Version 1.9.0 of Event Timeline Viz is up on Splunkbase now: https://splunkbase.splunk.com/app/4370   Added support for different locales, based on what you've set in Splunk. Supported locales: English, Italian, Dutch, German, French Note that tooltips and example dashboards will still appear in English. Fixed bug where the time shown on the visualization was reflecting the time zone of the client OS, not the user preference set in Splunk. Fixed bug with the 'Disable Zoom' option where zoom could still be enabled when it was set to false. ... View more

Hi @ianthomas, Looks like that is a bug - I've never noticed it because my computer and Splunk time zones have always been in sync. The issue comes because the "now" time is generated via JavaScript, and so it obeys the time zone of the local PC. I can make a tweak to ensure that the time zone set by Splunk is used to generate "now".   I'll let you know when I've posted an update to the app on Splunkbase. Cheers. Daniel   ... View more

Hi @SureshkumarD, I tried out your code - the rows aren't showing up as links because of the table formatting / row color setting. Remove this line from your code: "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",   That is causing the "link" effect on the clickable rows to disappear. Here's the full viz code: "visualizations": { "viz_qFxEKJ3l": { "type": "splunk.table", "options": { "count": 5000, "dataOverlayMode": "none", "drilldown": "none", "backgroundColor": "#FAF9F6", "tableFormat": { "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)", "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)", "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)" }, "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "$row.URL.value|n$", "newTab": true } } ],  Give that a go on your dashboard. ... View more

Hi @SureshkumarD, To get the drilldown working from a field in a table you can use the drilldown options: "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "$row.URL.value|n$", "newTab": true } } ]   You can set that up in the UI with the following:   ... View more

Hi @sumarri, I created a dummy search to mock up your data, and created a lookup with 104,000 entries: | makeresults count=140000 | streamstats count as id | eval account="account" . substr("000000000".tostring(id),-6), keep="true" | table account, keep | outputlookup "accounts_to_keep.csv" This will be our lookup file, replicating what you have in your lookup. It has the account ID and a "keep" field, and that's it.   Next, I created a dummy search to generate a bunch of data, with accounts we don't care about and the 104,000 we do care about: | makeresults count=200000 | streamstats count as id | eval account="account" . substr("000000000".tostring(id),-6) | eval data=random()%10000, label="whatever", _time=relative_time(now(), "-" + tostring(random()%1000) + "m") | table account, data, label, _time   To use the lookup to identify the accounts we want to keep you can use this SPL: | inputlookup accounts_to_keep.csv append=t ``` use eventstats if stats messes up your data | eventstats values(keep) as keep by account ``` | stats values(*) as * by account | search keep="true" | fields - keep This add the contents of the lookup to the results (append=t) Then we use stats to combine the keep field with the events in the search If this messes up your data, you can run eventstats instead, but that may run into memory issues with massive result sets. Finally, we search for all the events where the keep field is set to "true" Depending on how big your lookup gets, you may want to make the lookup a KV store collection. ... View more

Hi @ejwade, I'm with @bowesmana on this - I don't think it's possible to run | collect with multiple index locations. You could do this instead: | makeresults count=2 | streamstats count | eval index = case(count=1, "myindex1", count=2, "myindex2") | appendpipe[| search index="myindex1"| collect index=myindex1] | appendpipe[| search index="myindex2"| collect index=myindex2] You will need an appendpipe command for each index you want to export to, but you should know the destination indexes in advance anyway. ... View more

