Do you have any sample configuration that can guide me how to set it up? Looking forward to your help. Does the setup link below work? This is the only docs that I can find. https://community.splunk.com/t5/All-Apps-and-Add-ons/Setup-Secure-Encrypted-Syslog/m-p/391221   ... View more

One last question? All the column table that were append to it like location, siteid and etc. The result show two data entry for every row. How to make it to not duplicate the data. Thanks in advance! ... View more

It worked! Thanks again for all your help! ... View more

Another way. How to add a column to the results table based on an existing field above like loction, siteid and etc...? ... View more

How to display or add location, siteid append to the column. ... View more

Awesome It worked! Thank you so much ... View more

Hi, I'm still need your help to apply this drill down in my case. I still don't know how to do it. ... View more

Hi, Just want to follow up on my case. Did anyone have any idea on how to apply the drill down method on my case? I really need help. Thanks ... View more

Hi, Just want to follow up on my case. Do you have any idea on how to apply the drill down method on my case? ... View more

If I used this method my drill down is working as expected This is the drill down serach quey | search sourcetype="powerdata", location="$location$", siteid="$siteid$" | timechart max("powerdata{}.$click.name2${}.current") as current by powerdata{}.$click.name2${}.plugname&display.general.type=visualizations What I want is to make the drill down work with the plugname on the legend as the below search query This is my search query siteid= location= | foreach powerdata{}.plug*{}. [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ] | foreach eachplug [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ] | mvexpand allplugs | rename allplugs AS _raw | kv | timechart limit=0 max(current) AS max_current BY plugname I need to used this method and how do I apply this method for the drill down? ... View more

In my case for the drill down, how do I define the plugname to match the exact plug when click on the legend or bar chart. I try to used your method as of now when I click on the legend it's only know the plugname, but didn't know which plugname belong to the exact plug in JSON. See below link is my raw JSON that sent to Splunk. I really need help to make it work for my case of the drill down. https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html ... View more

Hi, Just want to follow up any idea on how to apply the drill down in my case. I really need help to get this to work. ... View more

Based on the above search query in my case. How would I do it for the drill down? I've try but doesn't work the way it supposed. Can you please help? See a link for JSON raw data that send to splunk https://answers.splunk.com/answers/757905/how-to-rename-label-in-splunk-legend-that-not-effe.html ... View more

Here is my new question. Thanks https://answers.splunk.com/answers/789135/how-do-i-make-a-drill-down-details-from-when-click.html?minQuestionBodyLength=80 ... View more

Now the search query is working base on Search query: siteid=* location=* | foreach powerdata{}.plug*{}.* [ eval eachplug<<MATCHSEG1>> = mvappend(eachplug<<MATCHSEG1>>, "<<MATCHSEG2>>=" . '<<FIELD>>') | fields - <<FIELD>> ] | foreach eachplug* [ nomv <<FIELD>> | eval allplugs = mvappend(allplugs, "plug=<<MATCHSTR>>, " . <<FIELD>>) | fields - <<FIELD>> ] | mvexpand allplugs | rename allplugs AS _raw | kv | timechart limit=0 max(current) AS max_current BY plugname In addition, next step I would like to be able to click on individual plug name on the bar chart or from the legend label for the drill down details. As of now when I click it. It said no result found. Please I really need help and thank you in advance. ... View more

Hi woodcock, In addition, I would like to be able to click on the legend label for drill down to see individual activity current occur per plug name. Here is my search string | search siteid=$siteid$ location=$location$ | foreach powerdata{}.plug*{}.* [ eval eachplug<> = mvappend(eachplug<>, "<>=" . '<>') | fields - <> ] | foreach eachplug* [ nomv <> | eval allplugs = mvappend(allplugs, "plug=<>, " . <>) | fields - <> ] | mvexpand allplugs | rename allplugs AS _raw | kv | timechart limit=0 max(voltage) AS max_voltage BY plugname The bar chart work great as expected, but need to be able to click on a single legend for the drill down on the bar chart. I don't know how to do it. ... View more

Never mind the warning just went away now. Thanks for all your help. ... View more

I got the warning message on my bar chart said Field 'allplugs' does not exist in the data. Only when I select individual siteid and location from my drop down. when using this search string on my dashboard | search siteid=$siteid$ location=$location$ | foreach powerdata{}.plug*{}.* [ eval eachplug<<MATCHSEG1>> = mvappend(eachplug<<MATCHSEG1>>, "<<MATCHSEG2>>=" . '<<FIELD>>') | fields - <<FIELD>> ] | foreach eachplug* [ nomv <<FIELD>> | eval allplugs = mvappend(allplugs, "plug=<<MATCHSTR>>, " . <<FIELD>>) | fields - <<FIELD>> ] | mvexpand allplugs | rename allplugs AS _raw | kv | timechart limit=0 max(current) AS max_current BY plugname But when I select ALL from my drop down the warning working great. How to bypass the the 'allplugs' when not selected ALL? ... View more

It work!!! Thank you so much! ... View more

Need your help see below ... View more