On ES there will also be a ton of automatic lookups. If you look at the search.log you will see lines like CsvDataProvider [2092202 searchOrchestrator] - Reading schema for lookup table= how many of each do you have in each environment. That can change what fields you will see and it certainly can affect performance significantly.  You can see the effect of this behaviour if you upload a private app that has an import = search statement in default.meta and then run your search in that uploaded app's context. The undocumented import statement appears to override which apps are evaluated to give the app its runtime context, so by removing all other apps, you will not get any of the field extractions provided by those TAs or any of the lookups. I have an existing site where I have an app that has an import statement and the searches run several times faster in that app's context compared to any other. ... View more

This is posted in AppDynamics, so probably not SPL  ... View more

@verbal_666 there is a built in way directly in the XML without using CSS to hide those buttons from panels <option name="link.inspectSearch.visible">false</option> I use a token in that and set the token from a config file so I can turn on or off simply.  See the docs here. https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/simple-xml-dashboards/10.0/simple-xml-reference/simple-xml-reference#search-inspect-refresh-and-export-options-0   ... View more

As Rich says, take a look at the monitoring console, search and resource usage tabs to see if that gives any insight. If it does appear to be search related you can start with this search in the audit log to see what searches may be a problem index=_audit host="*" sourcetype=audittrail action=search (info=completed OR info=canceled) | eval user = if(user="n/a", null(), user) | eval search_window=round(search_lt-search_et) | foreach search_lt search_et [ eval <<FIELD>>=strftime(<<FIELD>>, "%F %T") ] | table provenance total_run_time scan_count event_count result_count search_et search_lt search_window savedsearch_name app user | sort - total_run_time This shows run_time, scan_count (an indicator of a heavy search) and other key fields. You can add the "search" field to the table command to show the raw search, but it doesn't always extract the field well for complex searches, but once you find culprits you can dig deeper ... View more

There are many ways to achieve this with streamstats, but my example goes with sorting in ascending time and calculating duration in the streamstats. See this example which creates 10 dummy logon/off events for a single user/host (SPL can demo up to 4 by changing the 'random() mod value from 1 to 4 in user/host eval) | makeresults count=10 | eval EventType=mvindex(split("Logon,Logoff", ","), random() % 2) | eval TargetUserName="USER".mvindex(split("ABCD", ""), random() % 1) | eval host="HOST".mvindex(split("ABCD", ""), random() % 1) | eval _time=_time - random() % 3600 | fields EventType Target* host _time | sort 0 TargetUserName host _time | streamstats range(_time) as SessionDurationSec reset_after="("EventType=\"Logoff\"")" by TargetUserName host | streamstats count(eval(SessionDurationSec=0)) as session by TargetUserName host | eval SessionStart=if(EventType="Logoff", _time - SessionDurationSec, null()) ``` Change this to stats to collapse data ``` | eventstats max(SessionDurationSec) as SessionDurationSec min(SessionStart) as SessionStart count(eval(EventType="Logon")) as LogonCount min(eval(if(EventType="Logon", _time, null()))) as firstLogOn max(eval(if(EventType="Logoff", _time, null()))) as lastLogOff by TargetUserName host session | eval SessionDuration = if(SessionDurationSec=0,"N/A", tostring(SessionDurationSec,"duration")) | eval IsOpenSession = if(isnull(lastLogOff), 1, 0) | eval Notes = case( IsOpenSession=1, "Open session: No logoff found after this logon", isnull(firstLogOn), "No prior login state found in search window", 1==1, "") | foreach SessionStart firstLogOn lastLogOff [ eval <<FIELD>>=if(isnull(<<FIELD>>),null(), strftime(<<FIELD>>,"%F %T")) ] ```| table EventType TargetUserName host firstLogOn lastLogOff SessionStart SessionEnd SessionDuration LogonCount LogoffCount IsOpenSession Notes``` I've used an eventstats rather than stats so you can see the effect of the decisions made in the SPL, but you can change that to stats to get rid of the unwanted events. The example ignores multiple logoff events and treats a logoff with no prior login (since a previous logoff) as a 0 length session. Hope this helps   ... View more