Hi @PATAN, With Dashboard Studio, you can either dynamically color the text OR the background - as far as I know, you can't do both. You could achieve this effect a couple of ways though - create two visualisation panels, one for Dropped, and one for NotDropped, and make them show/hide depending on the value of the token.   Another option (if you are using Absolute mode) is to put a square behind the single value box which colors itself based on the token, and the single value changes the text color based on the token (with a transparent background). Here's some example code: { "visualizations": { "viz_UVeH0JP5": { "type": "splunk.singlevalue", "dataSources": { "primary": "ds_VyZ1EWbM" }, "options": { "majorColor": "> majorValue | matchValue(majorColorEditorConfig)", "backgroundColor": "transparent" }, "context": { "majorColorEditorConfig": [ { "match": "NotDropped", "value": "#2f8811" } ] } }, "viz_eKO2ikid": { "type": "splunk.rectangle", "options": { "fillColor": "> fillDataValue | rangeValue(fillColorEditorConfig)", "rx": 10, "strokeColor": "> strokeDataValue | matchValue(strokeColorEditorConfig)" }, "context": { "fillColorEditorConfig": [ { "value": "#171d21", "to": 100 }, { "value": "#088F44", "from": 100 } ], "fillDataValue": "> primary | seriesByType(\"number\") | lastPoint()", "strokeDataValue": "> primary | seriesByType(\"number\") | lastPoint()", "strokeColorEditorConfig": [ { "match": "Dropped", "value": "#D41F1F" }, { "match": "NotDropped", "value": "#d97a0d" } ] }, "dataSources": { "primary": "ds_dSLmtNBD" } } }, "dataSources": { "ds_VyZ1EWbM": { "type": "ds.search", "options": { "query": "| makeresults\n| eval value=\"$status$\"\n| table value" }, "name": "dummy_search" }, "ds_dSLmtNBD": { "type": "ds.search", "options": { "query": "| makeresults\n| eval value=if(\"$status$\"=\"Dropped\",100,0)\n| table value" }, "name": "background" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-24h@h,now" }, "title": "Global Time Range" }, "input_I2IoVEpX": { "options": { "items": [ { "label": "Dropped", "value": "Dropped" }, { "label": "Not Dropped", "value": "NotDropped" } ], "token": "status", "selectFirstSearchResult": true }, "title": "Dropdown Input Title", "type": "input.dropdown" } }, "layout": { "type": "absolute", "options": { "width": 1440, "height": 960, "display": "auto" }, "structure": [ { "item": "viz_eKO2ikid", "type": "block", "position": { "x": 610, "y": 180, "w": 250, "h": 130 } }, { "item": "input_I2IoVEpX", "type": "input", "position": { "x": 630, "y": 70, "w": 198, "h": 82 } }, { "item": "viz_UVeH0JP5", "type": "block", "position": { "x": 610, "y": 180, "w": 250, "h": 130 } } ], "globalInputs": [ "input_global_trp" ] }, "description": "", "title": "colors" }     ... View more

@alfredoh14,   Here's some SPL that gives you a table with the app name, short name, and SQL: | makeresults count=3 | streamstats count as id | eval sql=case(id=1,"'' as \"FIELD\",''Missing Value'' AS \"ERROR\" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK", id=2,"'' as \"something \",''Missing Value'' AS \"ERROR\" from ART_owner.ART_LOAD_CLOB_DATA_WORK", id=3, "from Building_Mailer_owner.Building_Mailer_") | fields sql ``` The above was just to create the source data ``` | rex field="sql" "from\s+(?<lk_wlc_app_short>.+?)_owner" | lookup lookup_weblogic_app lk_wlc_app_short | table lk_wlc_app_short, lk_wlc_app_name, sql   The regular expression pulls out the table name in the SQL, eg "from XXXX_owner", and uses the short code to match the app name from the lookup. To make the lookup work, you will need to ensure that the matches are NOT case sensitive, or make sure your lookup fields match what is in the SQL.   ... View more

hi @Elupt01, You can update the navigation menu to include links to all of you dashboards. If you go to:  Settings > User Interface > Navigation Menus > default You will see a text box where you can put in XML to define your navigation. There are a few ways to show items. Note: DASHBOARD_NAME refers to the name of the dashboard as seen in the URL, not the title. To link a single dashboard on the main navigation bar use this format: <view name="DASHBOARD_NAME" />   To create a dropdown with a bunch of dashboards, use this format: <collection label="Team Dashboards"> <view name="DASHBOARD_NAME_1" /> <view name="DASHBOARD_NAME_2" /> <view name="DASHBOARD_NAME_3" /> </collection>   If you want the dashboards to be automatically added to the menu when you create them, use this format: <collection label="Team Dashboards"> <view source="unclassified" /> </collection> The "unclassified" here means it will list all dashboards not explicitly mentioned in the navigation menu.   There are a few other tricks you can do, like using URLs as menu links: <a href="https://company.intranet.com" target="_blank">Team Intranet Page</a>   Have a look at the dev docs for more detailed info: https://dev.splunk.com/enterprise/reference/dashboardnav/ ... View more

