Hi, I seem to be having a mental block which maybe someone can help with. I have an input dropdown which runs a query to populate values in the dropdown, depending on the value selected I want to set two more token. The condition match should be on the first 6 characters of the selected value, so if aaaaaa* set two new tokens and if aaaaab* set a different two. All tokens are then used in panels on the dashboard and should refresh each time the value in the dropdown is changed. sample xml below that will hopefully give the idea. <input type="dropdown" token="iptoken" searchWhenChanged="true"> <label>Apply Engine</label> <fieldForLabel>value</fieldForLabel> <fieldForValue>value</fieldForValue> <search> <query>index=ti-u_* sourcetype=$iptoken$ value=aaaaa** | table value |dedup value |sort value</query> <earliest>@y</earliest> <latest>now</latest> </search> <<change> <condition match="$iptoken$==&quot;aaaaaa*&quot;"> <set token="newtoken1">newvalue1</set> <set token="newtoken2">newvalue2</set> </condition> <condition match="$iptoken$==&quot;aaaaab*&quot;"> <set token="newtoken1">newvalue1</set> <set token="newtoken2">newvalue2</set> </condition> </change> </input> thanks in advance ... View more

Hi, Any thoughts appreciated. I have some connection data captured at connection termination, it has connection start and end times. CONSTA and CONEND in the format "2022-10-18 15:40:00.000000". What I'd like to do is timechart in say 5 minute intervals the number of connections that were active in those intervals. So all connections in an interval 15:40 - 15:45 that had started but not terminated and repeat that across the timechart so 15:45 - 15:50 etc. Hopefully that make sense. Thanks in advance Steve ... View more

Hi, I have some data which spans multiple systems example below: "system" "app" "fld1" "fld2" "fld3" sys1         appA   1           0          0 sys1         appA   0           0         0 sys1        appB    0          1 What I'm trying to do is create a generic dashboard so I would need to rename the fields based on the "app" value. So something similar to: when app=="appA" rename "fld1" as "appAfld1",  rename "fld2" as "appAfld2" when app=="appB" rename "fld1" as "appBfld1" Then in a table only show the renamed fields, so a conditional table statement again based on the "app" value. Any ideas on how/if that can be achieved?  Alternately I just create separate dashboards but a lot of repetition in that so I suspect there is a way to do it. Thanks in advance for any ideas. ... View more

Hi, in anything else this would seem very simple but I seem to be flummoxed trying to do this in splunk. Probably not helped by having zero regex knowledge. I have a field that has values in the format:  AAAABBCC I want to return all values that have BB in position 5, if anyone could be so kind as to  provide a sample I can then pull it apart and try and work out how it does it. Thanks. ... View more

Hi, I have data as below sample: Date Time val1 val2 val3 ...... 21/08/31 01:00:00 2 1 2 2 2 2 2 1 1 2 69 1 0 2 0 0 3 3 21/08/31 02:00:00 1 1 0 1 1 1 0 0 0 0 0 0 0 1 0 1 1 0 21/08/31 03:00:00 2 1 1 2 2 2 0 1 0 2 1 0 0 2 0 1 2 2 21/08/31 04:00:00 1 1 1 1 1 1 67 0 1 150 205 0 169 312 0 0 2 2 21/08/31 05:00:00 1 0 1 1 1 1 0 0 0 70 1 2 0 1 1 1 2 58 I can calculate the max value for a specific date and time and show as a single value panel on a dashboard. What I'd like to do it find the max value for the latest time reported in the data for a date. index=my_index sourcetype=my:sourcetype Date="21/08/31" Time="03:00:00"| eval max_val = max(val1, val2, val3, val4 ....) |stats max(max_val) as mymax So in the sample where latest Time is "05:00:00" is there a way I can code that rather than hard specify the value? thanks in advance for any thoughts ... View more