Hi @anooshac  If you want to run this on a schedule then you might want to look at putting this into a Bash script and running as a cronjob.  Once you have a working CURL command, add this into a bash script, ensure it is executable (chmod +x) and then add to your user's cron (crontab -e) To run hourly you would do something like 1 * * * * which would run at 1 minute past each hour. This assumes you are running a Linux system. Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will ... View more

Please share your two searches (in code blocks) ... View more

Hi @anooshac , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Did you add the CSS and also the table ID? Also yes, the mid/min/max is what you set in this statement | eval v=mvappend(v, tostring(case(perc<=10, 1, perc<=20, 2, perc<=100, 3))) So you set your ranges with that setting, so add a 1 for min, 2 for mid and 3 for max and then in the format, decide the colours you want. ... View more

The coalesce will work it is just that if the count is 1 it could be that it only occurs in component1 or component2 and you would have to do something slightly different if you want to distinguish which set the component comes from ... View more

The stats command is counting events not occurrences of status values. You need to use mvexpand to separate out the test cases so you can count the individual status values. | spath suite.case{} output=cases | mvexpand cases | spath input=cases status output=Status | spath input=cases name output=case | spath suite.name output=suite | spath MetaData.jobname output=Job_Name | spath MetaData.buildnumber output=Build_Variant | spath MetaData.JENKINS_URL output=Jenkins_Server | stats count(eval(Status="Execution Failed" OR Status="case_Failed")) AS Failed_cases, count(eval(Status="Passed")) AS Passed_cases, count(eval(Status="Failed" OR Status="case_Error")) AS Execution_Failed_cases, dc(case) as Total_cases dc(suite) as "Total suite" by Job_Name Build_Variant Jenkins_Server ... View more

The most significant memory saving could come with doing | fields - _raw If you already have your fields parsed, there's no need to drag the whole huge raw event along. ... View more

From what you are saying and reading between the lines between the lines, I am guessing that when All is chosen, the value of the token is set to "*". When this is used in a search e.g. field=$token$, the "*" will equate to all non-null values, which is why your search is not dealing with "empty values". To get around this, you may have to change the way the token is set up and the way it is used. For example, if you change the value prefix to be <valuePrefix>field="</valuePrefix> and the value suffix to the <valueSuffix>"</valueSuffix>, then treat the choice of "All" to set an empty token, then your search can use $token$ instead of field=$token$ This is something that is easier to do in Classic/SimpleXML dashboards than Studio. ... View more

Perhaps if you can isolate the event or events which are generating the error, you might be able to determine this. However, my guess is that sometimes you end up with one or more nulls from the rex and this is what mvzip doesn't like. Doing it this way around avoids using mvzip because the mvexpand is done before the fields are split up so the association across the row is maintained and doesn't need to be rebuilt with the mvzip ... View more

@anooshac  Can you please share your full sample code? KV ... View more

| eval test_data_index=mvfind(split("bl01,bl02,bl03,0_Ref_res", ","), Test_Data) | eventstats max(test_data_index) as max_test_data_index by Identity | where test_data_index = max_test_data_index ... View more

You have not shown anything that indicates that the search has the value you are seeking on the first row of your results. Please share your search and follow @bowesmana's suggestion about which token to use to retrieve the results. ... View more

You are on the right lines with streamstats - please share some sample anonymised event for us to work with to find you a solution. ... View more

Hi @ITWhisperer , Thank you so much for the info. I referred the example mentioned above and i was able to get the answer. ... View more

@anooshac  There is 2nd part of this query. In this section based on month selection it will set earliest and latest time in  "start" and "end" token. use these token in respective search. basically these token have earliest and latest time in epoch format for selected month.  PS: I have to use separate sub search because $result.token_name$ only works for 1 entry. <search base="basesearch_time"> <query> | where Month="$month_token$" | table start end </query> <done> <set token="start">$result.start$</set> <set token="end">$result.end$</set> </done> </search>   ... View more

It is true one cannot change the labels.  That means we have to choose between having week numbers in numerical rather than calendar order or having year-week numbers in calendar order. ... View more

Hi @anooshac, You were probably really close to the solution for this - but it looks like using tokens to set the colour on tables only works before the table has loaded. The only workaround out I found was to re-run the search each time you select a new radio button. Here's a working version for you to build from. The radio buttons set the type: Both and Type A => Highlight Columns A and B Type B => Highlight Column B The table has a format for ColumnA and ColumnB that looks for the right Type in the token: <format type="color" field="ColumnB"> <colorPalette type="expression">if(match($field_to_highlight|s$,".*TypeB.*"),"#FF0000", "")</colorPalette> </format> To make the dashboard redraw with the right columns highlighted, I added this to the query: ``` $field_to_highlight$ ``` That won't do anything to the search results, but will force the search to be run again. Here is a working dashboard: <form version="1.1" theme="dark"> <label>Answers for anooshac</label> <fieldset submitButton="false"> <input type="radio" token="field_to_highlight" searchWhenChanged="true"> <label>Option</label> <choice value="TypeA__TypeB">Both</choice> <choice value="TypeA_TypeB">Type A</choice> <choice value="TypeB">Type B</choice> <default>TypeATypeB</default> </input> </fieldset> <row> <panel> <table> <title>Content</title> <search> <query>| gentimes start=-20 | eval type=if(random()%2==0,"Type A","Type B") | appendcols[|windbag] | fields starttime, endtime, sample, lang, type | rename starttime as "ColumnA", endtime as "ColumnB" | head 20 ``` $field_to_highlight$```</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <format type="color" field="ColumnA"> <colorPalette type="expression">if(match($field_to_highlight|s$,".*TypeA.*"),"#FF0000", "")</colorPalette> </format> <format type="color" field="ColumnB"> <colorPalette type="expression">if(match($field_to_highlight|s$,".*TypeB.*"),"#FF0000", "")</colorPalette> </format> </table> </panel> </row> </form>   Hopefully that's close to what you were after. ... View more

Hi @anooshac , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

OK. Assuming that: 1. You always have a drive letter at the beginning 2. You don't have "empty parts" (you don't have consecutive backslashes which are syntactically correct if you want to specify a file path but are typically not returned as a path to existing file) 3. You want to extract the part after the first four components The regex to do so would be like that: [a-zA-Z]:\\\\([^\\]+\\){4}(?<remainder>.*) The "remainder" capture group will capture the path after first four directories. Of course if you want to do it with "rex" command in Splunk, you need to escape all backslashes which makes it something like this: | rex  "[a-zA-Z]:\\\\\\\\([^\\\\]+\\\\){4}(?<remainder>.*)" ... View more

Just add any additional character groupings into the allowed character ranges, i.e. | rex field=Group max_match=0 "'(?<g>[A-Za-z_\.]+)':'" | rex field=Value max_match=0 "'(?<v>[A-Za-z_\.]+)'" ... View more

Hi @anooshac, I don't think that's possible using the Classic Dashboard interface, maybe modifying the dashboard CSS, but I'm not sure. It should be possible in Dashboard Studio. Ciao. Giuseppe ... View more

Yes with custom Javascript, you could possibly do virtually anything on the browser side. ... View more

Assuming each ID has only one status value, then the results should be the same. It depends on your data. ... View more

Thank you so much @ITWhisperer , It is working. ... View more