I have used a technique which can work, depending on data volumes and cardinality. Using append to collect both datasets together, then you can use  | eventstats values(cs_title) as titles | eval titles=if(isnotnull(cs_title), null(), titles) which will collect ALL titles in q1 into every event from q2 - it collects every title to every event then drops the field from q1 events. What this is doing it to push all titles into a field for all q2 events which can then be matched against, a bit like a dynamic runtime lookup.  and then you can follow that with a match, e.g. | eval matching_title=mvmap(titles, if(match(description, "(?i)".titles), titles, null())) | fields - titles which will set a new field matching_title which will be non-null if a match can be found - NB- it will do case insensitive match. This can use a lot of memory if you have lots of titles, but works. Note that there are some other optimisations you should do in your Q1 - ALWAYS limit the fields you want in the expanded events before using mvexpand. Particulary, make sure you exclude _raw as _raw JSON is generally always unnecessary and will be duplicated for every expanded event. You should not need to use mvsort on a field that has come from stats values(), as the output from values is always sorted. ... View more

See here https://help.splunk.com/en/splunk-cloud-platform/manage-knowledge-objects/splunk-app-for-lookup-file-editing/4.0/release-notes/known-issues Seems like there's a known bug Date filed Issue number Description 2025-03-18 LOOKUP-304 Unable to Update KV Store Lookups in Splunk App for Lookup File Editor (v4.0.5)   ... View more

See this statement in the 3rd panel search | search cluster=$tokCluster|s$ it does the filtering and the token setting will set that to the clicked cluster - I will edit the original XML in my post  ... View more

You can't reference a base search from another search like that, but why don't you just calculate the latest time in the base search at the beginning with | eventstats max(_time) as last_ZP_Def by ocp fr el then you will have that field available to every event, then your stats command in your chained search can use that field. I'm not sure why you have the base search, because you are using based searches not in the way intended, i.e. you don't have a transforming search in your base search and you don't specify a fields statement either, so you are simply collecting raw events, so that is quite possibly going to make the dashboard slower, particularly if you have a large dataset. You should at least be doing this (I added the max time calc from above) | fields ocp fr el d_id last_ZP_Def See this https://help.splunk.com/en/splunk-enterprise/create-dashboards-and-reports/dashboard-studio/9.1/use-data-sources/chain-searches-together-with-a-base-search-and-chain-searches Note also that doing an eventstats on raw data can be expensive. ... View more

@SN1 Are you on Splunk Cloud or on Prem? What is the script you are using - is it written by you or someone else. If you edit source, what is the script you are using (see the first line of the dashboard XML script="..." As the others say, check developer tools console to see if any errors occur.   ... View more

@uagraw01 your dashboard code is odd - you don't have a version="1.1" in the <form> element and you have a time picker that is not used because you are hard coding the earliest and latest times in the search. Also, your search is the same in all 3 panels, apart from the final line, so I have moved that out to a single hidden search that is a base search and it is used by all of the 3 panels searches. So, if I understand correctly, you click on the first Faults counter and it closes panel 3 and opens panel 2 where you see the count by cluster - if you click on a cluster it opens panel 3 and shows the cluster details for the clicked cluster name. I have updated your search to do the drilldown based on that. If you want panel 3 to show when you first click the total Faults box, then remove this from the first panel drilldown. <unset token="tokShowCells"></unset> (BTW: is that count(Faults) as Faults correct - should it be sum(Faults)?)    <form version="1.1" stylesheet="common:vanderlande.css, customer_reports=mordc.css" theme="dark"> <label>Daily Performance Dashboard ( Services )</label> <init> <!-- Ensure details are hidden until user clicks the first panel --> <unset token="tokShowDetails"></unset> <set token="tokCluster">*</set> </init> <fieldset submitButton="true"> <input type="time" token="time" searchWhenChanged="false"> <label>Time Selector</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <table depends="$hidden$"> <search id="base_data_search"> <query>(index=si_error source=scada (error_status=CAME_IN OR error_status=WENT_OUT) (_time=Null OR NOT virtual)) earliest=-30d latest=now | fields area zone equipment isc_id error error_status start_time | eval _time=coalesce(start_time, _time) | search error_status=CAME_IN | lookup isc id AS isc_id OUTPUTNEW statistical_subject mark_code | lookup new_ctcl_21_07.csv JoinedAttempt1 AS statistical_subject mis_address AS error OUTPUTNEW description operational_rate technical_rate alarm_severity | lookup internal_cell_cluster.csv isc_id AS isc_id OUTPUTNEW cell cluster | lookup mordc_Av_full_assets.csv Area AS area Zone AS zone Section AS equipment OUTPUT TopoID | lookup mordc_topo ID AS TopoID OUTPUT Description AS Area | where Area="Depalletizing, Decanting" AND technical_rate&gt;0 AND operational_rate&gt;0 AND isnotnull(alarm_severity) AND isnotnull(mark_code) | dedup isc_id error _time | stats count AS scada_count BY cell cluster | eval dda_count = [ search index=internal_statistics_1h earliest=-30d latest=now [ | inputlookup internal_statistics | where report="Throughput" AND level="step" AND measurement="Case" AND (step="Defoil and decanting" OR step="Defoil and depalletising") | fields id | rename id AS statistic_id ] | eval value=coalesce(value, sum_value) | stats sum(value) AS dda_count | return $dda_count ] | eval Faults = (scada_count/dda_count)*1000 | table cell cluster Faults | sort cell cluster </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> </table> <single> <title>Depalletising, Decanting Faults per thousand cases ( Overall )</title> <search base="base_data_search"> <query>| chart count(Faults) as Faults</query> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x53a051","0xf8be34","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">large</option> <option name="useColors">1</option> <drilldown> <set token="tokShowCluster">1</set> <unset token="tokShowCells"></unset> <set token="tokCluster">*</set> </drilldown> </single> <single depends="$tokShowCluster$"> <title>Depalletising, Decanting Faults per thousand cases ( Cluster )</title> <search base="base_data_search"> <query>| chart count(Faults) as Faults BY cluster</query> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">medium</option> <option name="trellis.splitBy">cluster</option> <option name="useColors">1</option> <!-- Click a cluster tile --> <drilldown> <set token="tokShowCells">1</set> <set token="tokCluster">$trellis.value$</set> </drilldown> </single> </panel> <panel> <single depends="$tokShowCells$"> <title>Depalletising, Decanting Faults per thousand cases ( Per Cell )</title> <search base="base_data_search"> <query> | search cluster=$tokCluster|s$ | chart count(Faults) as Faults BY cell</query> </search> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="rangeColors">["0xf1813f","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[1,30,70,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="useColors">1</option> </single> </panel> </row> </form>   ... View more

