As far as I know, the map command handles the input rows sequentially, but there is no any kind of "preview results". You have to wait for the map command to handle all rows before you're able to do anything else within your query. But it doesn't matter if some of map's subsearches returns nothing. In this case there will be just several empty rows in output table. ... View more

Hi! You can try to use gentimes + map : | gentimes start=-60 increment=1h | map maxsearches=10000 search="search index=_internal earliest=$starttime$ latest=$endtime$ | stats values(sourcetype) as sourcetypes | eval earliest=\"$starttime$\", latest=\"$endtime$\" " ... View more

Hi! Here is a workaround I usually use, when I need to set calculated time range. But maybe it's possible to implement this simpler. First of all, you should add addinfo command to your initial search: index=system_A |stats count ip_address by hostname | addinfo . This command adds several additional fields to your search results. We need info_min_time and info_max_time fields, they contains earliest and latest times (in UNIX time format) from the time range of this search. Then you should calculate new time range based on these fields. Pay attention, that if your initial time range was "All time", info_max_time equals to "+Infinity", and your calculated info_min_time might be less than 0. So, your search might look like this: index=system_A | stats count(ip_address) as cnt by hostname | addinfo | foreach info*time [eval <<FIELD>> = relative_time('<<FIELD>>', "-7d")] | fillnull value=0 info_min_time | fillnull value="" info_max_time Then edit your dashboard source code. Add section done to the initial search, and option fields to the initial panel: <panel> <table> <search> <query>index=system_A | stats count(ip_address) as cnt by hostname | addinfo | foreach info*time [eval <<FIELD>> = relative_time('<<FIELD>>', "-7d")] | fillnull value=0 info_min_time | fillnull value="" info_max_time</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <done> <set token="start">$result.info_min_time$</set> <set token="end">$result.info_max_time$</set> </done> </search> <fields>hostname, cnt</fields> <option name="refresh.display">progressbar</option> </table> </panel> In fields you should specify the set of fields you want to display on your dashboard (so, you can hide info_min_time , info_max_time , etc.). In done section you set tokens start and end with calculated values from info_min_time and info_max_time . All that's left is to set time range of your second panel with tokens start and end . <panel> <chart> <search> <query>% your search%</query> <earliest>$start$</earliest> <latest>$end$</latest> </search> </chart> </panel> That't it! Please let me know if you meet any difficulties or if you find a simpler way to implement this. ... View more

You can try this: % your search % | fields Name [| gentimes start=01/01/18 increment=1d | eval month=strftime(starttime, "%B") | dedup month | stats list(month) as months | nomv months | return $months] But I believe, it's better to remove "May" somewhere before in your search, for example, by checking for nulls or something like that. ... View more

I'm sorry for typo, I meant $token_dropdown$ (not $token_drilldown$ ) as token from your dropdown list. With the lookup command you'll create a new field region_code corresponding to testnode . And with search command you'll filter out all region codes except selected in dropdown list. ... View more

Hi! I believe the easiest way is the following: % your query % | lookup lookup_filename.csv node_code AS testnode | search region_code=$token_drilldown$ | fields - region_code Of course, you must change lookup_filename.csv and $token_drilldown$ with the names of your lookup and drilldown token. ... View more

Well, I managed to do this, but it's a bit tricky 🙂 %your_search% | eventstats first(A) as firstA | streamstats count as cnt | foreach A, B, C [eval sub_<<FIELD>>=if(cnt=1, firstA-<<FIELD>>, null)] | addcoltotals labelfield="cnt" label="newrow" | foreach A, B, C [eval <<FIELD>>=if(cnt="newrow", sub_<<FIELD>>, <<FIELD>>)] | fields - cnt, firstA, sub* If your initial search is a quite light, you can use append command. The cons are that you have to duplicate your initial search in append's subsearch: %your_search% | append [%your_search% | eventstats first(a) as firstA | head 1 | foreach A, B, C [eval <<FIELD>>=firstA-<<FIELD>>] | fields - firstA] ... View more

I'm sorry, i don't fully understand what do you mean as "row-wise". Column C filled per each row, so it could be considered as "row-wise", I believe. Could you clarify your question a little more, maybe with an example? ... View more

All right, I'm glad we cleared this up 🙂 ... View more

I've run out of ideas, sorry 😞 I tried to implement this, and it seems it works like a charm (link to screenshot: https://photos.app.goo.gl/Oo4WSGJLrbAAyHXk2 ). I don't know, maybe it depends on version of Splunk (I use 7.0.2). ... View more

It seems subsearch should be rounded with brackets. I thought Splunk does this automatically, but I likely mistaked. index=my_index field1=abc field2=def NOT ([ |inputlookup filename.csv | fields field3 ]) ... View more

Mmm, do you have lookup filename.csv with field field3 ? My subsearch is only an example, you should use your filename and fieldname. ... View more