Hi All, I have a dashboard with a dropdown of about 40 choices that come from a search query (not static). Each choice should "unhide" the respective panel on the dashboard.  I do not think I am grasping the <done>, <change>, <finalized>, <condition match>, etc elements I need to figure this out.  I have created a dummy version of my actual dashboard below:       <form> <fieldset submitButton="true" autoRun="false"> <input type="dropdown" token="dashboard"> <label>Dashboard Selection</label> <fieldForLabel>Picker</fieldForLabel> <fieldForValue>Picker</fieldForValue> <search> <query>| makeresults | eval Picker = "Apple,Orange" | eval Picker = split(Picker,",") | stats count by Picker</query> </search> </input> </fieldset> <row> <panel> <html>DEBUG TOKENS : : : showapple - $showapple$ || dashboard - $dashboard$</html> </panel> </row> <row> <panel depends="$showapple$"> <title>Apple Dashboard</title> <table> <search> <query>| makeresults | eval Events = "10.10.10.10" | table Events</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$showorange$"> <title>Orange Dashboard</title> <table> <search> <query>| makeresults | eval Events = "192.168.1.1" | table Events</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>        You will notice I do not have any code to decipher when showapple or showorange is true.  I basically tried iterations of this code to make it work:       <done> <condition> <eval token="showapple">if($dashboard$="Apple","TRUE",null())</eval> <eval token="showorange">if($dashboard$="Orange","TRUE",null())</eval> </condition> </done>       I have tried using the above in different areas, and I always get null().  I also tried doing <change> instead of <done> so the dashboards would change depending on the dropdown value instantly, but I did not have success there either. ... View more

Most of my operations are based off of saved searches and these are saved a few times weekly or monthly. The columns available should always align. I tried to get the base SPL down so I could have an output with a table showing one column with result from offset=0 (current iteration), and another column with results from offset=1 (1 previous iteration), but I could not get this to work.  I was expecting the below: Available Columns Value from Offset=0 Value from Offset=1 # of hosts 1000 955   As an example, the current query would look like this: | loadjob artifact_offset=0 savedsearch="named_search" ```current week``` | loadjob artifact_offset=1 savedsearch="named_search" ```previous iteration``` Once the table gets figured out, I'm not sure how I could even use the data for a single value visualization, because it would need | timechart count to operate, but my "time" is the value from "artifact_offset" So, 2 things: Any help with the table to visualize differences between 2 jobs based on artifact_offset? With that table, would it even be possible to use the outputs to populate the single value visual? Any help here?  Or any other questions I need to answer? ... View more

Hello, It's possible that I've had too long of a day, but I can't wrap my head around nesting many ifs.  Is anyone willing to help me out?  I am really bad at writing out SPL queries to make it visually understanding with parentheses and commas.  Does anyone have some additional tips on that as well that would be useful for these nested scenarios? For example:           | eval new_field = if(pass_fail="fail", if(importance="0" OR importance="1", case( Days<7 OR State="Online","Gold", Days >=7 AND Days<14,"Orange", Days>=14,"Red"), if(importance="2", case( Days<30 OR State="Online","Gold", Days >=30 AND Days<60,"Orange", Days>=60,"Red"), if(importance="3", case( Days<60 OR State="Online","Gold", Days >=60 AND Days<120,"Orange", Days>=120,"Red"), "importance_3_false"), "importance_2_false"), "importance_1_0_false"), "main_if_fail")         The idea is to break out into a newfield by first looking at only the "fail" items, and then further breaking down the "fail" items by their importance (which can be 0, 1, 2, 3) where 0&1, 2, and 3 have their own case statements.  All the case statements and ifs should be true, and the "importance_3_false" (for example) are more for debugging and should never actually show in my output. I appreciate any help and thank you.         Error in 'eval' command: The arguments to the 'if' function are invalid.           ... View more

Hello, I'm working on showing a panel if the $env:user$ is a match based on a search. The search that I'm using works for this use case:   | rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id   This retrieves the appropriate ID (otherwise, I would just use the $evn:user$ for conditional visibility, but this never works). With the query result, I set a token envid to $result.id$ I then do a condition match where $envid$==uu_33 (uu_33 represents the user ID required to display a panel). The result of the query is always correct with "uu_33", which matches the condition I have written. I have tried following the splunk guides, and I have tried the following condition matches: <condition match="'$envid$'==&quot;uu_33&quot;"> (current) <condition match="$envid$==&quot;uu_33&quot;"> <condition match="'$envid$'==uu_33"> <condition match="$envid$==uu_33"> Nothing makes the panel show. Here is my XML.  Any help would be appreciated.   <dashboard> <label>testenvid</label> <row> <panel> <html> <b>hi. your current id is $env:user$. The current result is $envid$ is set to be equal to $result.id$.</b> </html> </panel> <panel depends="$showpanel$"> <table> <search> <finalized> <set token="envid">$result.id$</set> </finalized> <done> <condition match="'$envid$'==&quot;uu_33&quot;"> <set token="showpanel">TRUE</set> </condition> </done> <query>| rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id</query> <earliest>-60m</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </dashboard>     ... View more