event_type_id,filename,size in bytes,error_code,description 3/20/16 12:00:00.000 AM,download,file1 ,,, 3/20/16 12:00:00.000 AM,download,,30,, 3/20/16 12:00:00.000 AM,client_error,,,404, 3/20/16 12:00:00.000 AM,client_error,,,,Not Found | fields - x<<MATCHSTR>>,zip] | stats values(*) by ***[list of fields] *** | rename values(*) AS * Removes x1, x2, x3 .... , zip and use stats to get values for all fields for a particular event in one row. Timestamp,event_type_id,filename,size in bytes,error_code,description 3/20/16 12:00:00.000 AM,download,file1,30,, 3/20/16 12:00:00.000 AM,client_error,,,404,NotFound ... View more

You can edit the alert_actions.conf (etc/system/local) pdf.footer_enabled = 1 pdf.header_enabled = 1 pdf.header_left = pdf.header_center = description pdf.header_right = pdf.footer_left = logo pdf.footer_center = title pdf.footer_right = timestamp,pagination ... View more