Unfortunately, when I enclose map with [ ] as you suggested, it fails to work. Pls see my dashboard xml in main comment ... View more

Pls see my dashboard xml in main comment ... View more

Here is my dashboard and I am showing relevant queries only. With this queries with map, my problem is solved: <query> | makeresults | addinfo | eval orders_index = "$Trading$" | eval beginTimeFromMinTime=relative_time(info_min_time, "@d") | map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype=\"NeonConnect:Proxy\" OR sourcetype=\"neonconnect:orderpusher\") AND OrderStatus AND User AND Account" </query> <earliest>$orderTime.earliest$</earliest> <latest>$orderTime.latest$</latest> <sampleRatio>1</sampleRatio> </search> ........................................................................................ Below query is to show Users in drop down ....................................................................................... <input type="dropdown" token="tokFilterUser" searchWhenChanged="true"> <label>Filter on User</label> <search base="baseProxySearch"> <query> | where NOT isnull(User) | dedup User | eval User=lower(User) | dedup User | table User | sort User </query> </search> <fieldForLabel>User</fieldForLabel> <fieldForValue>User</fieldForValue> <choice value="*">All Users</choice> <default>*</default> </input> ........................................................................................ Below query is to show Accounts in drop down ....................................................................................... Filter on Account | where NOT isnull(Account) AND (User="$tokFilterUser$" OR "$tokFilterUser$"="") | dedup Account | eval Account=lower(Account) | dedup Account | table Account | sort Account Account Account <choice value="">All Account Names * ... View more

I want that all accounts are shown in my dasboard's drop down menu. Without map it doesnt work. Not sure why. I am 1 day old kid in splunk 😞 ... View more

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works ... View more

Problem solved but still want answer: My input source (which is log file) contains a lot of unnecessary data like: 2019-12-06 20:26:54,753 UTC : INFO PC=I, PM=0, PI=0, PR=3 2019-12-06 20:27:24,770 UTC : INFO PC=I, PM=0, PI=0, PR=3 And my log files are kept on updating with these data which DO NOT contain "Account" info which I am looking for. I changed the query to limit the data in index by adding "AND OrderStatus AND User AND Account" which makes sure that the data contains Account info like: 2019-12-04 17:05:59,026 UTC : INFO User=ASHAH, Account=AShah, AccountId=2, OrderStatus=Unknown, Status=Pending Old failed query: | map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") " New successful query: | map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") AND OrderStatus AND User AND Account" My question is, how limiting data in Splunk Index solved the problem? Is a lot of data in Splunk Index cause unreliable result? ... View more

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works ... View more

Correction: In both above queries I use same Index and SourceType (though it seems different in my question) ... View more