Hi @kevin_larsson, Here's a dashboard you can use to get started: It has 2 dropdowns: Deployment Date - this just works out the past 7 days and lists them in MMM DD format (the token is in unix epoch format) Range - This is a list of +/- day ranges to spread out your search. The token is a number indicating the days to add or subtract from your date. Behind the scenes when you change one of the dropdowns there is an eval token that calculates the relative time difference between your selected time and the +/- range. <change> <eval token="earliest">relative_time($deployment_date$,"-" . $form.range$ . "d")</eval> <eval token="latest">relative_time($deployment_date$,"+" . $form.range$ . "d")</eval> </change> $deployment_date$ is the value for the Date dropdown, and $form.range$ is the value for the +/- dropdown. It would be easy enough to change the range to minutes, days, months etc. Here's the full code for the dashboard: <form version="1.1" theme="light"> <label>My Dashboard</label> <fieldset submitButton="false"> <input type="dropdown" token="deployment_date" searchWhenChanged="true"> <label>Deployment Date</label> <fieldForLabel>label</fieldForLabel> <fieldForValue>starttime</fieldForValue> <search> <query>|gentimes start=-7 | eval label = strftime(starttime,"%b %d") | reverse</query> <earliest>-1m@m</earliest> </search> <change> <eval token="earliest">relative_time($deployment_date$,"-" . $form.range$ . "d")</eval> <eval token="latest">relative_time($deployment_date$,"+" . $form.range$ . "d")</eval> </change> <selectFirstChoice>true</selectFirstChoice> </input> <input type="dropdown" token="range" searchWhenChanged="true"> <label>Range</label> <choice value="1">+/- 1 Day</choice> <choice value="2">+/- 2 Days</choice> <choice value="3">+/- 3 Days</choice> <choice value="4">+/- 4 Days</choice> <choice value="5">+/- 5 Days</choice> <default>1</default> <initialValue>1</initialValue> <change> <eval token="earliest">relative_time($form.deployment_date$,"-" . $form.range$ ."d")</eval> <eval token="latest">relative_time($form.deployment_date$,"+" . $form.range$ ."d")</eval> </change> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval earliest=$earliest|s$, latest=$latest|s$ | eval earliest_readable=strftime(earliest,"%Y-%m-%d"), latest_readable=strftime(latest,"%Y-%m-%d") | table earliest, earliest_readable, latest, latest_readable</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>   Cheers, Daniel ... View more

Hi @isxtn, There's probably going to be a few ways to tackle this - here's one that may work for you: | rex field=_raw "q=(?<q>.+?)(&|\\\u\d)" That breaks down like this: Create a field called "q" that uses up all characters until it sees either: an & or the literal string "\u" followed by a number This should match when things are correctly separated by an ampersand, but also if the ampersand is character encoded. The question mark after the .+ in the regex tells Splunk to not use greedy matching, so it will stop looking at the first "&" or "\u" that it sees. To avoid the "Regex: PCRE does not support \L, \l, \N{name}, \U, or \u" error, I've escaped both the backslash and the u character. Here's a test search to show  it in action: | makeresults | eval raw = "apple: honeycrisp ball: baseball car: Ferrari query: param1=val1&param2=val2&param3=val3&q=goodbye+cruel+world\\u0026param=val status: 200@apple: honeycrisp ball: baseball car: Ferrari query: param1=val1&param2=val2&param3=val3&q=goodbye+cruel+world&param=val status: 200" | makemv raw delim="@" | mvexpand raw | rename raw as _raw | rex field=_raw "q=(?<q>.+?)(&|\\\u\d)" | table _raw, q That results in: Cheers, Daniel ... View more

Well spotted!  I had a couple of variations, and left this in but you're right, the foreach isn't needed here. ... View more

Hi @SplunkGuru001, There is a paid-for product that integrates with Splunk and can do thick client synthetic monitoring called 2 Steps. You can set up monitoring to: Log into a desktop via RDP or Citrix Open an application Use the app - e.g. search, enter text, login (including 2 factor authentication) Close the app log out For each step you can see performance and availability stats, along with screenshots on error, and even videos of the process - all from within Splunk. It's all integrated into a Splunk app on Splunkbase: https://splunkbase.splunk.com/app/4546 Might be worth checking out.   Cheers, Daniel   ... View more

Alternatively, just run: | spath path="E2ETraceEvent.ApplicationData.TraceData.DataItem.TraceRecord.Description" output=description ... View more

Hi @DWRoelands, This may not be the most elegant, but to avoid regex you can use: | xpath outfield=description "/*[name()='E2ETraceEvent' and namespace-uri()='http://schemas.microsoft.com/2004/06/E2ETraceEvent' ]/*[name()='ApplicationData']/*[name()='TraceData']/*[name()='DataItem']/*[name()='TraceRecord']/*[name()='Description']" That creates a description field with the correct text: It does obey the namespace, but it's not the easiest to read. Falling back to regex, if you run a sedcmd you can strip the namespaces and use your original xpath: | rex mode=sed "s/xmlns=\"[^\"]+\"//g" | xpath outfield=description "//E2ETraceEvent/ApplicationData/TraceData/DataItem/TraceRecord/Description" Cheers, Daniel       ... View more

Hi @roopeshetty, Try this props: [ confluent_kafka_api ] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n])+confluent_kafka_ CHARSET=UTF-8 PREAMBLE_REGEX =^#.+$   The preamble_regex removes the comments from the data The line_breaker is set to a new line (in brackets) followed by the words "confluent_kafka_" (not in brackets) There's no time field in the data, so it's set to CURRENT. See if that helps. Cheers, Daniel ... View more