Hi @davilov, Here's a way I've found to hide/show a panel based on a dropdown. It depends on 3 steps: Define a dropdown with options for each panel you'd like to show/hide, in this example I've called the token "show_panel", and we choose to show/hide two panels or show them all. Set your panel visualisations to hide when there is no data, under the "Visibility" setting:   Update the searches for your visualisations to compare a known string (i.e. the possible token values) to the current token value:   ``` I only want to show this panel if we have selected "Bar Chart" from the drop down:``` | eval _show="Bar Chart" | search _show="$show_panel$" | fields - _show​   You can get a bit fancier by creating chain searches to compare the text so that the search doesn't rerun every time you change the dropdown.   Here's a sample dashboard:   { "visualizations": { "viz_QNQd730H": { "type": "splunk.table", "title": "Table of data", "dataSources": { "primary": "ds_BGrBVi8Q" }, "hideWhenNoData": true }, "viz_JM2qhOeK": { "type": "splunk.bar", "title": "Bar Chart", "dataSources": { "primary": "ds_KD6bNQc9" }, "options": { "xAxisTitleText": "Time", "xAxisLineVisibility": "show", "yAxisTitleText": "Score", "yAxisLineVisibility": "show", "yAxisMajorTickVisibility": "show", "yAxisMinorTickVisibility": "show" }, "hideWhenNoData": true } }, "dataSources": { "ds_BGrBVi8Q": { "type": "ds.search", "options": { "query": "| windbag\n| table source, sample, position\n| eval _show=\"Table\"\n| search _show=\"$show_panel$\"\n| fields - _show" }, "name": "table_search" }, "ds_KD6bNQc9": { "type": "ds.search", "options": { "query": "| gentimes start=-7\n| eval score=random()%500\n| eval _time = starttime\n| timechart avg(score) as score\n| eval _show=\"Bar Chart\"\n| search _show=\"$show_panel$\"\n| fields - _show" }, "name": "barchart" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-24h@h,now" }, "title": "Global Time Range" }, "input_hs0qamAf": { "options": { "items": [ { "label": "All", "value": "*" }, { "label": "Bar Chart", "value": "Bar Chart" }, { "label": "Table", "value": "Table" } ], "defaultValue": "*", "token": "show_panel" }, "title": "Choose you panel", "type": "input.dropdown" } }, "layout": { "type": "grid", "options": { "width": 1440, "height": 960 }, "structure": [ { "item": "viz_QNQd730H", "type": "block", "position": { "x": 0, "y": 0, "w": 720, "h": 400 } }, { "item": "viz_JM2qhOeK", "type": "block", "position": { "x": 720, "y": 0, "w": 720, "h": 400 } } ], "globalInputs": [ "input_global_trp", "input_hs0qamAf" ] }, "description": "https://community.splunk.com/t5/Dashboards-Visualizations/Conditionally-show-hide-panels-based-on-dropdown-selection-in/m-p/686803#M56222", "title": "Splunk Answers Post" }     ... View more

Your best bet to switch from a chart to a table is to show/hide pre-built panels using tokens.  Tables have different options in the XML code - e.g. column formatting, coloring, drill-downs, highlighting when the mouse hovers. None of these options are relevant for a chart visualization type. The main reason you can't use tokens to change from a chart to a table vis is that the charts use a <chart> tag, while the table vis uses a <table> tag. Simple XML doesn't support using tokens to set XML tags in the dashboard code like that. The cleanest way, in my opinion, is to have hidden panels that you switch between using tokens. ... View more

Hi @GaryZ, As far as I understand, this is not possible with dashboard studio so the best solution would be to have both charts there, but only one displaying depending on the token. However, you can do it with Classic Dashboards (i.e. simple XML dashboards). Here's an example:   <form version="1.1" theme="light"> <label>Splunk answers</label> <fieldset submitButton="false"> <input type="dropdown" token="chart" searchWhenChanged="true"> <label>Chart Style</label> <choice value="line">Line Chart</choice> <choice value="column">Bar Chart</choice> <default>line</default> <initialValue>line</initialValue> </input> </fieldset> <row> <panel> <title>Chart</title> <chart> <search> <query>| gentimes start=-20 | eval sample=random()%100 | eval _time = starttime | timechart span=1d max(sample) as value</query> <earliest>-20d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.chart">$chart$</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form>   The trick here is to create a token with the value of the chart you'd like to show ("line" or "column") and then use that token in the XML:   <option name="charting.chart">$chart$</option>     This might get annoying to develop though, as you can't edit the chart while this value is set. You can always change it while editing and then change it back when you're done.       ... View more

