It is a bit difficult to figure out what might be going on without some sample data. Please post some anonymised raw (unformatted) events in a code block using the </> format button above so we can see what you are dealing with. ... View more

This looks like it might be JSON data? If so, please post some sample data (anonymised appropriately) in raw format in a code block using the </> option, to preserve the formatting of your event. ... View more

Try something like this | untable _time msgsource count | eval group=mvindex(split(msgsource,": "),0) | eval msgsource=mvindex(split(msgsource,": "),1) | eval _time=_time.":".msgsource | xyseries _time group count | eval msgsource=mvindex(split(_time,":"),1) | eval _time=mvindex(split(_time,":"),0) | table _time msgsource total * ... View more

| foreach mode=multivalue Field2 [| eval new=if(<<ITEM>>!=Field1,mvappend(new,<<ITEM>>),new)] ... View more

Dashboard Studio is still immature when it comes to some sophisticated features that are easy to do in Classic SimpleXML dashboards. If you are already hitting the limitations of DS, you should consider reimplementing in Classic (although you will lose some of the layout options which DS provides). There is a lot of support from the community and elsewhere for using some of the sophisticated techniques available to Classic dashboards. Unfortunately, there is not an easy migration path back from DS to Classic (and to be fair, there is only a limited migration from Classic to DS), so, beyond simple dashboards, you have to make a choice between dashboard types based on which features are most important to you and which you can live without. (Probably not the answer you wanted!) ... View more

Do you have any sample logs which show the expiry date of the certificates used? ... View more

Try removing lines from th end of the search, one at a time, until the results appear, then you will know which line is causing the problem. If that doesn't work, try sharing some events from the index and the summary index to show us what you are dealing with. ... View more

Firstly, try to avoid joins they are limited and slow. Secondly, the most productive way of getting an answer to your question is to provide sample events (in raw form in a code block using the </> button) which demonstrate your issue, e.g. event which have matching event ids and events which don't. It would also be useful to know what fields you already have extracted (so we don't have duplicate any extractions you already have set up). ... View more

Please provide further detail of what you have and what you are trying to achieve ... View more

Splunk is not good at reporting on things that don't exist. To get around this, you need to provide a list (of the hosts you are interested in) and compare that to the number of event you have for each host, and then just keep those where the number of events is less than 1. This is often done using a lookup file, for example (if the hosts are "new"), or some historic data (if the hosts are "old"). ... View more

Have you considered using a summary index to hold the extracted field(s)? ... View more

Hi @RanjiRaje  Rather than trying to piggyback on someone else's issue, please start a new topic in Answers with details of your specific usecase, what you have tried so far, and the issues you are facing. ... View more

Here is an enhanced version of the dashboard which performs the actions you described (more or less). <form version="1.1" theme="light"> <label>Token-driven repetition save</label> <row> <panel> <table> <search> <query>| makeresults format=csv data="field value_1 value_2" | stats count as counter</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ &gt; 1"> <eval token="current">if($result.counter$ &gt; 0,$result.counter$,null())</eval> <set token="trace"></set> </condition> <condition> <set token="trace"></set> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table> <search> <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row> <panel> <table> <title>$current$</title> <search> <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv") | eval counter=$current$ | tail $current$ | reverse</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ &gt; 1"> <set token="spl">$result.spl$</set> <eval token="current">if($result.counter$ &gt; 1,$result.counter$-1,null())</eval> </condition> <condition> <eval token="spl">if($result.counter$ &gt; 0,$result.spl$,null())</eval> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table> <search> <query>$spl$</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <unset token="spl"></unset> </done> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> ... View more

Another way to possibility achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches. <form version="1.1" theme="light"> <label>Token-driven repetition</label> <init> <set token="trace"/> </init> <fieldset submitButton="false"> <input type="dropdown" token="limit"> <label>Loop count</label> <choice value="0">0</choice> <default>0</default> <initialValue>0</initialValue> <fieldForLabel>count</fieldForLabel> <fieldForValue>count</fieldForValue> <search> <query>| makeresults count=5 | streamstats count</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <eval token="current">if($value$&gt;0,$value$,null())</eval> <set token="trace"/> </change> </input> </fieldset> <row> <panel> <html> $trace$ </html> </panel> </row> <row> <panel> <table> <search> <query>| makeresults | fields - _time | eval counter=$current$</query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <condition match="$result.counter$ &gt; 0"> <eval token="trace">if($result.counter$&gt;0,$trace$." ".$result.counter$,$trace$)</eval> <eval token="current">$result.counter$-1</eval> </condition> <condition match="$current$=0"> <unset token="current"/> </condition> </done> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> The idea being that the input (in this case, but you could use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is a panel which essentially shows a trace to show that the search has been executed. Updated due to the way the null() function now operates with respect to unsetting tokens! ... View more

Please provide more examples of the events you are dealing with, and include your desired results, and what you are getting (and why it is not correct)? ... View more

Another thing to consider with summary indexes is idempotent updates, that is, how to avoid double counting; for example, in your instance, if you created summaries for each day in your summary index, what do you do if you get events which arrive late (for whatever reason), how do you make sure they are included in the summary without double-counting the events which have already been summarised. I did a presentation on this a couple of years ago for the B-Sides program. https://github.com/bsidessplunk/2022/blob/main/Summary%20Index%20Idempotency/Bsides%20Spl22%20Summary%20Index%20Idempotency.pptx ... View more

You can have multiple "summary" indexes - perhaps one for each "primary" index and then apply RBAC to those summary indexes as well. ... View more

What would be the expected result from your sample data? 8 events and 52044 total bags or something else? | bin span=1d TIME | stats count latest("TOTAL DAILY BAGS") as TOTAL_DAILY_BAGS by TIME | stats sum(count) as total_events sum(TOTAL_DAILY_BAGS) as total_daily_bags If your TIME field is not already the date (as shown in your sample), you may need to bin it first ... View more

It is not so much the copy paste, it is the value used for All, this needs to be "All" not "*" (similarly with the initialValue) <form version="1.1" theme="light"> <label>All handling</label> <search id="base_search"> <query>| makeresults format=csv data="categories A B C" | table categories</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fieldset submitButton="false"> <input type="multiselect" token="categories"> <label>Categories</label> <choice value="All">All</choice> <default>All</default> <initialValue>All</initialValue> <fieldForLabel>categories</fieldForLabel> <fieldForValue>categories</fieldForValue> <search base="base_search"> <query> |stats count by categories </query> </search> <valuePrefix>testCategories="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> AND </delimiter> <change> <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval> <eval token="categories_choice">if('form.categories'=="All","categories=\"*\"",'categories')</eval> </change> </input> </fieldset> <row> <panel> <html> Categories: $categories_choice$ </html> </panel> </row> </form> ... View more

You don't have any specific drilldown action configured which means you will just get a basic search. If you want something more tailored, you should define a panel or other dashboard with the search that you want executed when the drilldown is triggered, and then configure the drilldown to activate this panel. ... View more

Please provide the raw event (not the formatted version e.g. {"AdditionalData": { "buildId":291, ... View more

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option). ... View more