When using stats, rather than using values, use list for each field instead: | stats list(FirstName), list(LastName) by Loc ... View more

@mgranger1 it didn't work because the specific element needed to be used.  I started by clicking on the Select an element in the page to inspect it DevTool (F12) feature and clicked on a _time value.  For this example, the element was .table-drilldown>tbody>tr>td:hover { (*Hint* Highlight the field, once the desired hover element appears, right click the field, highlight the element reference, and you'll be able to copy it before disappearing).  Hover color To get it to work, I didn't include the whole reference, but only entered td:hover { (notice #test was added and will be explained below).  Hover color overwritten You would redo the process for the highlighted element to change the cursor. Highlight cursor Here is what both changes looked like after editing the XML (notice the cursor highlighted on the right): Highlight cursor overwritten The text color was changed to black, and the cursor was set to text.  Now that you've seen the element style changes, let's take a look at the code.  First I should mention adding a panel ID to prevent unwanted changes to the dashboard.  Then use this ID along with the mentioned element above, so under <row><panel><html depends="$hiddenForCSS$"><style> I added #test td:hover {.  After that, I added the desired style changes color: #000 and  cursor: text.  To make sure these modifications would take effect, at the end I added !important; to each of the lines.  Finally, I ended the section with } </style></html></panel></row>. XML Code ... View more

For each visualization (table, chart, single, etc.), you'll need to add that code. ... View more

To get it to work, I had to add an unset condition along with a set conditional so that when it did find events, the table would appear:     <table depends="$show_panel$"> <search> <query></query> <progress> <condition match="'job.resultCount'==0"> <unset token="show_panel">true</unset> </condition> <condition> <set token="show_panel"></set> </condition> </progress> </search> </table>     ... View more

Thanks for reminding me that Sed can do this, but was originally curious about the eval way. ... View more

Here's a snippet of what I captured and used for the code: Here's a screenshot of what it looks like before and after: ... View more

You only see the hover code if you place the mouse above the desired field and don't click on it. I had to use the screenshot key to capture the code. Here's another example: <dashboard theme="dark"> <label>Test</label> <row> <panel> <title>Test</title> <table> <search> <query>sourcetype="WinEventLog:Security" | table _time ComputerName Account_Name EventCode</query> <earliest>0</earliest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">all</option> <drilldown> <!--Disables the click function for the defined field, which directs to the search results--> <condition field="ComputerName"></condition> </drilldown> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> <panel> /* Add a dependency so that it won't be displayed in the dashboard */ <html depends="$hiddenForCSS$"> <style> td.string.highlighted:hover { /* Change from blue (#006ea) to black */ color: #000 !important; /* Remove underline effect whenever mouse hovers above field */ text-decoration: none !important; /* Change cursor effect from pointer to text */ cursor: text !important; } </style> </html> </panel> </row> </dashboard> ... View more

Sorry replying to an old post. Use the following: <table> <search> <query></query> </search> <option name="drilldown">all</option> <drilldown> <!--Disables the action that brings up the search results for the whole table--> <condition value="unused"></condition> </drilldown> </table> Now you can define specific click functions without worrying about the default action. Just make sure that you place any other conditions above this one. ... View more

First use the answer above to disable a column's field: <table> <search> <query></query> </search> <option name="drilldown">all</option> <drilldown> <!--Disables the click function for the defined field, which directs to the search results--> <condition field="<column_name>"></condition> </drilldown> </table> Then use HTML/CSS code to remove the style. Before modifying the style within the SimpleXML editor for the dashboard (Edit > Edit Source XML): 1. Disable the field by using the example above. 2. Right click on a disabled field value. 3. Click on Inspect/Inspect Element (this should bring up the style for that field) and this should open up Developer Tools. 4. Click on the field that you are inspecting and this should bring up the CSS code that needs to be modified (if you didn't disable the field in step 1, you may be redirected to the search results). 5. Under Rules/Styles you should see something similar to (notice the word hover😞 .element1 .element2:hover { color: #3863a0; text-decoration: underline; cursor: pointer; } 6. Note the elements that are listed because you are going to use them. 7. Add HTML/CSS code to remove the style using the information from step 6. Here's an example to remove the links for time from a list display table: <panel> /* Add a dependency so that it won't be displayed in the dashboard */ <html depends="$hiddenForCSS$"> <style> .shared-eventsviewer .formated-time:hover { /* Change from blue (#3863a0) to black */ color: #000 !important; /* Remove underline effect whenever mouse hovers above field */ text-decoration: none !important; /* Change cursor effect from pointer to text */ cursor: text !important; } </style> </html> </panel> View this answer for making a global change that'll affect every dashboard: https://answers.splunk.com/answers/330361/how-to-apply-custom-css-to-a-dashboard.html ... View more

Definitely better to define things that can't be controlled directly without accessing the backend. ... View more

Thanks for the help @jeffland ... View more

Thanks for the explanation! ... View more

I accepted your answer because there was no way to get my solution to work without the URLs being encoded. I hard-coded a table for the click functions and created a user definable post search panel below that. That way, users can still view the raw events, have click functions, and still have the option for running stats, creating a table, etc. Why is there a period between "ipinfo.io/" and $click.value2$? Also, why does the second click.value2 have no dollar signs, but quotes? ... View more

