I have a dashboard with multiple inputs. These inputs are like filters on top of basic search. I want 1. if phone mdn and both devicemdn is provided then its a OR between them on top of the base search base search | search phonemdn=<value> OR devicemdn=<value> 2. if only phone mdn is provided then should be base search | search phonemdn=<value> 3. if only device mdn is provided then should be base search | search devicemdn=<value>   Here is my dashboard xml:   <form> <label>Dashboard</label> <fieldset submitButton="true" autoRun="true"> <input type="text" token="phonemdn" searchWhenChanged="false"> <label>PHONE MDN</label> <default></default> <change> <condition> <eval token="phonemdn_exp">if(len(trim($value$)) == 0,"","| search phonemdn=".$value$)</eval> </condition> </change> </input> <input type="text" token="devicemdn"> <label>DEVICE MDN</label> <default></default> <change> <condition> <eval token="devicemdn_exp">if(len(trim($value$)) == 0, "" , if(len(trim($phonemdn$)) == 0, "| search devicemdn=".$value$, "OR devicemdn=".$value$))</eval> </condition> </change> </input> <input type="dropdown" token="logtype" searchWhenChanged="true"> <label>LOG TYPE</label> <choice value="*">ALL</choice> <choice value="server">Watch</choice> <choice value="application">Application</choice> <change> <condition value="server"> <set token="filter_search_base">| search index=new | spath app | search app=newapp </set> <set token="logtype_lab">logtype=server</set> <set token="logtype_exp">| search source=Band | eval source="Band"</set> </condition> <condition value="application"> <set token="filter_search_base">| search index=main | spath app | search app!=simulator</set> <set token="logtype_lab">logtype=Application</set> <set token="logtype_exp">| search source=Application</set> </condition> <condition value="*"> <set token="filter_search_base">|multisearch [search index=new | spath app | search app=newapp] [search index=main | spath app | search app!=simulator]</set> <set token="logtype_lab">All Source</set> <set token="logtype_exp"></set> </condition> </change> </input> </fieldset> <row> <panel> <title>SEARCHING: $logtype_lab$ $phonemdn_exp$ $devicemdn_exp$</title> <search> <query>$filter_search_base$ $phonemdn_exp$ $devicemdn_exp$</query> <earliest>$timefield.earliest$</earliest> <latest>$timefield.latest$</latest> </search> </panel> </row> </form>     So my first query always works but later I feel like the input value for phonemdn and devicemdn is getting cached and future query didn't work as expected. if I have input both phonemdn and devicemdn : query is base search | search phonemdn=<value> OR devicemdn=<value> then if I delete value from phone mdn and only keep devicemdn then,  actual query : base search OR devicemdn=<value> expected query : base search | search devicemdn=<value> I feel like somehow the phonemdn value from the first query is getting cached somehow. Please help me to resolve this issue. let me know if you need more information. thanks!! ... View more

Our event log has request and response. Request and response body can either be a json object or json array. I need to extract resquest.body and response.body to construct a field "httpdetails" which is a string . How can i achieve this using single spath function. example of log events :     { "message": { "request": { "body": {} }, "response": { "body": [ { "id": "85118db6-2d5c-6bb0-ff67-5bc9ef5d4a1f", "createdon": "2021-07-08T00:37:02.512Z" } ] } } }         { "message": { "request": { "body": { "$limitafter": "2021-07-08T20:08:29.983Z" } }, "response": { "statuscode": 200, "body": { "count": "22" } } } }     Splunk query : | spath output=response_data message.response.body | spath output=request_data message.request.body | eval request_data=if(isnull(request_data) , NULL , request_data) | eval response_data=if(isnull(response_data),  NULL, response_data) | eval httpdetails="\n"+request_data+"\n-----------------Response---------------\n"+response_data, httpdetails = split(httpdetails,"\n") | eval details=if(isnotnull(httpdetails), httpdetails, details)  After running this query "httpdetails" is shown below. Here response_data for first log event is coming as NULL instead of object array. How can I fix this??   ... View more