How can we put that SPL query into a dynamic dropdown? My project is looking for if the query spits out 1X, splunk gets all the events with the Business as 1X. If query is looking for 2X, gets all the events with Business as 2X. Then, I have dashboard panels that are doing counts etc depending on the dropdown. ... View more

Can we put that into a static function of a dropdown? If so, how should we go about it?  I am building dashboard where we are counting the business ... View more

index=csmp OR index=aws-business-map OR index=sim OR index=guardduty | eval BindleNew = case(sourcetype="sim_csmp", AWSAccountName, sourcetype="csv", BindleName, sourcetype="sim_prod", WAWT2-BindleName, sourcetype="sim_prod", CloudTrail-AWSAccountName, sourcetype="sim_gd", AWSAccountId) | stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(WAWT2-BindleName), values(CloudTrail-AWSAccountName), values(AWSAccountId), values(Business) as Business by BindleNew | search AWSAccountName!="" Business="XP" This is what I have for combination so far. Something to note is that CloudTrail-AWSAccountName, WAWT2-BindleName, BindleName, AWSAccountName are all the same data. Can we normalize them using Match? ... View more

I got up to this: index=csmp | rex field=Title "^CSMP\s-\s(?<BindleName>\w+)\s-\s([a-zA-Z0-9 ]*)$" | eval BindleName=Title | lookup CostCentersandAWSAccounts.csv Business BindleName I am confused why it is not returning the BindleName which is what I am parsing and comparing to the Lookup table's column named BindleName. Once the comparison is made, I want the search to return the related row of the Business column from the Lookup table. I feel like I am missing something big here... ... View more