Thanks @isoutamo  But my problem is if I use stats then that value isn't get dynamically passed to the macro.  search index = index_name source = source_name | fields + bio, _time | stats  earliest_time(_time) as eTime latest_time(_time) as lTime | eval Proj_Name = "my big project" | `my_Macro(Proj_name, eTime, lTime)` |table proj_value , proj_date In the above case the macro doesn't get invoked. However if I change something like below then the macro works and I get the desired result.  search index = index_name source = source_name | fields + bio, _time | eval eTime=6735475120.999 |eval lTime=6542213344.976 | eval Proj_Name = "my big project" | `my_Macro(Proj_name, eTime, lTime)` |table proj_value , proj_date It works with eval statement But I cannot hard-code the earliest and latest time. It has to to be dynamic based on the latest_event time and earliest event time. In the macro eTime and lTime values gets passed as earliest and latest values of a dashboard URL, and the Macro outputs that URL along with few other values. ... View more

@richgalloway It gives me search_starttime as 0 and search_endtime as+infinity.   😞 Sorry , for the confusion. But what I meant is, how do I get  the _time value for the earliest event and the _time value of my latest event of my search result. ... View more

Thanks @rrovers  Would this work if I have 4 fields . example :-  Vehicle   Grocery    Tax      Education 120           23              5           45 and to make it Vehicle  120 Grocery  23 Tax            5 Education 45 | untable Vehicle Grocery Tax Education  | XYseries Vehice Grocery TAx Education like this ? ... View more

Thanks for trying it out. I have this huge json field whose field length is easily couple thousands. Now while using stats  on it, like stats values(myHugeJsonField) by something, I see error like 'stats' command: limit for values of field 'myHugeJsonField' reached. Some values may have been truncated or ignored. Now when I use spath and break it down and then use stats values(with individual key value pair) I don't see the above 'stats' command error. IS it the 'json' format that is creating problem ?   ... View more

Thanks @niketn  for your response. I do have an extracted field called splunk_server that tells me the server name envrionment details. I was hoping to use that. OR, if I can leverage this command  <view source="all" match="error"/>  and able to use <view source=" a specific source name" ........    instead of <view source="all" ....... ... View more

Hello @jethrop  May I request you an example of this. (a pseudo code perhaps) Say if I have the value of a field "X" = "Prod"  then only show me the menu dashboard , else ignore. ... View more

Hi @whrg  - Thanks, I looked into it. It helps One question though, -> Lets say, I implemented it, and while clicking the "dashboard" in the main menu a drop-down comes up with list of other dashboards. Can I restrict the view of these dashboards based on some condition? (My condition is, if field "field_4" has value "show_dashboard_prod" then  only the dashboard drop down should come or become visible). FYI "field_4" is something that is always extracted automatically during event indexing itself. so this field will always be there? I just want to be able to use the value of this field as a condition while populating the menu-dashboard.  Thank you. ... View more

@richgalloway  If I change field="price" to field="car" , then it is changing the colour of the "car" field , not the "price" field. What I am looking is to change the colour of "price" depending on the values present in "car". ... View more

Thanks @niketn . I have to use the simpleXML way, However I am a bit confused with the solution and I could use some help in understanding. The solution is becoming something like this <format type="color" field="price"> <colorPalette type="map">{"2999":#D93F3C,"4999":#6DB7C6}</colorPalette> </format> then again it is looking at the "price" field for determining the colour of "price" cell. It ain't checking the field "car" . Based on field "car" it is supposed to change the "price" colour. Sorry If I misunderstood the simpleXML solution. ... View more

Thank you. it helped. I actually have more than 2 columns ... and Is it possible to configure so that if I click on that row (on any cell I choose), it would redirect me to the Address value ? Currently I have to click on "Address" column's cell to be able to re-direct to the page. ... View more

Team A doesn't use the data that Team B wants. Team A has set up their UF to get data from webserver that are different than Team B. The data that Team B's splunk instnce want is present in Team A's webservers, and they are thinking if they can get it using Team A's splunk UF that is already installed there. ... View more

I'm not getting the expected result. I am not getting the subtracted time. index="bayseian" source="/apps/runner/mahem/logs/sachin.out" | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds | eval serv_time = boot_time | eval epoch_time = _time | eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N") | eval sub_time = epoch_time - (boot_time/1000) | eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N") | eval sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N") | table human_time sub_time ... View more