I'm really bad when it comes to join searches, though I've been doing this for years.  I'm able to find the list of orphaned searches using:   | rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) | sort type | eval sAMAccountName=owner | stats count by title orphaned sAMAccountName sharing type owner updated app disabled | search orphaned=1   and we have a summary index containing our LDAP users & managers for those users. Using the following search returns users and their managers:   index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) sAMAccountName=e* OR sAMAccountName=v* |table sAMAccountName displayName mail department division manager   But I haven't been able to join the two searches together to give me the manager name of the user w/ the orphan search. I've tried variations of the following:   | rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) | sort type | eval sAMAccountName=owner | stats count by title orphaned sAMAccountName sharing type owner updated app disabled | search orphaned=1 | join sAMAccountName type=outer max=0 [|search index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) | stats latest(_time) AS latest values(displayName) values(mail) values(distinguishedName) values(department) values(division) latest(userAccountControl) values(manager) by sAMAccountName | rename values(*) AS *, latest(*) AS *]   but this only comes back w/ results from the rest call.  I know I get results using the summary index search. How do I merge these?   Thanks ... View more

I know I can change the color of a .panel-title, but I haven't found the code to change the .input-label color. This works:       <panel id="panel2"> <title>title</title> <input type="text" token="commentpicker"> <label>Add any additional comments below</label> <default></default> </input> <html> <style> #panel2 .dashboard-panel .panel-title { color: #EC102B; } </style>       But this won't       <input type="multiselect" token="newenabledpicker" searchWhenChanged="false" id="input1"> <label>Modify or Disable (REQUIRED)?</label> <choice value="modify">Modify</choice> <choice value="disable">Disable</choice> <delimiter> </delimiter> </input> <html> <style> #input1 .dashboard-panel .input-label { color: #EC102B; } </style> </html>       ... View more

I'm really overthinking this, but am lost. I need to show when new correlation searches are introduced into the environment. I have a lookup with the current correlation searches, along w/ relevant data, and last time updated. How do I compare current rest call results with the lookup and show the most recently created searches? Any help would be appreciated. ... View more

We've gotten a search to work that shows the delta between the number of messages in an inbox for a period of time:   <basesearch> | bin _time span=5m | stats max(Items) AS Max by _time | delta Max as Delta | fields _time Delta | where Delta>=10   But I want to do this based on multiple inboxes, and delta is merging the inboxes together, so the values of each inbox are interfering with each other.   <basesearch multiple mailboxes> | bin _time span=5m | stats max(Items) AS Max by _time User | delta Max as Delta | fields _time Delta User   returns: _time User Max Delta 09:15 user1 103   09:15 user2 251 148 09:15 user3 17 -234 and I want the users to be treated as individual accounts, not merged with each other.  I assume I need to use streamstats for this, but so far I've been unable to work out how. ... View more

We're trying to gather a list of servers, both linux and windows that are missing specific software packages. It's easy enough to get the list of servers that has the software installed.   search software IN ("CrowdStrike")   I was hoping I could search against the software package, like   search NOT software in ("CrowdStrike")   but that still displays hosts with Crowdstrike installed, just not that particular event showing that Crowdstrike is indeed installed.  I thought of making an eval    |eval cs_win_installed=if(match(software, "CrowdStrike"),1,0)   and then searching for 0 or 1 depending on what I care about, but can I do that with all the software that I'm searching on? Running that eval for multiple pieces of software   | eval cs_lin_is_installed=if(match(software, "falcon-sensor"),1,0) | eval cs_win_is_installed=if(match(software, "CrowdStrike Windows Sensor"),1,0) | eval q_is_installed=if(match(software, "Qualys*"),1,0) | eval f_is_installed=if(match(software, "SecureConnector*"),1,0)   only returns with the event showing that 1 piece of software on the machine. Am I overthinking this? How should I go about displaying hosts with missing software? Thanks much. ... View more

Loving this viz and the Number Display viz. However, I'm having a problem getting drilldowns to work. If I set the drilldown to Link to Search, on clicking a value, it runs the basic search and selects the value clicked on. I haven't been able to create a working token to send to a search on the same dashboard. There's a setting in General / Click action : set tokens to $sunburst_viz_{field}$ and I've assigned that to a form.field_name , but on clicking the field value in the Sunburst, the search will search on the literal variable set in the token. How is the drilldown supposed to work with Sunburst and Number Display? Thank you! ... View more