Im not the OP, but this helped me. ... View more

Hi @ramyaashok , I'm not sure how to create a table exactly in the way that you want. But it is possible to create a table in the following format: file status name_of_job1 name_of_job2 name_of_job_3 name_of_job_4 abc waiting time_of_job1       def collected   time_of_job2   time_of_job4 hij waiting     time_of_job3     by using the following query: your_results| eventstats count as duplicates by file | eval status = if(duplicates>1,"Data collected","waiting for data") | table file, status | join file [| search your_results | chart values(_time) over file by job limit=10] you can increase/decrease the limit parameter to put a threshold on the number of columns to be shown. ... View more

Hi @ramyaashok , If you can't set/change the type to real time, you probably don't have the permission to use real time alerts. Talk to your Splunk Admin.  BR Ralph ... View more

Hi @ramyaashok, let me understand your need: you want to insert one or more values in a text box of a dashboard, search on events using the content of this text box every 15 minutes; Is this correct? You could put the values to search in a lookup and use it for the search: you have to create a lookup (called e.g. my_lookup.csv) where there's only one field (called e.g. pattern); if the value is in your events in one specified and fixed field (called e.g. my_field), run a search like this: index=my_index [ | inputlookup my_lookup.csv | rename pattern AS my_field | fields my_field ] if instead you don't have the value in your events in one specified and fixed field, run a search like this: index=my_index [ | inputlookup my_lookup.csv | rename pattern AS query| fields query ] Use this search to create your alert to schedule with the frequency you like (e.g. 15 minutes and fire everytime you have results. If you like, you can also insert a threeshold adding at the end a condition: | stats count | where count>threeshold or managing the threeshold in the alert. Obviously, the first one is better! Ciao. Giuseppe ... View more

@ramyaashok <dashboard> <label>Color Cell</label> <row> <panel> <table> <search> <query>| makeresults | eval status="successful,unsuccessful",status=split(status,",")| mvexpand status</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <format type="color" field="status"> <colorPalette type="map">{"successful":#00FF00,"unsuccessful":#FF0000}</colorPalette> </format> </table> </panel> </row> </dashboard> Refer: https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/TableFormatsXML#Table_format_source_code_example ... View more

Hi ramyaashok, Let me understand: "unavailable" is a value in column3 field? if this is your need, in your search insert a filter like the following: index=my_index | search column3!="unavailable" | table column1 column2 column3 Bye. Giuseppe ... View more

Hi ramyaashok, if you're satisfied of this answer, please accept and/or upvote it. Bye, see next time. Giuseppe ... View more

Can you tell what role you are in? Does It have the capability to change permissions? As the lookup is Private, if you are not the creator of this lookup, you will have to be an admin to change permissions for this object. ... View more