Hi, I have a trellis which I need to enable drilldown on which should launch a custom search using a token determined by which part of the trellis is being clicked. Here is my code which is not working. I've tried $trellis.name$ and $trellis.value$ but neither works... Any help much appreciated! <single id="singleTrellis2"> <title>Breakdown of Packaged Win10 Applications</title> <search> <query>| inputlookup SCCM_data | search DevicesWithApp_2012&gt;0 AND Retired!=TRUE "Organization Name"="$dept$" "Level 01 Organization Name"="$division$" | dedup SoftwareName | eval label="_" | search Packaged_2016=TRUE | fillnull value="To_Be_Reviewed" Proven | eval Proven=if(Proven="NULL","To_Be_Reviewed",Proven) | eval Proven=if(Proven="UnProven","Awaiting_Sign_Off",Proven) | eval Proven=if(Proven="Proven","Ready_To_Deploy",Proven) | rename Proven as Proven? | stats count by Proven? | transpose header_field=Proven? column_name=Proven? | fields - Proven?</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">all</option> <option name="height">120</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="trellis.splitBy">_aggregation</option> <option name="useColors">0</option> <drilldown> <set token="proven">$trellis.name$</set> <link target="_blank">search?q=%7C%20inputlookup%20SCCM_data%20%0A%7C%20search%20DevicesWithApp_2012%3E0%20AND%20Retired!%3DTRUE%20%22Organization%20Name%22%3D%22$dept$%22%20%22Level%2001%20Organization%20Name%22%3D%22$division$%22%20%0A%7C%20dedup%20SoftwareName%20%0A%7C%20eval%20label%3D%22_%22%20%0A%7C%20search%20Packaged_2016%3DTRUE%20%0A%7C%20fillnull%20value%3D%22To_Be_Reviewed%22%20Proven%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22NULL%22%2C%22To_Be_Reviewed%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22UnProven%22%2C%22Awaiting_Sign_Off%22%2CProven)%20%0A%7C%20eval%20Proven%3Dif(Proven%3D%22Proven%22%2C%22Ready_To_Deploy%22%2CProven)%20%0A%7C%20search%20Proven%3D%22$proven$%22%20%0A%7C%20fields%20FriendlyTitle%202016Name%20Proven&amp;earliest=-24h@h&amp;latest=now</link> </drilldown> </single> ... View more

Hi, I wrote the following query to identify searches running in verbose mode but it seems to be inducing reports that have been deleted. Is there a field I can use to exclude them? I have had a look but nothing obvious comes to me.   | rest /servicesNS/-/-/saved/searches | search alert_type = "always" NOT title="instrumentation.*" | table eai:acl.owner title description *mode* is_scheduled | search display.page.search.mode=verbose   Thanks ... View more

Hi, I have the following SPL as a dashboard panel which shows realtime searches. This is so I can contact the owners and discuss them converting to a scheduled report instead: | rest /services/search/jobs | search eventSorting=realtime | eval author=upper(author) | lookup snow_sys_user_list.csv user_name as author | table author label eventSearch dv_name dispatchState, eai:acl.owner, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server However, the panel is still showing reports that have been converted to scheduled reports/alerts or deleted entirely. Is there some SPL I have to add to get it to only see "active" real-time searches? Thanks       ... View more

Hi, a user wants to see the description of a report as well as the title. I know he could click the drop down arrow but he doesn't want to have to do that for multiple (similarly named) reports to find the right one. Can I edit the table on that view to include the description for each report?   I can see his point, we have lots of reports so he could save time if that info was there.   Thanks   ... View more

Hi, can anyone make any suggestions as to how I can make this search more efficient?     index=prod_service_now sourcetype=snow:incident number=INC* | fields opened_at dv_assignment_group sys_id | dedup sys_id |search dv_assignment_group=ITSOCS* NOT dv_assignment_group="ITSOCS Logistics" | eval now = now() | eval now = relative_time(now,"@w1") | eval now = relative_time(now,"-52w") | eval earliest = relative_time(now,"-52w") | eval _time = strptime(opened_at,"%Y-%m-%d%H:%M:%S") | where _time >= earliest AND _time < now | eval new_time = relative_time(strptime(opened_at,"%Y-%m-%d%H:%M:%S"), "+52w") | eval _time = relative_time(new_time,"@w1") | eval ReportKey = "LASTYEAR" | append [ search index=prod_service_now sourcetype=snow:incident number=INC* | fields opened_at dv_assignment_group sys_id | dedup sys_id | search dv_assignment_group=ITSOCS* NOT dv_assignment_group="ITSOCS Logistics" | eval now = now() | eval now = relative_time(now,"@w1") | eval earliest= relative_time(now, "-52w") | eval _time = strptime(opened_at,"%Y-%m-%d%H:%M:%S") | where _time >= earliest AND _time < now | eval _time = relative_time(strptime(opened_at,"%Y-%m-%d%H:%M:%S"), "@w1") | eval ReportKey = "CURRENTYEAR"] | chart count by _time, ReportKey       Thanks ... View more

  Hi, new member so apologies if I miss any forum etiquette!  I'm trying to query Service Now incident data to show number of tickets opened over the last 52 weeks and compare it to the previous 52 week period. I had a bit of help from a third party company to build some queries but now they have gone I can see a few issues with the numbers. The query is as follows:     index=prod_service_now sourcetype=snow:incident earliest=-52w@w1 latest=@w1 number=INC* |dedup sys_id| search dv_assignment_group=ITSOCS* NOT dv_assignment_group="ITSOCS Logistics" | eval _time = strptime(opened_at,"%Y-%m-%d%H:%M:%S") | eval now = now() | eval now = relative_time(now,"@w1") | eval earliest = now() | eval earliest = relative_time(earliest,"@w1") | eval earliest= relative_time(earliest, "-52w@w1") | where _time >= earliest AND _time <= now | eval _time = relative_time(_time,"@w1") | timechart span="1w@w1" dc(number) as current_incident_count | rename VALUE as NULL * as "* - CURRENT YEAR" | rename "_time - CURRENT YEAR" as _time | fields - "_span - CURRENT YEAR", "_spandays - CURRENT YEAR" | appendcols [ |search index=prod_service_now sourcetype=snow:incident earliest=-104w@w1 latest=-52w@w1 number=INC* | dedup sys_id |search dv_assignment_group=ITSOCS* NOT dv_assignment_group="ITSOCS Logistics"| eval _time = strptime(opened_at,"%Y-%m-%d%H:%M:%S") | eval now = now() | eval now = relative_time(now,"@w1") | eval now = relative_time(now,"-52w@w1") | eval earliest = now() | eval earliest = relative_time(earliest,"@w1") | eval earliest= relative_time(earliest, "-104w@w1") | where _time >= earliest AND _time <= now | eval _time = relative_time(_time,"@w1") | timechart span="1w@w1" dc(number) as historical_incident_count | rename VALUE as NULL * as "* - LAST YEAR" | rename "_time - LAST YEAR" as _time | fields - "_span - LAST YEAR", "_spandays - LAST YEAR"]       One obvious issue is the query limits the base search to blocks of 52 weeks based on _time which in this case is the last updated field. So, I could have tickets that will be missed if they were opened in that period but updated outside of that period. If I remove the earliest and latest parameters then the search is painfully slow and also the lines on the graph are no longer overlaid but instead they run sequentially.   Can anyone suggest a better way to do this? What I need is a line graph with 52 weeks and then the 2 series need to be on top of one another.   Hopefully I have given enough info, please shout if anything isn't clear! Thanks for reading 🙂 ... View more