I have a log stream in this format: level=info request.elapsed=100 request.method=GET request.path=/orders/123456 request_id=2ca011b5-ad34-4f32-a95c-78e8b5b1a270 response.status=500 I have extracted the fields using regex: | rex field=message "level=info request.elapsed=(?<duration>.*) request.method=(?<method>.*) request.path=(?<path>.*) request_id=(?<request_id>.*) response.status=(?<statusCode>.*)" I want to manually build a new field called route based on the extracted field path. For example, for "path=/order/123456", I want to create new field "route=/order/{orderID}", so I can grouping by route not by path, the path contains real parameter which I cannot group on path.  How can I achieve this? Thanks. ... View more

Hi folks, I am creating a Splunk dashboard and have some questions regarding the multiselect input. 1. I want to add a special option `all`, when user selects it, means all options are selected. So I added a static option `all`, but I can select both `all` and any other options, makes it looks odd, so my first question is how to make `all` option either exclusive of other options, or when i select `all`, all options will be selected automatically (except `all`)? 2. For the multiselect input, I am currently using is int a `WHERE` clause: `| where $multiselect_roles$`, currently the configuration of multiselect is: it means the interpolated clause looks like: `| where role_name="value1" OR role_name="value2"`, my second question is when `all` is selected, how can I either emit the whole `WHERE` clause, or make it trivial, means the `WHERE` clause is there but actually it doesn’t filter anything? I tried to give the `all` option an empty string, or a `*` but both don’t work.  3. When populating the dynamic options of multiselect from query, I want to reference other inputs as query parameters. For example, I already added an input whose token name is `environment` and another time range input, I want to only get distinct values of a column from the given environment and time range, like this: `from_index_distapps` sourcetype="xyz" "request=" earliest=$time_range$ | rex field=message "request=\"(?[^}]+})" | eval arjson=replace(arjson, "\\\\\"", "\"") | spath input=arjson | where environment=$environment$ | table role_name | dedup role_name How to correctly reference other inputs here?  ... View more

Hi folks, my dataset looks like this: timestamp id userMail reason t1 id1 a@example.com test t2 id1 a@example.com test t3 id1 a@example.com  test t2 id2 b@example.com testtest t4 id2 b@example.com ttt   I want to group by id and userMail, then find the last (latest) record in each group. From the help document on latest/earliest function, it uses metadata field _time to find the latest row, how can I let latest function to use timestamp field in my case?  I know I can use something like eval _time = timestamp to overwrite the _time field, but want to know if there are better ways to achieve. My second question is how to write the query, can i do in this way: | eval _time=timestamp/pow(10,3) | chart latest(*) by id, userEmail Thanks! ... View more