안녕하세요 릴리, 두 차트는 사용된 시간 범위로 인해 다르게 나타납니다. 첫 번째 차트는 데이터가 있는 경우에만 차트에 선을 표시하는 Splunk 검색에서 가져온 것입니다. 두 번째 차트는 데이터가 없더라도 "전체 기간"에 대한 타임라인을 표시하는 Dashboard Studio의 차트입니다. 차트 2를 차트 1처럼 보이게 하려면 데이터와 일치하도록 시간 범위를 설정하면 됩니다.       데이터와 일치하도록 시간 범위를 설정하면:   (저는 한국어를 잘 못해서 번역기를 사용해야 했어요.) ... View more

@NoIdea, There are different namespaces for tokens - default, submitted, and environment. You're running into the issue because you're using the "default" tokens. These are the ones we normally  use as they are updated on the fly, whereas the submitted tokens are only updated after clicking the submit button. You can refer to these tokens using the namespace followed by a colon, eg: Default: $tok1$ Submitted: $submitted:tok1$ I've tried to understand the values you've put for the tokens and made an alternative dashboard showing the use of submitted tokens: <form version="1.1" theme="light"> <label>answers</label> <fieldset submitButton="true" autoRun="false"> <input type="dropdown" token="tok1" searchWhenChanged="false"> <label>Tok1</label> <choice value="All">*</choice> <choice value="&quot; &quot;AND upper(STATUS)=upper('Active')&quot;">Y</choice> <choice value="&quot; &quot;AND upper(STATUS)=upper('Inactive')&quot;">N</choice> <prefix>Status="</prefix> <default>*</default> </input> <input type="text" token="tok2" searchWhenChanged="false"> <label>UserID</label> <default></default> <prefix> AND UserID=\"*" + upper(</prefix> <suffix>) + "*"</suffix> </input> </fieldset> <row> <panel id="table_1"> <html><h2>Using $$tok1$$</h2><table><tr><td><strong>$$tok1$$=</strong></td><td><textarea>$tok1$</textarea></td></tr><tr><td><strong>$$tok2$$=</strong></td><td><textarea>$tok2$</textarea></td></tr></table> <style>textarea{padding: 4px; font-size:16px;resize:none;width: 300px;border: 1px solid black;} div[id^="table"] td{border:1px solid black;padding: 4px;} div[id^="table"]{width: fit-content; } </style> </html> </panel> </row> <row> <panel id="table_2"> <html><h2>Using $$submitted:tok1$$</h2><table><tr><td><strong>$$submitted:tok1$$=</strong></td><td><textarea>$submitted:tok1$</textarea></td></tr><tr><td><strong>$$submitted:tok2$$=</strong></td><td><textarea>$submitted:tok2$</textarea></td></tr></table></html> </panel> </row> <row> <panel> <html><h2>The Search</h2>| search * $submitted:tok1$ $submitted:tok2$ </html> </panel> </row> </form> By putting your evals and conditionals directly into the values the form should work:   Hopefully that gets you closer to what you're after. There is another way to tackle this - but I don't quite understand your search. It's almost SPL but not quite. If the above isn't what you're after, can you explain your search a bit more? ... View more

I think I understand -  try this search to create a table with fields: _time, percentage and one or more columns based on the value calculated each hour: | gentimes start=-7 | eval sample=random()%100 | eval perc=random()%50 | rename starttime as _time | append[|makeresults | eval sample=100, perc=45| table _time, sample, perc] | timechart span=1d max(sample) as name, avg(perc) as "percentage" ``` Calculate how we name the fields based on the value of: name ``` | eval rename_field_to=if(name=100,"C","N/A") | eval "The Sample Yields {rename_field_to}" = name | fields - rename_field_to, name   This will create three or four columns: _time = time percentage = hourly average of the perc field The Sample Yields C  =  If the max for that hour was 100 The Sample Yields N/A = If the max for that hour was not 100 If you only want "The Sample Yields C" or nothing, then you can filter out with a | search name="C" after the timechart command. The main SPL is :  | eval "The Sample Yields {rename_field_to}" = name That will allow you to name a field using the value of another field.   If you want NA to simply be N/A then you can do a rename: | rename "The Sample Yields N/A" as "N/A" Is that closer to what you were after?       ... View more