Hi @athorat, You can see all the scheduled searches that are enabled with an earliest time as "all time" with the below:     | rest /servicesNS/-/-/saved/searches search="is_scheduled=1" search="disabled=0" search="dispatch.earliest_time=0" timeout=0 | table dispatch.earliest_time, title, eai:acl.app, eai:acl.owner, search       However, people can get around this by: Using the term "earliest=-10y" in their searches Using 1 instead of 0 for the dispatch.earliest_time Hiding the earliest/latest in a macro or subsearch But that should find the immediate culprits for you.   You can also look in the _audit index to find searches being run with all time:     index=_audit action=search info=completed search_et IN(0,"N/A") | stats count, sum(total_run_time) as total_run_time values(provenance) as provenance by app, user | fieldformat total_run_time=tostring(total_run_time,"duration") | sort - total_run_time     There are ways to avoid appearing in this search, but that should give you a good starting point. Cheers, Daniel ... View more

Hi @harshal_chakran, You can set up the tokens in Dashboard Studio from the search results for the Single Value viz - see the docs article on Setting tokens from search results. When you create your search, check the "Use search results or job status as tokens" checkbox: Now once the search runs, you can use a token like this: $search name:result.<field>$ In our case it would be: $Single_Value_Search:result.list_of_id$ Now in your single value drill-down you can link to the Simple XML dashboard using the token: This will link to the Simple XML dashboard with the list_of_id token being set. Cheers, Daniel   ... View more

Hi, Yes, sort 0 - sort will reverse sort by the "sort" field. The zero means sort all fields.  This bit: | search Month=* Is used to filter out unneeded data. In our results set we have the raw data from the index and our calculated stats.  We only want the stats, so we search for all rows that have a field called Month that is not null. If your search results look ok without it, then you can safely remove this bit. ... View more

Actually, you could get simpler than that still. | gentimes start=-217 | eval _time=starttime, mydata=-1*(random()%1000/100) | eval Month=strftime(_time,"%Y %m") | stats count(mydata) AS nobs, mean(mydata) as mean, min(mydata) as min by Month | reverse ``` Create random test data ``` ``` Work out Max, min, mean from the data ``` | eval means = nobs * mean | appendpipe[|stats sum(nobs) as nobs, sum(means) as mean, min(min) as min| eval mean=mean/nobs, Month="All" ] | fields - means Comparing the two methods, this one is accurate to twelve or so decimal places. ... View more

HI @Strangertinz, Try this search:   | makeresults | eval _raw="{ \"Key1\": \"Value1\", \"Key2\": { \"subKey2_1\": \"sub value1 for key2\", \"Manifest\": [{ \"flight\": \"start\", \"City\": \"Los Angeles\", \"code\": 7870, \"Inventory\": { \"snacks\": 300, \"status\": \"full\" } }, { \"flight\": \"end\", \"City\": \"Las Vegas\", \"code\": 7470, \"Inventory\": { \"snacks\": 56, \"status\": \"near empty\" } } ], \"subKey2_3\": \"sub value3 for key2\" }, \"Key3\": \"Value3\", \"Key4\": \"Value4\"}" | fromjson _raw ``` Above is just to format the data into a JSON event``` ``` Get the JSON data from Key2``` | fromjson Key2 ``` Split out the origin and destination fields``` | eval Origin = mvindex(Manifest,0) | eval Destination = mvindex(Manifest,1) | fields - Manifest, _raw, _time, Key2 ``` Update the field names so we know which was Origin and which was Destination``` | rex mode=sed field=Origin "s/\"([^\"]+)\":/\"\\1_Origin\":/g" | rex mode=sed field=Destination "s/\"([^\"]+)\":/\"\\1_Destination\":/g" ``` Extract all the fields from the JSON array ``` | fromjson Destination | fromjson Origin | fromjson Inventory_Destination | fromjson Inventory_Origin | fields - Inventory_End, Inventory_Origin ``` Table everything out on one row ``` | table City_Origin, code_Origin, snacks_Origin, status_Origin, City_Destination, code_Destination, snacks_Destination, status_Destination I'm using rex mode=sed to update the JSON with more descriptive names for the duplicated fields. The output is: Is that what you were looking for?   Cheers Daniel ... View more

Hi @raghul725, That's not a silly question at all. This SPL creates field names based on field values: | eval {rvl_status} = count The curly brackets create a field whose name will be the value of the rvl_status field, and it is assigned count as it's value. In this case, rvl_status can be:  "E_Successful" or  "F_Successful" So those curly brackets create fields called "E_Successful" or "F_Successfu" with the value of count. We use that to work out how many of each kind are there so we can work out the no_successful value. If you're still unsure about it, perhaps this answers question covers it better: Solved: About usage of {} in eval - Splunk Community -Daniel ... View more

Hi @monik0277, Like @caiosalonso mentioned, there are multiple sources for credentials. If you are using Splunk authentication (local Splunk accounts) then the password complexity rules are kept in authentication.conf. This REST call will show you the password rules: | rest splunk_server=local /services/configs/conf-authentication/splunk_auth | table minPasswordDigit, minPasswordLength, minPasswordLowercase, minPasswordSpecial, minPasswordUppercase, passwordHistoryCount, enablePasswordHistory, forceWeakPasswordChange, expirePasswordDays   You can also see the rules through the UI under Settings -> Users and Authentication -> Password Management Cheers, Daniel ... View more