This is pretty much exactly how I am doing it. The issue though is, when the % is present in the table, I can't perform evaluations on the fields. When I remove the %, it works great, but it doesn't have the % visually. | stats count(tls_host) as tot_hosts, count(eval(column_a_value == "Enabled")) as colum_a_tot, count(eval(column_b_value == "Enabled")) as colum_b_tot | eval perc_col_a = round((column_a_tot / tot_hosts)*100)."%" | eval perc_col_b = round((column_b_tot / tot_hosts)*100)."%" | rename perc_col_a as "Column A" | rename perc_col_b as "Column B" | convert num(perc_col_b) fieldsummary, shows "Column A" as a string value, and "Column B" as an integer value. Column A :: [{"value": "32%", "count" 131}] Column B :: [{"value": "100","count:312}] So essentially, any operations performed in the SPL generating the statistics table defines its type. The table evaluation is performed after the data has been provided. There lays the problem. Adding the "%" will need to be done after the statistics table has been generated, or there needs to be a way to tell the dashboard treat the field as a numeric value instead of a string. ... View more

How broad is your groupBaseFilter set to? userBaseDN? what is your sizelimit set to? ... View more

Ran into this problem myself. Was able to resolve it with the following. Confirmed error and fix on 7.0.5 rpm -i splunk...rpm cd /opt/splunk chown -R splunkserviceacct ./ /opt/splunk/bin/splunk enable boot-start -user splunkserviceacct I believe this to have been occurring when splunk attempts to configure the directory as a different user ( permissions problem ). Splunk installs with account splunk, we use a service account, changed ownership to proper user and ran again, it worked. Hope this helps! ... View more

Wanted to provide some feedback on this process. We never did figure out why it wasn't working in 6.6.3, I suspect it was the way our object permissions were setup. I got this working using the exact same code in 7.0.5. I don't think this is a bug in 6.6.3, there was a lot of funky configuration going on in the environment. Sorry I can't be more specific than this with the configuration settings. But I do want to extend my appreciation to tprzelomiec for his assistance. ... View more

Thank you for the help on this! I am emailing sample data directly. For anyone reading this, I will update the solution once we find one. ... View more

Diving in, I found that Splunk is associating the lookup to the sourcetype and is showing it in the search.log. I'm not sure what this means in terms of why its not working though. $ /opt/splunk/bin/splunk cmd btool props list rfc5424_syslog --debug | grep -i lookup /opt/splunk/etc/apps/XYZ/default/props.conf LOOKUP-check = IP_Ranges ip_range AS host OUTPUT range_name Job Inspector -> search.log 08-30-2018 17:52:18.092 INFO LookupOperator - Using cidr matching for field 'ip_range' in lookup table 'IP_Ranges' 08-30-2018 17:52:18.092 INFO LookupOperator - Loading lookup table='IP_Ranges', file size=82, modtime=1535640790 ... View more

Thanks for the reply. I tried the min_matches and default_match fields; unfortunately, that is not resolving it. What is interesting though is default_match = NONE should fill the field with NONE if their is no CIDR match; but I'm not getting this nor any values back for the ip_range or range_name. This suggests the lookup in transforms.conf is not being executed at all? I appreciate the assistance! ... View more