The use of variables does not work everywhere, but you can achieve this with a subsearch. If you wrap the eval statement as a subsearch to the lookup command it will work, i.e. | lookup [ | makeresults | eval list2=case(like(llist, "%option1%"), "list_number_1", like(risklist, "%option2%"), "list_number_2") | return $list2 ] Name as value ... View more

What sort of chart do you mean - this is an example of a column and line chart, the column with the legend on the right, as you can see it has an arrow to scroll to the non-visible items and if the legend is at the bottom it shows all 26 items just by compressing the chart height. Where are you seeing it not shown?   ... View more

You can do it like this example - I have simulated your data - the final panel is the filtered one. Hope this helps <form version="1.1" theme="light"> <label>Demo2</label> <fieldset submitButton="false"> <input type="dropdown" token="cluster" searchWhenChanged="true"> <label>Cluster</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>cluster</fieldForLabel> <fieldForValue>cluster</fieldForValue> <search base="data"> <query>| stats count by cluster</query> </search> </input> </fieldset> <row> <panel> <table> <search id="data"> <query>| makeresults | fields - _time | eval data=split("GTP:2:8,North:7:10,South:7:1", ",") | mvexpand data | rex field=data "(?&lt;cluster&gt;\w+):(?&lt;num&gt;\d+):(?&lt;start&gt;\d+)" | eval cell=mvrange(start, start+num, 1) | fields cluster cell | mvexpand cell | stats count by cluster cell</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="drilldown">none</option> </table> </panel> <panel> <single> <search base="data"> <query> | stats count by cluster </query> </search> <option name="drilldown">all</option> <option name="colorMode">block</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="trellis.enabled">1</option> <option name="trellis.size">medium</option> <option name="useColors">1</option> <drilldown> <set token="cluster">$trellis.value$</set> <set token="form.cluster">$trellis.value$</set> </drilldown> </single> </panel> <panel> <single> <title>Showing cells for cluster $cluster$</title> <search base="data"> <query> | search cluster=$cluster$ | stats sum(count) as count by cell </query> </search> <option name="colorMode">block</option> <option name="rangeColors">["0xf1813f","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,100]</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">1</option> <option name="trellis.size">small</option> <option name="useColors">1</option> </single> </panel> </row> </form>   ... View more

Maybe you missed the point in his posting that click.value does NOT work with that visualisation... ... View more