Thanks for the solution, but users would mostly view the events without adding tables or regex. I could hard code a solution, but the focus is more towards quick views. It's supposed to be a threat hunting panel to identify malicious events and pivot to other surrounding events that are related. I'm just adding features to help automate the process. Also, I'm using Splunk 6.3.1, so $token|n$ would not work. Finally, I currently don't have permissions to add JavaScript. ... View more

You can easily assign different targets to a single event if there are tokenized fields to work off of. This niche case seems harder because it requires assigning different click.value2 targets to raw events with undefined fields. It didn't matter if there were other conditions to follow. The target would always direct to the first link associated with the click.value2 based on previous trials. Maybe you can answer a semi-related question. Why does a query that was assigned through a text input process searches differently than actually running it within the search app? While searching through the search app, there are default fields that could be used as targets, but they are missing when trying to query off a text input. ... View more

The solution I posted below has sample raw data, but it didn't use regex. An event can have values for both VirusTotal and IPInfo. ... View more

I was able to get around this by creating an input that set a token based on conditional values. <input type="dropdown" token="url" searchWhenChanged="false"> <label>Select URL Direction</label> <choice value="hash">VirusTotal</choice> <choice value="ip">IPInfo</choice> <default>hash</default> <change> <condition value="hash"> <set token="url">virustotal.com/en/search/?query=</set> </condition> <condition value="ip"> <set token="url">ipinfo.io/</set> </condition> </change> </input> The input aided in changing the drilldown link, but had to prefix it with https:// or else Splunk would throw an error. <drilldown target="blank"> <condition> <set token="test">$url|u$$click.value2$</set> <link>https://$test|u$</link> </condition> </drilldown> This solution works, but the links get URL encoded. Tried adding < ! [ CDATA [ ] ] > and using the token filter $token_name|u$, but neither worked. The anonymized sample data looks like this: 5/23/18 7:39:58.966 AM 1306043181.135030 JcL2rzS48o0Wmb08a 10.000.31.45 16.001.57.000 QNAswt1Y3tPbDg4X0 HTTP 0 MD5,YIR0 text/html - 0.000000 T F 303 303 0 0 F - 26101e1x451k0p1o19nrd0l2500321uc z66444o02e12h53235r25j1u6xmzz028230cb062 - - - - 5/23/18 7:39:58.965 AM 1306043181.454101 QNAswt1Y3tPbDg4X0 16.001.57.000 08750 10.000.31.45 70 1 GET 52.001.121.00 / - 1.1 TxmYQJ/7.41.0 aundrea/7.11.0 HscAWU/3.4.10 dong/1.2.8 lavera/1.31 marilee/2.3 0 303 404 Not Found - - (empty) - - - - - - JcL2rzS48o0Wmb08a - text/html 5/23/18 7:39:58.615 AM 1306043181.404021 Eo20Hm2gm0xW6uFKZe 16.001.57.000 16450 10.000.31.45 70 1 HEAD 52.001.121.00 / - 1.1 TxmYQJ/7.41.0 aundrea/7.11.0 HscAWU/3.4.10 dong/1.2.8 lavera/1.31 marilee/2.3 0 0 404 Not Found - - (empty) - - - - - - - - - VirusTotal's click.value2 would consume the hash 26101e1x451k0p1o19nrd0l2500321uc and direct to https://virustotal.com%252fen%252fsearch%252f%253fquery%253d26101e1x451k0p1o19nrd0l2500321uc/ rather than virustotal.com/en/search/?query=26101e1x451k0p1o19nrd0l2500321uc IPInfo's click.value2 would ingest the external IP address 52.001.121.00 and direct to https://ipinfo.io%252f52.001.121.00/ rather than ipinfo.io/52.001.121.00 If I can fix the URL encoding issue, then I would also add a click.value2 for URLs. It would direct to another link I had in mind. ... View more

I have a post processing text input so that users can create tables, but they will probably want a quick view of the raw events. I already created a dashboard with tables of our most used indices. I may share them with this dashboard, but I'm trying to keep this one more focused. Unfortunately, I don't have access to add JavaScript. If only we could use JS within the XML. ... View more

I think you meant chown, but setting permissions for /IndexedData worked for me. ... View more

I was able to install Splunk through WSL several times successfully. The last installation yielded a similar error. If you receive an "unusable filesystem" error or similar, try the following: $ echo -e "\nOPTIMISTIC_ABOUT_FILE_LOCKING = 1" >> /opt/splunk/etc/splunk-launch.conf" This answer was from @naisanza and had the following warning: Proceed with caution, and at your own risk. Irrevocable data loss can still occur. We have already had one report in this thread of problems that have occurred after enabling this setting. ... View more

Good to know thanks again for the knowledge. ... View more

Thanks for the update! I would've thought the wildcard would've covered all the bases. ... View more

Thanks for the solution! Since I had _time as part of the table, I had to add an eval statement to wipe its value. The suggested code wiped all of the fields except _time for some reason. I used the following code: <search> | appendpipe [| head 1 | foreach * [eval <<FIELD>>=""] | eval _time=""] | append [<search>] This allowed me to separate results for the initial search from the appended search. ... View more