Hi @joelsz, Using Splunk 9.1.0 I set up 3 dashboards: dash_a, dash_b, dash_c When you click a button it loads the corresponding dashboard, and that's all.  I've added some starter CSS to pretty up the buttons: <form version="1.1" theme="light"> <label>Dash_C</label> <fieldset submitButton="false"> <input id="linkToOtherDash" type="link" token="link_dash"> <label>View other Dashboard:</label> <choice value="dash_a">Dashboard 1 ↗</choice> <choice value="dash_b">Dashboard 2 ↗</choice> <choice value="dash_c">Dashboard 3 ↗</choice> <change> <condition value="dash_a"> <link target="_blank">/app/search/dash_a</link> </condition> <condition value="dash_b"> <link target="_blank">/app/search/dash_b</link> </condition> <condition value="dash_c"> <link target="_blank">/app/search/dash_c</link> </condition> </change> </input> </fieldset> <row><panel depends="$CSS$"><html><style> .splunk-linklist{ width:fit-content!important; } .splunk-linklist button{ min-width: 120px; } .splunk-linklist button span{ -webkit-box-pack: left; justify-content: left; -webkit-box-align: left; align-items: left; } .splunk-linklist button{ background-color: #dddddd82; margin: 4px 2px 0px 0px; transition: 0.3s; } .splunk-linklist button:hover { background-color: #007abd!important; color: white!important; } </style></html></panel> </row> </form> Note that if you click a button, then go back to the original dashboard and click edit then cancel, it will load the second dashboard again. If you want to avoid that then update the links and remove target="_blank" . ... View more

Hi @deepdive100., You can create the column name based on what the field "name" is set to using by: |makeresults |eval sample="100" |eval name=if(sample=100,"C",N/A) |timechart max(sample) by name This creates a table with columns: _time, C. If the values are less or more than 100, there'll be an additional column "N/A" If you have a dashboard and you want to pick which column is displayed, you could do something like: |makeresults |eval sample="100" |eval name=if(sample=100,"$DROPDOWN_TOKEN$",N/A) |timechart max(sample) by name And set up an input that sets the token $DROPDOWN_TOKEN$.   ... View more

Hi @Hemant93, Masking sensitive data is typically performed on the Heavy Forwarder / Indexer before it goes into the Splunk index. We can do that job with a props.conf file. [maskpii] SEDCMD-pii-dob = s/@dob=['"][^'"]+['"]/@dob='***MASKED***'/g SEDCMD-pii-ssn = s/@ssn=['"][^'"]+['"]/@ssn='***MASKED***'/g This file uses the maskpii sourcetype, and tells Splunk to change any dob or snn value to "***MASKED***". Put that props file on either the heavy forwarder or indexer (wherever your data is sent first) and restart Splunk. Using that file I ingested your sample data and here's the result:     ... View more

Hi @PaulaCom, Here's a way to convert your date to "Jan", "Feb" etc: strftime(date_field, format) see docs We can use the field Order_Date like this: eval month = strftime(strptime(Order_Date, "%d/%m/%Y"), "%b") That adds another step of converting the date to a unix timestamp, then converting that timestamp to the Month in english. Now that we have the month, we can make it a field by using special curly brackets: | eval {month} = Total That will create a field called "Jan" or "Feb" with the value of the total for sales. Here's the Search all together:   |makeresults | eval data="Account_No=\"123\", Total=\"15.00\", Order_Date=\"1/01/2023\"@@Account_No=\"123\", Total=\"35.00\", Order_Date=\"15/02/2023\"@@Account_No=\"123\", Total=\"45.00\", Order_Date=\"19/02/2023\"@@Account_No=\"456\", Total=\"15.00\", Order_Date=\"1/01/2023\"@@Account_No=\"456\", Total=\"50.00\", Order_Date=\"25/01/2023\"@@Account_No=\"456\", Total=\"10.00\", Order_Date=\"19/02/2023\"" | makemv data delim="@@" | mvexpand data | rename data as _raw | extract ``` The above just creates the test data``` | eval month = strftime(strptime(Order_Date, "%d/%m/%Y"), "%b") | stats sum(Total) as Total by Account_No, month | eval {month}=Total | fields - Total, month | stats sum(*) as * by Account_No | table Account_No, Ja*, Fe*,Ma*,Ap*,Ma*,Jun*, Jul*,Au*,Se*,Oc*,No*,De*  The last table bit at the end is so that the months are listed in the right order. The result is: Hopefully that gets you closer to what you were looking for.   Cheers, Daniel ... View more