Is this sort of what you're looking for? | makeresults | eval PercentTimeOnPrem = 50 | eval PercentTimeOffPrem = 25 | eval PercentTimeOnVPN = 15 | eval PercentTimeIdle=10 | fields - _time | stats values(PercentTimeOnPrem) as "Percent in Office" values(PercentTimeOffPrem) as "Percent Out of Office" values(PercentTimeIdle) as "Percent Time Idle" values(PercentTimeOnVPN) as "Percent on VPN"| transpose To have a pie chart, all you need is too columns. One with labels and one with values. Your stats table should look like this: Label | Value ~~~~ Percent in Office | 50 Percent Out of Office | 25 Percent Time Idle | 10 Percent on VPN | 15 ... View more

Upvote BainM's answer on the transaction command. It is super helpful if you have a common identifier across events that you want to group together. You can get delta information about the time between the different events in the same transaction along with the event count which is what I think you're looking for. ... View more

@Escher Is this what you were looking for? ... View more

Glad it works! ... View more

If you have to do a linux cron job, put the command in place using crontab. Your schedule should look something like this. https://crontab.guru/#0_21_*_*_* ... View more

This is also relevant if you don't want to use the fillnull command. There's an option in the visualization tab. https://answers.splunk.com/answers/474799/how-to-delete-data-points-with-null-values-by-host.html ... View more

So it should look something like this: Javascript: my_script.js require([ 'underscore', 'jquery', 'backbone', '../app/my_app/components/myComponent', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function (_,$,Backbone, myComponent, mvc) { #Use your component var my_comp = new myComponent(); my_comp.doStuff(); }); XML: <form script="my_script.js"> ... </form> ... View more

There's a couple ways you can do this. You can use tokens and the "depends" attribute in simplexml. This will run a search any time all of the tokens defined in the "depends" list are specified. You would basically include the token value in your search that populates the lookup. I haven't tested the below, but it should be something similar to this. If you're feeling bold, you can add a custom javascript file to your simplexml dashboard and create your dropdown there with a search manager. It will work the same way with tokens as well. <input type="text" token="my_token_to_add"> <label>sourcetype</label> <default></default> <initialValue>splunkd</initialValue> </input> <input type="dropdown" depends="$my_token_to_add$" searchWhenChanged="true"> <label>My Label</label> <search> <query> index=_internal | eval myfield="$my_token_to_add$" | outputlookup my_lookup append=true</query> <earliest>-5m</earliest> <latest>now</latest> </search> </input> As a side note, you can also add this value in the form itself to refresh periodically. <form refresh="30"> .... </form> ... View more

So are you able to actually leverage npm and node in development for Splunk? I've noticed there's a node instance in the bin directory that you can run using ./splunk cmd node I'm very interested in learning how to do this if you could offer any advice. ... View more