Simply echoing xpac's excellent solution with my own, since I've encountered this as well, but perhaps another wording will help future readers as well.

When you write regex in a |rex command, backslashes must be used carefully, because there are multiple levels of escaping. The first is SPL-level escaping, because the rex command accepts the argument for the regular expression in quotes, which means you must escape the " character with \ so your regex string can include it. Call this the SPL parsing step. For this to work, \ must also be a special character for the SPL parser. All this only applies to SPL commands like |rex and |regex that accept the regular expression as a string bounded by quotes. For these, though, all " and \ characters must be escaped so they appear as literals in the true regular expression.

For the regular expression itself, " is not a special character, but \ is. So if you need to look for something like a literal \ in the message, your regex must specify \\, and your SPL must specify \\\\. SPL escapes this once to \\, which regex treats as a literal \.

This is very annoying for cases where your message is escaped JSON formatting, as the string \" appears in the message itself. If you need to search for this in a |rex command, you'll need \\\\\".

For other methods of regex written in Splunk .conf files like field extractions, transforms, LINE_BREAKER, timestamp lookahead, etc., the regular expression syntax does not need to be escaped again because there's no SPL parser interpreting it first.

Example:

message you're searching: {\"key\": \"value\"}

regex you want applied (and what should work in .conf files): {\\"key\\": \\"value\\"}

how you must write the SPL command: | rex field=_raw "{\\\\\"key\\\\\": \\\\\"value\\\\\"}"
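An added illustration of the two escaping levels described in the answer above (example code, not from the original post or from Splunk): `spl_unquote` is an assumed, simplified model of how the SPL parser handles the quoted argument to rex (only \" and \\ are collapsed), and Python's `re` stands in for Splunk's PCRE engine. It shows the correctly escaped SPL argument matching the escaped-JSON message, the naive argument missing it, and the .conf-style regex working with no extra escaping.

```python
import re

# Constructed sample event: escaped JSON, so the raw text contains literal \" sequences.
MESSAGE = r'{\"key\": \"value\"}'

# The regex you actually want PCRE to see (what goes directly into a .conf file).
CONF_REGEX = r'{\\"key\\": \\"value\\"}'

# What must sit between the quotes of a |rex command: every \ and " escaped once more.
SPL_ARG = r'{\\\\\"key\\\\\": \\\\\"value\\\\\"}'

# The common mistake: pasting the PCRE regex straight into the |rex quotes.
NAIVE_SPL_ARG = r'{\\"key\\": \\"value\\"}'


def spl_unquote(spl_literal: str) -> str:
    """Model of the SPL parsing step for a double-quoted argument (assumption):
    \\" becomes a literal " and \\\\ becomes a literal \\; anything else passes through."""
    out, i = [], 0
    while i < len(spl_literal):
        ch = spl_literal[i]
        if ch == "\\" and i + 1 < len(spl_literal) and spl_literal[i + 1] in '"\\':
            out.append(spl_literal[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def spl_to_regex(spl_arg: str) -> str:
    """Regex that reaches the PCRE engine after SPL has unescaped the quoted argument."""
    return spl_unquote(spl_arg)


def rex_matches(spl_arg: str, message: str) -> bool:
    """Simulate |rex: unescape at the SPL level, then run the resulting regex."""
    return re.search(spl_to_regex(spl_arg), message) is not None


def conf_matches(conf_regex: str, message: str) -> bool:
    """Simulate a .conf extraction: the regex is used as written, no SPL step."""
    return re.search(conf_regex, message) is not None


if __name__ == "__main__":
    print(spl_to_regex(SPL_ARG))                     # {\\"key\\": \\"value\\"}
    print(rex_matches(SPL_ARG, MESSAGE))             # True
    print(rex_matches(NAIVE_SPL_ARG, MESSAGE))       # False: regex became {\"key\": \"value\"}
    print(conf_matches(CONF_REGEX, MESSAGE))         # True
```

The naive argument unescapes to {\"key\": \"value\"}, which PCRE reads as a match for unescaped JSON ({"key": "value"}) rather than the backslashed form in the event.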