@ITWhisperer  |search filed1=Enabled OR "Enabled" OR "Disabled" OR Disabled From the above search Enabled returns one row in search, "Enabled" in double quotes returns second row, Disabled returns third row and "Disabled" in double quotes returns fourth row. Field1---> dc(servers) Enabled--> 10 Enabled--> 3 Disabled-> 23 Disabled->6   ... View more

Hi @gcusello  I have moved the * to secondary dashboard. The token in the URL of the secondary dashboard is like this : ?selected_value=10.6.1%0D%0A In the secondary dashboard query comes like this, with * in the new line. | search "_version"="10.6.1 *" If i do not use *, no rows are getting displayed. I have to move the * next to 10.6.1 (| search "_version"="10.6.1*") , then the rows related to 10.6.1 are getting displayed, including 10.6.1, 10.6.12-105.x86_64,10.6.12-120.x86_64,10.6.13-111,10.6.13-111.x86_64 The carriage return in secondary dashboard query is causing the query to fail. I could not figure out from where the carriage return is coming from. Thank you. ... View more

Hi @gcusello  <drilldown> <link target="_blank">/app/app_name/server_list?selected_value=$click.value$&amp;location_tok2=$location_tok2$&amp;Cust_id=$Cust_id$</link> </drilldown>   Thank you. ... View more

Hi @gcusello  Version sum(Count) 1 30 2 8.8.0 3 3 10.2.2-1370.x86_64 2 4 10.5.1-1582.x86_64 1 5 10.5.5-106 28 6 10.5.5-106.x86_64 17 7 10.6.1 18 8 10.6.12-105.x86_64 19 9 10.6.12-120.x86_64 756 10 10.6.13-111 5 11 10.6.13-111.x86_64 1   ... View more

@gcusello                    In the target dashboard query comes like this, with * in the new line. | search "_version"=10.6.1 * If i do not use *, no rows is getting displayed. If i move the * next to 10.6.1 (10.6.1*) , then the rows related to 10.6.1 are getting displayed, including 10.6.1, 10.6.12-105.x86_64,10.6.12-120.x86_64,10.6.13-111,10.6.13-111.x86_64 ... View more

Hello @gcusello  Your query worked for me after changing it to append. I have one more problem. For drill-down, I can see the following token in the URL. selected_value=8.8.0%0D%0A* Here %0D%0A means a space. I just want to pass 8.8.0*, with out a space. The rtrim in source dashboard is unable to trim the space at the end of 8.8.0. Please suggest. Thank you ... View more

Hi @gcusello, sourcetype=abc index=123 | spath _url | search _url=US OR ASIA |spath "_US_ version" | stats dc(hostname) by  US_ version |rename US_ version as version |appendcols [search sourcetype=abc index=123 | spath _url | search _url=US OR ASIA |spath "_ASIA_ version" | stats dc(hostname) by  ASIA_ version |rename ASIA_ version as version ] | stats sum(dc(hostname)) by  version    Here i want the results of both US_version and ASIA_version. All the results int both the searches. But now the problem is ,its displaying only the common version numbers. Thank you. ... View more

Thank you Mr.Rich. This is my requirement. base search.. |search "_attributes.xxx.total" |stats dc(servername) by _attributes.xxx.total base search.. |search "_attributes.yyy.total" |stats dc(servername) by _attributes.yyy.total From these two searches i want a cobination like the below with a wild card. But it wouldn't work this way.Please suggest how to achieve it. base search.. |search "_attributes.*.total" |stats dc(servername) by _attributes.*.total   ... View more

Thank you for your reply. Is there anyway to forward only the data to splunk  that got generated after the latest event indexed in splunk.  ... View more