Use $row.src$ instead of $click.value$. You can see that $row.src$ is set, as well as click.name and click.name2 The documentation in the details tab does talk about using $row.xxx$ https://splunkbase.splunk.com/app/4611 <dashboard version="1.1" theme="light"> <label>3dGraph</label> <row> <panel> <viz type="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz"> <search base="base"> <query/> </search> <option name="drilldown">all</option> <option name="height">650</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.bgColor">#000011</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.cameraController">trackball</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.dagMode">null</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.enable3D">0</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.lkColor">#ffffff</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.ndColor">#EDCBB1</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.showAnimationBar">0</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.showLinkArrows">0</option> <option name="splunk-3D-graph-network-topology-viz.3d_graph_network_topology_viz.showNodeLabels">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <drilldown> <set token="click_dest">$row.dest$</set> <set token="click_src">$row.src$</set> <set token="click_CV">$click.value$</set> <set token="click_CN">$click.name$</set> <set token="click_CV2">$click.value2$</set> <set token="click_CN2">$click.name2$</set> </drilldown> </viz> </panel> <panel> <html> <h1>Tokens</h1> <ul> <li>src=$click_src$</li> <li>Dest = $click_dest$</li> <li>CV = $click_CV$</li> <li>CN = $click_CN$</li> <li>CV2 = $click_CV2$</li> <li>CN2 = $click_CN2$</li> </ul> </html> <table> <search id="base"> <query>| makeresults count=100 | eval nodes=split("ABCDDEFGHIJ","") | eval src=mvindex(nodes, random() % mvcount(nodes)) | eval dest=mvindex(mvmap(nodes, if(nodes=src, null(), nodes)), random() % (mvcount(nodes) - 1)) | stats count by src dest </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> </row> </dashboard>     ... View more

Just use a couple of stats, first count the user numbers then create a new field with the user and count then re-stats with the values, e.g. | makeresults format=csv data="_time,user,src_ip 2025-08-11,ronald,192.168.2.5 2025-08-11,jasmine,192.168.2.5 2025-08-11,tim,192.168.2.6 2025-08-11,ronald,192.168.2.5" ``` Like this ``` | stats count by user src_ip | eval user_count=user.":".count | stats values(user*) as values_user* by src_ip ... View more

@SN1  There is some other stuff going on in your search that is odd - 3 times the same lookup and the renaming of code and CC is unnecessary. You can distill this down and optimise it by doing the stats latest early in the piece instead of dedup, which is not a command that should be used unless it's really needed, then doing the remainder of rex/eval/lookup tasks on the small subset of data.  Your device type search should be done up top - The other searches are looking at latest state so are in the right place. But even this example doesn't deal with your "Company Code" field, which you've used OUTPUTNEW for, but then do not use, so you can probably junk the coalesce there, but without knowing your data, it's hard to say... index=endpoint_defender source="AdvancedHunting-DeviceInfo" DeviceType IN ("Workstation","Server") ``` These are the fields you want ``` | fields DeviceType DeviceName SensorHealthState Timestamp DeviceDynamicTags ``` So get the latest of each field for the device ``` | stats latest(*) as * by DeviceName ``` Extract the fields you want ``` | rex field=DeviceDynamicTags "\"(?<CC>(?!/LINUX)[A-Z]+)\"" | rex field=Timestamp "(?<timeval>\d{4}-\d{2}-\d{2})" | rex field=DeviceName "^(?<Hostname>[^.]+)" ``` Only a single lookup is needed ``` | lookup lkp-GlobalIpRange.csv 3-Letter-Code as CC OUTPUT "Company Code" as 4LetCode Region ``` Your use of OUTPUTNEW is handled this way ``` | eval "Company Code"=coalesce('Company Code', 4LetCode) | eval Region=mvindex('Region',0) , "4LetCode"=mvindex('4LetCode',0) | search DeviceName="bie-n1690.emea.duerr.int" | search SensorHealthState = "active" OR SensorHealthState = "Inactive" OR SensorHealthState = "Misconfigured" OR SensorHealthState = "Impaired communications" OR SensorHealthState = "No sensor data" | table Hostname CC 4LetCode DeviceName timeval Region SensorHealthState   ... View more

The old Splunk dashboard examples app https://classic.splunkbase.splunk.com/app/1603/ which although no longer supported, can be downloaded and you can get an idea of how to write some extensions that would, for example, give you a tooltip on hover over the URL, depending on your level of css/javascript skills.   ... View more

If the solution works, please mark it as a solution, so others can benefit.   ... View more

Are you saying if you run that second search in a different app context, the behaviour is different. Note that your SPL logic to do stats earliest(_time) as min_time will not tell you the actual search range, just the time of the earliest event it found. Try the SPL  ... | stats min(_time) as min_time max(_time) as max_time by index | convert ctime(min_time) ctime(max_time) | addinfo The addinfo command will show you the actual search range used by the search irrespective of any events found. ... View more