10-29-2022 I stumbled upon this splunk answer from a google search as I was also curious how to do this in splunk. It's quite unfortunate i'm having the same issue as mentioned as above about the white panel. I'm on Splunk version 9.0.1. Is this really a bug in splunk or does the panel not like some of the syntax we are offering? It's odd either way as I'd expect an error if there was bad syntax or for splunk to recognized and fix the bug giving it's been so long. I want to take time out and thank @niketn For his hard work/ provided solution on this problem. I  think what he's mentioned has been shadowed due to the bug or whatever this is. I'm unsure if he is still active, or if any of you have been successful in finding a work around. i'd be curious to know what it is? I'd like to use in production but cannot if we have to click edit, cancel each time. I'm hoping there's a trick or workaround to get by as the provided answer works beautifully when it works. When I got it working i was so happy, but much like most of you came back to notice it suddenly stopped working. Such a let down because i struggled for hours thinking i must of fat fingered some syntax.  Thanks for the feedback ... View more

Works great 🙂 Just had to filter out the other unrelated fields from the event. Thanks a lot! ... View more

What a trick! Well done.... ... View more