It is not clear what you are trying to do with your sub-search. Please clarify in non-SPL terms, what it is that you are trying to achieve. ... View more

Yes you can use tokens from a dropdown as you suggested to limit the indexes searched. ... View more

Index access is controlled by role so if your separate groups of users as assigned different roles, with each role only able to access the indexes associated with their app then they can use a common search which list all the indexes and they will each only be able to see the data from the indexes they have access to. ... View more

Assuming your events follow the pattern shown, you could try something like this | rex "[^\|]+\|(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\|" | streamstats count(time) as eventnumber | stats values(time) as time list(_raw) as event by eventnumber | eval _time=strptime(time,"%F %T.%4N") This will also reset the _time timestamp to the same as found in the event data ... View more

Are these separate events? Do you already have any fields extracted? Please share your raw event data in code blocks using the </> button above to preserve formatting in the event. ... View more

The events will have a value for _time. If you sort by this, are these events in the order you showed? Your events which do have timestamps in the event seem to have the same timestamp for the events either side of the events without timestamps. Is this always the case? For the events without timestamps, is each line in a different event of multiple events? Please provide more detail so we can see what needs to be done and work out a solution for you. ... View more

And here it is working Please share your search and dashboard source (preferably in a code block </>) to see if there is something else going on ... View more

It depends on what you  mean by "network traffic". If you can define the events, you could look at the eventgen tool to create your own data sets. Alternatively, if it is web traffic (which comes from a network), you could look at the tutorial dataset. ... View more

Another possible way is to use a refreshing search to set up some tokens and use the depends attribute on the panels the display them in turn. ... View more

Assuming you mean you have used a cron schedule for your alert, this means it will execute on that schedule, you just need to configure the alert to trigger when it finds a result worth reporting. This is up to you to decide how to construct your search so that it only triggers when something interesting has happened. ... View more

Everybody's "best" time is likely to be different depending on their needs, tolerances, reaction time, email infrastructure, network capacity, etc., etc.  The more frequently you check, the more load you put on your system which will impact other services and users. You probably should discuss with your stakeholders what would be the maximum time between an event happening and someone being notified about it. Then you have to factor in, how long does it take to get the event into Splunk, how long does it take to get the email out, how long does it take for someone to notice that an email has arrived, how long does it take for them to get into Splunk or reporting system to see the event, etc. Once you have some of these answers, pick a schedule that comes close without overloading your systems and try it out, and be prepared to tweak it. To be honest, it will probably never be right for everyone, but you will probably have to make some compromises. ... View more

What is your search/SPL for this? ... View more

Make sure that you reopen the modified dashboard in a new tab/window otherwise existing token values may get carried forward ... View more

You seem to have removed the parsing of the slot - also, try using epoch times and not converting them to strings (as this is unnecessary) index="index1" | search "slot" | rex field=msg "VF\s+slot\s+(?<slot_number>\d+)" | rex field=msg "(?<action>added|removed)" | eval added_epoch=if(action="added",_time,null()) | eval removed_epoch=if(action="removed",_time,null()) | sort 0 _time | streamstats max(added_epoch) as added_epoch latest(removed_epoch) as removed_epoch by host, slot_number | eval downtime=if(isnotnull(added_epoch) AND isnotnull(removed_epoch), removed_epoch - added_epoch, 0)   ... View more

Change your default value to be the value not the label "defaultValue": "*", ... View more

Asterisks are wild cards - are you really using wildcards or are you just obfuscating your search for the purposes of posting here? It would also be very helpful if you could share some sample raw events, anonymised appropriately; please share them in a code block using the </> button to create an area to place them in so that formatting is preserved ... View more

What have you tried so far? ... View more

Generally speaking, Splunk is not good at reporting on something that doesn't exist, so if a transaction in not in ABC nor in XYZ, then Splunk doesn't know about it so can't report that it is missing from both - unless you have a list of transactions from somewhere else. ... View more

This is your data - you should understand what you are working with or find someone in your organisation who does! ... View more

Try something like this (assuming JSESSIONID and severity are already extracted) | timechart dc(JSESSIONID) by severity ... View more

Try something along these lines (I have used _internal/splunkd but you can easily modify it to your requirements) index=_internal sourcetype=splunkd earliest=@d-7d latest=now | bin span=1d _time | stats count by _time component | eventstats sum(count) as total by component | where _time = relative_time(now(), "@d") | eval 7day_average=(total - count) / 7 ... View more