(By the way, I have renamed your post as it looks like there was a typo and you meant "slow" not "low".) I am assuming (since you mentioned XML), that you are using Classic dashboards, not Dashboard Studio? Given this assumption, it is likely that you have a lot of tokens being used in various searches. These searches will execute whenever a dependent token is changed. Without careful management of these token updates, you may find (and are probably experiencing) that searches run multiple times even when you thought they would only execute once. It is very difficult to advise for your specific usecase without sight of the source, but you may be able to control when searches execute by using additional tokens (I know this sounds counter-intuitive) which are only set when a search completes, using a done handler. In this way, you can enforce the order in which searches are executed. Another check that you may be able to do with your dashboard, is to temporarily introduce a trace function to see when searches are executed so you can figure out which ones might need changing. I have done this sort of thing before by using appendpipe and outputlookup to store the trace in a csv file for later analysis. There may be other ways to achieve this with other browser/js tools. ... View more

It is not clear what is going on here: Is your "custom app" just a place holder for the dashboard and lookup files? Are the lookups csv files or kv stores? Is your processing done entirely in SPL or do you have custom commands (in your app)? What was the nature of the "graphical upgrade", and in what way has it affected your app/dashboard? Can you downgrade/rollback the upgrade to fix the issue? ... View more

Try inserting a positive lookahead (assuming "uicgrupp" is the correct spelling and not "uicgroup") https://regex101.com/r/8BaFP2/2 description\": \"Process .+?(?=uicgrupp)(?<uicgroup>[^\"]+)\" ... View more

https://regex101.com/r/8BaFP2/1 description\": \"Process (?<uicgroup>[^\"]+)\" ... View more

Try expanding the multivalue field `bsod` | stats values(fct_version) as ForticlientVersion | mvexpand ForticlientVersion ... View more

You don't have fields called ERRORS or WARNINGS. Try something like this index=nms-log-idx sourcetype="sea-nms-log" ("ERROR" OR "WARNING") | eval severity=case(searchmatch("ERROR"), "ERRORS", searchmatch("WARNING"), "WARNINGS") | stats count by severity | transpose 0 header_field=severity | fields - column ... View more

Your events do not have values for P1Sender at the same time as values for the other fields you are searching on. You need to find a field that has corresponding values in both sets of events so you can correlate the data. As @PickleRick says, we have no idea what your data looks like! ... View more

Dashboard Studio still does not have some of the capabilities of SimpleXML dashboards. You might have better luck approaching this with Classic SimpleXML. ... View more

What permissions do you have set up for the alert?   ... View more

In what way do they not work? Please can you be more specific about your issue. Having said that, multi-value fields from stats are often truncated to 100 entries. You could try adding limit=128 or even limit=0 ... View more

Try this dashboard <form version="1.1" theme="light"> <label>Multi-select usecase</label> <init> <set token="show_usecase"></set> </init> <fieldset submitButton="false"> <input type="multiselect" token="usecase" depends="$show_usecase$"> <label>Select Use Case</label> <choice value="All">All</choice> <default>All</default> <search> <query>| makeresults | eval use_case_title=split("NRC1: High Severity IDS Alert,NRC2: New Malware Detection,NRC3: Splunk Health Check Failed,NRC4: Too Many Failed Logins per Device",",") | mvexpand use_case_title | sort use_case_title</query> </search> <fieldForLabel>use_case_title</fieldForLabel> <fieldForValue>use_case_title</fieldForValue> <initialValue>*</initialValue> <prefix>"(</prefix> <suffix>)"</suffix> <valuePrefix>\"</valuePrefix> <valueSuffix>\"</valueSuffix> <delimiter>,</delimiter> <change> <eval token="form.usecase">case(mvcount('form.usecase')=0,"All",mvcount('form.usecase')&gt;1 AND mvfind('form.usecase',"All")&gt;0,"All",mvcount('form.usecase')&gt;1 AND mvfind('form.usecase',"All")=0,mvfilter('form.usecase'!="All"),1==1,'form.usecase')</eval> <eval token="usecase_choice">if('form.usecase'=="All","(\"*\")",'usecase')</eval> </change> </input> </fieldset> <row> <panel> <title>Report Results</title> <table> <search id="dynamic_report_search"> <query> | makeresults | fields - _time | eval usecase_choice=$usecase_choice$ </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="count">50</option> </table> </panel> </row> </form> Obviously, I have tweaked the searched to dummy up the data. Assuming this basic dashboard works, (as it does in my environment), then I suspect there is something else going on in your dashboard which you haven't shown e.g. your actual spl and my best guess is that there are other searches and tokens being changed which is affecting how the dashboard operates. ... View more

