Hi.  I am trying to edit a source code of a splunk panel such that, the token should only when the user clicks on a particular column (Not a particular value).  For example:  lets consider the below table.  Column1 Column2 Column3 Column4 Column5 Column6 Column7 value1 value2 value3 value4 value5 value6 value7 value11 value22 value33 value44 value55 value66 value77   I want to make changes such that, the token should work only when the user clicks any value in Column1 and Column2 (It can be value1 or value11 or value2 or value22 ). The token should not work when the user clicks on any value from other columns.    The opened new panel based on token should disappear when user clicks on any value from columns other than column1 and column2.    The source code which I have :    <row> <panel> <table> <title>Stats by user(Click on a value for further info)</title> <search> <query> SOME BUSINESS SPLUNK QUERY)</query> <earliest>$startTime.earliest$</earliest> <latest>$startTime.latest$</latest> <refresh>5m</refresh> <refreshType>delay</refreshType> </search>'<option name="count">20</option> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">cell</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <drilldown> <condition> <set token="value">$click.value2$</set> </condition> </drilldown> </table> </panel> </row> <row depends="$value$"> <panel> <title>Usage of $value$</title> <chart> <search> <query> ANOTHER SPLUNK QUERY</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> <drilldown> <unset token="value"></unset> </drilldown> </chart> </panel> </row>     Please help me to add a condition to unset token based on column. Any help is greatly appreciated.    Thanks in Advance. ... View more

Hi.  I am trying to find max value of p90 over a month for 1 API. The query I use for finding stats:    <basic splunk query>  | search API = API1 | stats p90(processing_time) as 90%_time by API    where processing_time is the time which would display the time used for finding p90.   Can someone help me with the query to find the max value of p90 calculated over a month ?  So that I can use that value to generate some kind of alerts.   Any help is greatly appreciated. Thanks. ... View more

Hi All.  I want to check if there is any means by which I can set up alerts if  the current week's data is more than the avg of last 4 week's data.   I have around 25 customers hitting 3 APIs. I want to compare if first customer has hit the first API more in the current week when compared to the avg number of hits in the previous 4 week's, and then send an alert if it exceeds the avg.    Similarly for all the customers and the 3 APIs.  All the above operation should happen with a single Splunk query. I don't want to write 25*3=75 queries for the alerts.  I have written a query for 1 customer and 1 API index=nameofindex ns=namespace process="end" method!=GET earliest=-30d@d   customer1 | search API="API1" | timechart span=1w count | timewrap w series=short | eval mean=(s1+s2+s3+s4)/4 | where s0 > mean Can anyone please help here ? Any help is greatly appreciated. Thanks! ... View more