There was a competition recently encouraging people to submit Dashboard designs, showcasing creativity and complex interactions, only it had to be in Dashboard Studio. I tried "porting" my favourite, most interactive dashboard from SimpleXML to Studio, but I was unable to find a way to replicate everything I had done with SimpleXML in Studio. Perhaps I didn't try hard enough; the prize was a .conf pass,, but since I am unable to make it this year, there wasn't so much of an incentive, and I have been busy with other stuff (puzzles in Slack, questions for BORE and SPLing Bee, etc.)! 😎 ... View more

From a personal point of view, SimpleXML is preferred over Studio. Conditional handling is one aspect which Studio does not have which SimpleXML does. I find that token handling in general is still better in SimpleXML. There are also other handlers which are easier to do in SimpleXML, and there is better support for CSS and javascript in SimpleXML. Also, Studio is still being developed so you may find you need to upgrade to the latest version to get some features that you need, whereas they are already in SimpleXML. ... View more

Dashboard Studio is under active development. Do you have another version of Splunk available to you that you could upgrade or downgrade to? It could be that you have discovered a bug. If so, you should contact your support team. Alternatively, switch to Classic which is much more stable. ... View more

You should probably sort that out first. If your search is as simple as you have shown, I can't see any reason why you would get that error. If not, please provide more detail on your actual search which is generating this error. ... View more

If Classic is an option for you, then, yes! It is better at handling tokens, etc. ... View more

The only way I can get this to fail in a manner similar to what you have shown is to use a field name that does not exist in the table results, but this doesn't appear to be the case in your example. Please check that the field names used match completely, bearing in mind that field names are case-sensitive. ... View more

Try using a token filter to ensure that the value is compatible with URL formats "url": "https://google.fr?q=$row.correlationId.value|u$",   ... View more

What have you tried so far? ... View more

That's a shame - worth a try though 😎 ... View more

In the GUI, under messages ... View more

Have you tried this, then upgrade in-situ to 9.2.12? (You might get new version available in the 9.2.1 environment which might get you the links you need.) ... View more

9.2.1 is splunk-9.2.1-78803f08aabb if that helps ... View more

Make the updating search "dependent" on a token which is then unset in the done handler of the search. To make the execution of the search "dependent" rather than just the display of the table, either include an assignment (eval) to a dummy field which you can remove with the fields command, or include the token in a comment (Thanks to @bowesmana for the suggestion here). ... View more

It may depend on which version of Splunk you are running. I recreated your dashboard and added some trace functionality and it appears that the searches are being executed multiple times, which will make it appear slow. However, looking at the source, it is not immediately obvious to me why the searches are running so many times. It may be due to so many references to the base search, but I could be wrong. Rather than using a base search, you could try saving the $job.sid$ in a token, and then use loadjob to retrieve the results. This does have the possibility that the loadjob fails if the results have expired, or are on a different search head in a cluster. This would just mean that the dashboard needs to be reloaded, or you could add some sort of refresh button. ... View more

(By the way, I have renamed your post as it looks like there was a typo and you meant "slow" not "low".) I am assuming (since you mentioned XML), that you are using Classic dashboards, not Dashboard Studio? Given this assumption, it is likely that you have a lot of tokens being used in various searches. These searches will execute whenever a dependent token is changed. Without careful management of these token updates, you may find (and are probably experiencing) that searches run multiple times even when you thought they would only execute once. It is very difficult to advise for your specific usecase without sight of the source, but you may be able to control when searches execute by using additional tokens (I know this sounds counter-intuitive) which are only set when a search completes, using a done handler. In this way, you can enforce the order in which searches are executed. Another check that you may be able to do with your dashboard, is to temporarily introduce a trace function to see when searches are executed so you can figure out which ones might need changing. I have done this sort of thing before by using appendpipe and outputlookup to store the trace in a csv file for later analysis. There may be other ways to achieve this with other browser/js tools. ... View more

It is not clear what is going on here: Is your "custom app" just a place holder for the dashboard and lookup files? Are the lookups csv files or kv stores? Is your processing done entirely in SPL or do you have custom commands (in your app)? What was the nature of the "graphical upgrade", and in what way has it affected your app/dashboard? Can you downgrade/rollback the upgrade to fix the issue? ... View more

Try inserting a positive lookahead (assuming "uicgrupp" is the correct spelling and not "uicgroup") https://regex101.com/r/8BaFP2/2 description\": \"Process .+?(?=uicgrupp)(?<uicgroup>[^\"]+)\" ... View more

https://regex101.com/r/8BaFP2/1 description\": \"Process (?<uicgroup>[^\"]+)\" ... View more

Try expanding the multivalue field `bsod` | stats values(fct_version) as ForticlientVersion | mvexpand ForticlientVersion ... View more

You don't have fields called ERRORS or WARNINGS. Try something like this index=nms-log-idx sourcetype="sea-nms-log" ("ERROR" OR "WARNING") | eval severity=case(searchmatch("ERROR"), "ERRORS", searchmatch("WARNING"), "WARNINGS") | stats count by severity | transpose 0 header_field=severity | fields - column ... View more

Your events do not have values for P1Sender at the same time as values for the other fields you are searching on. You need to find a field that has corresponding values in both sets of events so you can correlate the data. As @PickleRick says, we have no idea what your data looks like! ... View more

Dashboard Studio still does not have some of the capabilities of SimpleXML dashboards. You might have better luck approaching this with Classic SimpleXML. ... View more

What permissions do you have set up for the alert?   ... View more

In what way do they not work? Please can you be more specific about your issue. Having said that, multi-value fields from stats are often truncated to 100 entries. You could try adding limit=128 or even limit=0 ... View more