The solution works with 10.0 despite what the documentation says, and I am fairly confident that it also worked with earlier versions, although I do not have access to those environment at present. If it is not working for you, please can you provide more details e.g. exactly what you have in the source of your dashboards, what errors (if any) are reported, what works and does not work. ... View more

Good that it is all working for you again. It sounds like you were doing the right thing all along and that there was something about your environment at the time which was causing this (intermittent) issue. If it happens again, please provide more detail about your environment (obfuscated, of course), in case there is something that someone could suggest needs tweaking. ... View more

@kknairr How can you tell that using Dashboard Studio will make this easier of OP when it is not clear what they are actually trying to do? Particularly when they are not on the latest version of Splunk, and as far as I remember, Dashboard Studio does not (easily?) support CSS as a way to modify the appearance of dashboards! ... View more

Some ids are auto-generated so you would have difficulty assigning a style to them as you probably cannot predict what id will be assigned. Some elements can have ids assigned to them but not the dashboard label. If you are trying to change the style of the label, use its class not its id. ... View more

OK so the error message tells you what to do! "layout": { "globalInputs": [ "index_filter" ], ... View more

Try like this "inputs": { "index_filter": { "type": "input.text", "title": "Search Index Name", "options": { "token": "index_filter", "defaultValue": "" } } }, ... View more

Without the single quotes (and it is important to use single quotes not double quotes), Splunk treats it as two fields 'sc' minus 'status'. With the single quotes, the field name becomes a single field name i.e. 'cs-status'. Whenever you have a field name with "special characters" including spaces, you should use single quotes when referencing the field, e.g.' field name with spaces' ... View more

As an example using dummy generated data: | makeresults count=10 | eval cs_url_stem=mvindex(split("ABC",""),random()%3) | eval sc_status=(1+random()%4)*100 ``` Lines above generate dummy data - remove when copying to your search ``` | stats count as requests count(eval(sc_status=200)) as success by cs_url_stem | eval pct=100*success/requests ... View more

What do your event actually look like - please provide an obfuscated example and your current query so we can see how you are processing the events / files? ... View more

As I said, I don't think this is possible using tokens in this way because the label is set before the searches run. You might be able to do it with some javascript though. ... View more

I am not sure you will find such a thing. There are APIs to retrieve dashboard views and there are APIs to retrieve scheduled searches, etc. But, I am guessing this is not what you are after? What are you trying to do? Perhaps there may be another way to approach it? ... View more

This is a very similar issue - instead of matching with "JOB ", you need to match with "APPL = " #props.conf [yourSourcetype] EVAL-core_key = case(hostname == "aa01" AND match(description, "APPL\\s+=\\s+"), replace(description, "(?s)^.*?APPL\\s+=\\s+(.{3}).*$", "\\1"), hostname == "bb01" AND match(description, "APPL\\s+=\\s+"), replace(description, "(?s)^.*?APPL\\s+=\\s+..(.{3}).*$", "\\1"))   ... View more

Assuming this has been already parsed as JSON, and that for "aa01" you want the next 3 characters after "JOB ", and for "bb01" you want to skip an extra 2 characters before taking the next 3, you could try this: | rex field=description "aa01.+?JOB (?<core_key>...)" | rex field=description "bb01.+?JOB ..(?<core_key>...)"   ... View more