Hi @Shan , are you using a visualization from an add-on or the standard charts? if a visualization, which one? For my knowledge, you can have the value of the chart section where the mouse is moving on but not localized in the center. Maybe if there's some visualization that I don't know. Ciao. Giuseppe ... View more

Yes, that is very odd that it just removes fields if the viz space is not big enough and certainly not intuitive! ... View more

@Shan I have the same doubt, did you get it in the end? If so, could you tell me what steps you did? Thank in advance ... View more

Hi there,   I know this post is old but maybe it will help someone else - I am using: | eval breach_date=strftime(breach_date,"%d/%m/%y")     ... View more

The gentimes searches just generate some data. This is repeated in the filter search but this is just to get find all the fields which match *_Employeestatus. These are then transposed so column has all these field names. For each field name, create a mv-field with all the values you want to match on, mvexpand this to create a row for each *_Employeestatus field crossed with each value. Then return a field for each *_Employeestatus field with the value to be searched. This becomes your search filter. | gentimes start=-1 increment=1h | rename starttime as _time | fields _time | eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | search [| gentimes start=-1 increment=1h | rename starttime as _time | fields _time | eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | stats values(*_Employeestatus) as *_Employeestatus | transpose 0 | eval status=split("exit,,relocated",",") | fields column status | mvexpand status | eval {column}=status | fields - column status] ... View more

Update: "sendemail" does not work for default users with default user-role capability. The issue was reported back to me to be solved in 8.1.3,  unfortunately it is not. ... View more

Hi All, Does anyone have idea about achieving it. Thanks ... ... View more

Hi, Based on your requirement could you please try the below. |makeresults |eval _raw= "input_field DATA_ACE_CHE_Team FdTest@Labcatr DATA_ACE_CADD_Team DATA_ACE_CAM_Team DATA_ACE DATA_ACE_CSS_Team FG_sam Check@#$values checkme Data D&*fuse Data*now" |multikv forceheader=1 |table input_field |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)" Also, could you please give expected input and output fields if this is not your requirement? ... View more

There is no one query to do that. You'll have to search all saved searches, dashboards, and eventtypes (each is a different REST call) for instances of the macro. | rest /servicesNS/-/-/saved/searches | search search="*macroName*" | rest /servicesNS/-/-/ui/views | search eai:data="*macroName*" | rest /servicesNS/-/-/saved/eventtypes| search search="*macroName*" ... View more

Hi @davidirvine - Could you please elaborate comparison? What kind of comparison you are looking for? As don't think so |set diff will work in your case. ... View more

@sarit_s I far as I know there is no app/tool to do the performance testing. Thanks ... View more

Most welcome, use the tstats when trying to access metadata and display a count by index, host or even sourcetype. Let me know if you're getting faster results with this search 🙂 ... View more

yes it worked:) thanks ... View more

So now the i have updated the query and it seems issue was due to dedup. sourcetype=xyz OR sourcetype=abc | eval Date=strftime(_time,"%d") | stats avg(cpu) as Infrastructure, avg(iowait) as Application, avg(.ram) as Database, values(Date) as Date by source.store_num | rename source.store_num as Store_Number | eval State=case(Infrastructure>90,"Severe",Application>90,"Severe",Database>90,"Severe") | stats values(Infrastructure) as Infrastructure,values(Application) as Application,values(Database) as Database, sum(eval(if(Infrastructure>90 OR Application>90 OR Database>90, Date,0))) as Total_Days, values(State) as State by Store_Number | stats if(Total_Days==0,0,count(Total_Days)) | table Store_Number,Infrastructure,Application,Database, State,Total_Days Using this is am getting all the store but the Total_Days column is adding all the dates i.e. if date is 9th and 10th June so its adding and displaying 19. ... View more

I converted the relevant comment to an answer, you should be able to accept that now 🙂 ... View more

Please check out my answer below for something much simpler. ... View more

Friends, any update on it .. ... View more

@shankarananth agree to @martin_mueller 's approach. Your 2nd row will have first <panel> with only <single> and remaining three <panels> with four <table> elements. In order to align <single> value to the center of panel you may have to use CSS override like position: relative; top: 30% !important; ... View more

@shankarananth if your issue is resolved please accept the answer to mark this question as accepted. If not please let us know what is not working as expected! ... View more

@ renjith.nair, Thank you .. It's working.. ... View more

You keep coming up with new sample patterns. You'll really need to come up with a clear definition of what you want to extract, in order for anyone to come up with a working regex. For starters: please be more clear than "its not working". What results do you get and which of those are correct and which are not? From your earlier explanations, it seemed as if you want to capture the last 'field' in the line, but apparently that is not entirely the case? If you just want to check for the presence of one of those words you now mentioned (cup_used,CUP_Used,Splunk,splunk1,working), then try this: | rex "(?<hard>cup_used|CUP_Used|Splunk|splunk1|working)" https://regex101.com/r/tFmL38/1 ... View more

@shankarananth Can you please share your sample dashboard and macro definitions? Make sure you are not sharing original index names and other details. ... View more