Hi richgalloway, Please find the actual problem below: With limit=0 in chart , the chart displays all the available values of taken_date in each row by hostname. The header will have the corresponding taken_date value for each column. But I would like to display 30 columns (limit=30) . Columns header should be in descending order of taken_date. Now unlimited columns are displayed from oldest of taken_date to the latest of the taken_date . Current search with problem: base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL So from the below query, i am trying to get 30 days older to latest value of taken_date in chart. Here the latest of taken_date can be a week old. The 30 days old date can six months old. The date&time functions which work only on _time and current time(now()) etc, would not work in this context. In the below query i am expecting the values from 30 days old of taken_date to latest of taken_date. 30 days old date is derived by substracting 30 days from latest of taken_date. latest of taken_date can be a week old,2 weeks old or any. base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | stats max(row1) as max_row1 by row1 hostname max(col1) as max_col1 by col1 | eval max_row1_30= max_row1-2629743 | eval max_col1_30= max_col1-2629743 | where row1 > max_row1_30 AND where col1 > max_col1_30 | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL Thank you. ... View more

Hi Roelof, Please find the actual problem below: With limit=0 in chart , the chart displays all the available values of taken_date in each row by hostname. The header will have the corresponding taken_date value for each column. But I would like to display 30 columns (limit=30) . Columns header should be in descending order of taken_date. Now unlimited columns are displayed from oldest of taken_date to the latest of the taken_date . Current search with problem: base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL So from the below query, i am trying to get 30 days older to latest value of taken_date in chart. Here the latest of taken_date can be a week old. The 30 days old date can six months old. The date&time functions which work only on _time and current time(now()) etc, would not work in this context. In the below query i am expecting the values from 30 days old of taken_date to latest of taken_date. 30 days old date is derived by substracting 30 days from latest of taken_date. latest of taken_date can be a week old,2 weeks old or any. base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | stats max(row1) as max_row1 by row1 hostname max(col1) as max_col1 by col1 | eval max_row1_30= max_row1-2629743 | eval max_col1_30= max_col1-2629743 | where row1 > max_row1_30 AND where col1 > max_col1_30 | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL Thank you. ... View more

Hi niketnilay, Please find the actual problem below: With limit=0 in chart , the chart displays all the available values of taken_date in each row by hostname. The header will have the corresponding taken_date value for each column. But I would like to display 30 columns (limit=30) . Columns header should be in descending order of taken_date. Now unlimited columns are displayed from oldest of taken_date to the latest of the taken_date . Current search with problem: base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL So from the below query, i am trying to get 30 days older to latest value of taken_date in chart. Here the latest of taken_date can be a week old. The 30 days old date can six months old. The date&time functions which work only on _time and current time(now()) etc, would not work in this context. In the below query i am expecting the values from 30 days old of taken_date to latest of taken_date. 30 days old date is derived by substracting 30 days from latest of taken_date. latest of taken_date can be a week old,2 weeks old or any. base search from JSON.. | eval row1=strptime(taken_date,"%b %d %Y %H:%M:%S:%3N%p") | eval col1=strptime(taken_date,"%b %d %Y %H:%M:%S") | stats max(row1) as max_row1 by row1 hostname max(col1) as max_col1 by col1 | eval max_row1_30= max_row1-2629743 | eval max_col1_30= max_col1-2629743 | where row1 > max_row1_30 AND where col1 > max_col1_30 | chart limit=0 values(row1) as date1 by hostname col1 | fillnull value=NULL Thank you. ... View more

Hi, Thank you for your reply. As shown in the image in my original post, i want to transform results from "PRESENT" to "DESIRED". There will will 100's of hostname and each hostname will be have date entries for 30 days. Each host can have date/time from same day and for the last 30 days needs to fetched and showed in the in "DESIRED" format. If a hostname has 45 dates for the last 30 days, then we need to generate 45 columns dynamically . Thank you. ... View more

Hi, Your query returns all the dates in header and all hotnames in one single long row. It wouldn't suit the requirement. As shown in the "DESIRED" image of the original message,i would like to have all hostname is first column and later followed by dates columns. The column header for dates should be like col1,col2,col3 etc generated dynamically based on count of dates. Thank you. ... View more

Each date value should come in a separate column as shown in the "DESIRED" image above. Your query is showing all the dates in once single column. Thank you. ... View more