Hello,  I have a dashboard with couple of pie charts and a summary table. First Pie chart sets token 1, second token 2 and so on. I was wondering if there is any way in which I can refresh the summary table with the token values selected? In other words, if token 1 is set but token 2 is unset, then BASE SEARCH | search token1=$token1$, token2=* (since token 2 is not set yet) If token 1 and token 2 is set, then  BASE SEARCH | search token1=$token1$, token2=$token2$ (as both tokens are set. Eventually what I am trying to do is keep refreshing the dashboard based on user clicks, but if at the moment, unless user sets the token1 and token2, my dashboard panel is not showing anything. It is stuck at "waiting for user input".   ... View more

Hello All,   I have a multivalue field which contains domain names (for this case, say it is in field named emailDomains and it contains 5 values). I have a lookup named whitelistdomains which contains 2000+ domains names. Now, what I want is to look for these multivalue domains names field and check if that domain name is present in my lookup. Is that possible. Example and expected output is below. I did tried doing this using mvexpand but sometimes I end up with memory issues on splunk cloud and hence want to avoid this. I tried using map, mvmap to see somehow I can pass one value at a time in inputlookup command and get the output. But so far, I am not able to figure it out properly. I did achived this via a very dirty method of using appendpipe to get list of values in lookup and then eventstats to create that variable against each event for comparison. But this made search very clunky and I am sure there are better ways of doing this? So, if you can please sugesst a better way, that would be amazing.   emailDomains field: test.com sample.com example.com   whitelistdomains Lookup data: whitelist.com sample.com something.com example.com ......and so on..   Expected output: whitelistedDomains (this is a new field after looking up all multifield values against lookup) sample.com example.com   ... View more

Hello All, I have a use case where in need to compare two json objects and highlight their key value differences. This is just to ensure that we can let OSC know only about the changes that has been made rather than sending both old and new json as as alert. Is that doable? I tried using foreach, spath, mvexpand but not able to figure out a proper working solution. Any help on this is much appreciated. Json1: { "id": "XXXXX", "displayName": "ANY DISPLAY NAME", "createdDateTime": "2021-10-05T07:01:58.275401+00:00", "modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00", "state": "enabled", "conditions": { "applications": { "includeApplications": [ "YYYYY" ], "excludeApplications": [], "includeUserActions": [], "includeAuthenticationContextClassReferences": [], "applicationFilter": null }, "users": { "includeUsers": [], "excludeUsers": [], "includeGroups": [ "USERGROUP1", "USERGROUP2" ], "excludeGroups": [], "includeRoles": [], "excludeRoles": [] }, "userRiskLevels": [], "signInRiskLevels": [], "clientAppTypes": [ "all" ], "servicePrincipalRiskLevels": [] }, "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ], "customAuthenticationFactors": [], "termsOfUse": [] }, "sessionControls": { "cloudAppSecurity": { "cloudAppSecurityType": "monitor", "isEnabled": true }, "signInFrequency": { "value": 1, "type": "hours", "authenticationType": "primaryAndSecondaryAuthentication", "frequencyInterval": "timeBased", "isEnabled": true } } }   json2: { "id": "XXXXX", "displayName": "ANY DISPLAY NAME 1", "createdDateTime": "2021-10-05T07:01:58.275401+00:00", "modifiedDateTime": "2025-02-06T10:30:40.0351794+00:00", "state": "enabled", "conditions": { "applications": { "includeApplications": [ "YYYYY" ], "excludeApplications": [], "includeUserActions": [], "includeAuthenticationContextClassReferences": [], "applicationFilter": null }, "users": { "includeUsers": [], "excludeUsers": [], "includeGroups": [ "USERGROUP1", "USERGROUP2", "USERGROUP3" ], "excludeGroups": [ "USERGROUP4" ], "includeRoles": [], "excludeRoles": [] }, "userRiskLevels": [], "signInRiskLevels": [], "clientAppTypes": [ "all" ], "servicePrincipalRiskLevels": [] }, "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ], "customAuthenticationFactors": [], "termsOfUse": [] }, "sessionControls": { "cloudAppSecurity": { "cloudAppSecurityType": "block", "isEnabled": true }, "signInFrequency": { "value": 2, "type": "hours", "authenticationType": "primaryAndSecondaryAuthentication", "frequencyInterval": "timeBased", "isEnabled": true } } }   Output expected (Based on above sample jsons): KeyName , Old Value, New Value displayName, "ANY DISPLAY NAME", "ANY DISPLAY NAME 1" modifiedDateTime, "2025-02-05T10:30:40.0351794+00:00", "2025-02-06T10:30:40.0351794+00:00" users."includeGroups", ["USERGROUP1","USERGROUP2"], ["USERGROUP1","USERGROUP2", "USERGROUP3"] "excludeGroups",[],["USERGROUP4"] sessionControls."cloudAppSecurityType","moitor","block" signInFrequency."value",1,2   Thanks   ... View more