Have you tried? |tstats summariesonly=true count from datamodel=Authentication by _time,Authentication.tag,Authentication.user span=60m ... View more

Hi @andrewtrobec, You can listen on the token change event to know if dropdown value changed. To listen the change: require([ "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function (mvc) { // get default token model var tokens = mvc.Components.getInstance("default"); tokens.on("change:tok_input", function(model, value) { console.log("Dropdown value changed: " + String(value)); }); }); Reference: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEW4 ... View more

Hi @denzelchung, I think what you should do instead is have a separate token for each search. For understanding: Let's say search1 sets token1 to true when it is done executing so and so for search2 and search3 . And also after setting these tokens on search:done you also check for a condition that will set your token done if and only if each token for each search is set. The condition can be like if token1=true and token2=true and token3=true then set token done . This condition should be there for each search so whichever search is executed last will have this condition satisfy to true and will set your token done . For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28form_input.29 Cheers, Harsh ... View more

Hi @nick405060 , Can you try this and tell me if this is what you are trying to get. I think your on click event handler is getting called every time but you are setting the value to true in each case which is not toggling the token value. require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function ($, mvc) { // get default token model var tokens = mvc.Components.get("default"); // set default value for token tokens.set("clicked", "false"); $("#btn-submit").on("click", function () { console.log("changing token value from " + tokens.get("clicked") + " to " + (tokens.get("clicked")=="true" ? "false" : "true")); // toggle token value tokens.set("clicked", tokens.get("clicked")=="true" ? "false" : "true"); }); }); ... View more

Hi @snigdhasaxena, You have to set timerange to be the token in the panel's options. Click on the edit search button at top right of the panel Under timerange select your shared token timerange ... View more

Hi @AshimaE, try this on your data (please ignore till | eval _raw="[{\"name\":\"planning\",\"confidence\":0.98},{\"name\":\"sales\",\"confidence\":0.12}]" ) : | makeresults count=1 | eval _raw="[{\"name\":\"planning\",\"confidence\":0.98},{\"name\":\"sales\",\"confidence\":0.12}]" | spath | eval all_fields=mvzip('{}.name', '{}.confidence', ",") | fields all_fields | mvexpand all_fields | makemv delim="," all_fields | eval name=mvindex(all_fields, 0) | eval confidence=mvindex(all_fields, 1) | table name, confidence This will process your JSON array to table in Splunk which will be easy to process later on. If you have all of your events in one single event as JSON array then I would recommend splitting it into one single JSON object and ingest. Because parsing at search will reduce the performance of your search. Hope this helps 🙂 ... View more