ok thanks, how about is there a way to increase gap between two input boxes?   How can i add more space between Source IP and DestIP Condition as shown below ?    ... View more

Thanks for responding but the solution given there is different use case. The query and tokens mentioned in the XML code are very confusing to understand.  ... View more

Thanks, i tried that it  works .    However,  it ends up looking this because as we are using 2 separate input types so there is a huge gap between the radiobox input and the Text box where user enters the IP.  The classic dashboard doesn't let me shrink the size of these boxes .  Is there any way to merge/ bring them closer under one Title / Header - "Destination IP"  ?   Below is my code   <form version="1.1" theme="light"> <label>test</label> <fieldset submitButton="false"></fieldset> <row> <panel> <title>Destination IP</title> <input type="radio" token="condition" searchWhenChanged="true"> <label></label> <choice value="=">EQUAL</choice> <choice value="!=">NOT EQUAL</choice> <search> <query/> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>=</default> <initialValue>=</initialValue> </input> <input type="text" token="dest_ip" searchWhenChanged="true"> <label>dest_ip</label> <default></default> </input> <table> <title>dest_ip_graph</title> <search> <query>index=aws_vpc_flow_logs aws_account_id="*60036" dest_ip$condition$$dest_ip$ | stats count(vpcflow_action) as flowCount sum(packets) as pktCount sum(bytes) as sumBytes by aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id | eval pkt(million)=round((pktCount)/10000) | eval bytes(GB)=round((sumBytes)/1024/1024/1024) | iplocation src_ip | table aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id City Country flowCount pkt(million) bytes(GB) | sort - bytes(GB)</query> <earliest>-15m@m</earliest> <latest>now</latest> </search> </table> </panel> </row> </form>     ... View more

Thank you ... View more

Thanks, didn't realize we could do a by clause with tstats as well. ... View more

Hi @KendallW  Does the coalesce or rename command treat the hostnames differently if they are different in cases? One is lower case in one index and other index has the same hostname in Upper case. Is the merge case sensitive ?  For example,  HOST01 which is one of the values in host field of index=windows, is actually  host01 in index=cmdb ( under the dv_name) field.   That explains why the consolidation via coalesce or rename ain't working. ... View more

That didn't work. Query does not show any results if we rename the dv_name to host. That is because host is a default field  and for index=cmdb, the host field originally contains the name of the Log source (ServiceNow) sending over the asset information to splunk. Renaming it overwrites the default field. thanks for replying though. ... View more

Never mind, i figured out. Just moved the |eval statement to the end after the table command, it worked. ... View more

Quick followup question, is there a way to include another field ( as in column ) as part of the final output? For example, if i have something like below where there is another field "Priority" calculated using eval, how to include it in the final output?   As of now,  using the below query,  Priority doesn't show any data and thats expected because Priority is not part of our chart command.  I tried all different combos to add Priority in the chart command but couldn't figure out how to.   | eval Priorty = case(Alert like "001","P1",Alert like "002","P2") | chart count by Alert status | addtotals col=t fieldname=Count label=Total labelfield=Alert | table rule_name Count status Priority     ... View more

Awesome. So often forget the "chart" command to use for such scenarios.   Thank you ... View more

Hi, I am myself a sysadmin and  if you read my entire post with open eyes ,  i myself wrote that this information is available in /bash_history to check but that is manually after ssh into the server. If i wasn't aware how to check this, i wouldn't have mentioned about checking user's history. It doesn't matter which ever flavor of Linux you take be it Ubuntu or RHEL family anybody who is familiar with user deletion activity will know this issue because its same for any linux flavor. We are on RHEL 7.9 and under /var/log/secure  all we see is following type of messages when someone runs userdel command:  There is no further message or record in /var/log/secure of who ran this command. That's my use case and that is why i drew parallel with Windows Event Viewer logs to see how others are doing for similar use cases.    ... View more

For JSON data, use spath command.  Reference: https://community.splunk.com/t5/Splunk-Search/How-to-parse-my-JSON-data-with-spath-and-table-the-data/m-p/250462 https://kinneygroup.com/blog/splunk-spath-command/ ... View more

Thanks for responding. Unfortunately i don't see any such Closed by status option under "Threats Table"   ... View more