I very much doubt there is any kind of documentation - I know this issue has been discussed here and on Splunk Slack channels and there is more than one way to achieve this. This site is a good resource for this type of question. ... View more

I have a feeling that using tokens in the count part of the XML config was broken at some point. It used to work, then it stopped working, but now I tested again, it does work - what version are you on?   ... View more

Without knowing what you're trying to do, I couldn't answer that - if you managed to upload the app, then I would guess there might be some issues with your JS, but there may also be some sandbox restrictions around what you can do. ... View more

In Simple XML dashboards you can display things  https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#dashboard_or_form See the hide* attributes there In practice, though, the user can in fact just add /edit or /editxml to the dashboard if they have rights to edit it, so it's only at the UI layer.   ... View more

You mean you uploaded the app OK, but your JS is throwing errors or the AppInspect process failed and you could not upload the app? ... View more

It's actually easy enough with a bit of inline CSS - see this simple XML dashboard example, which hides the colour dropdown and sets the colour to black. If you select A, C or D then the colour dropdown is re-shown. <form version="1.1" theme="light"> <label>ddl</label> <fieldset submitButton="false"> <input type="dropdown" token="component" searchWhenChanged="true"> <label>Component</label> <choice value="A">A</choice> <choice value="B">B</choice> <choice value="C">C</choice> <choice value="D">D</choice> <change> <eval token="display_colour">if($component$="B", "display:none", "")</eval> <eval token="colour_name">if($component$="B", "No Colour", $colour_name$)</eval> <eval token="form.colour">if($component$="B", "#000000", $form.colour$)</eval> <eval token="colour">if($component$="B", "#000000", $colour$)</eval> </change> </input> <input type="dropdown" token="severity" searchWhenChanged="true"> <label>Severity</label> <choice value="Info">Info</choice> <choice value="Warning">Warning</choice> </input> <input id="colour_dropdown" type="dropdown" token="colour" searchWhenChanged="true"> <label>Colour Dropdown</label> <choice value="#000000">Black</choice> <choice value="#ff0000">Red</choice> <choice value="#00ff00">Green</choice> <choice value="#0000ff">Blue</choice> <change> <set token="colour_name">$label$</set> </change> </input> </fieldset> <row depends="$AlwaysHideCSS$"> <panel> <html> <style> #colour_dropdown { $display_colour$ } </style> </html> </panel> </row> <row> <panel> <html> <h1 style="color:$colour$">Component $component$, Severity Level $severity$, Colour $colour_name$</h1> </html> </panel> </row> </form>   ... View more

As @gcusello , don't use join, that's the wrong way to do this, however, you are using the wrong field. Your rex statement is extracting the field called clients but your join is using client (singular). Please use the lookup way to do this, not join.   ... View more

I would suggest a slightly optimal version that does not use the subsearch index=abc | stats count by source | inputlookup append=t my_source_lookup.csv | fillnull count | stats sum(count) AS total BY source   ... View more

You can upload your own app with custom JS and css in it, as long as you are on Victoria experience in the Cloud and the JS will pass the AppInspect when you upload the app. We do this all the time and have a set of JS functions that we use for our applications that are bundled with every app we created. ... View more

Your SPL has "tick" marks round the macro drop_dm_object_name that are single quotes ('), whereas you need to use the backtick character (`) | `drop_dm_object_name("All_Traffic")`   ... View more

Your sed command is wrong for your example data. The space is before the colon in your example. but your sed is replacing the space after the colon. Your example data as posted seems to have two spaces before the colon, at least if I copy/paste your data there are two spaces. Note also that you could do the fixup and strptime once, e.g. | makeresults format=csv data="ClintReqRcvdTime Wed 4 Jun 2025 17:16:02 :161 EDT Mon 2 Jun 2025 02:52:50 :298 EDT Mon 9 Jun 2025 16:11:05 :860 EDT" ``` This is what you want - above is just constructing an example dataset ``` | eval t=strptime(replace(ClintReqRcvdTime, "\s*:\s*", ":"), "%a %d %b %Y %H:%M:%S:%Q %Z") | eval date_only=strftime(t, "%m/%d/%Y") | eval year_only=strftime(t, "%Y") | eval month_only=strftime(t, "%b") | eval week_only=floor(tonumber(strftime(t, "%d"))/7+1) ... View more

So, this is a common pattern and the solution is to work your logic like this ```search indexes to get list of servers``` ... | stats max(_time_) as latest count by System | rename System_Name as System ``` At this point all Systems found will have a count > 0 ``` ``` So now add in your control group to the end of the list ``` | inputlookup append=t system_info.csv ``` Now this will "join" the two possible sets of 'System' together ``` | stats values(*) as * max(count) as count by System ``` And any of those with count = 0 are those that came from your lookup control and this gives you the ones not found in your data ``` | where count=0 The final where clause will cause only the missing items to show, but you can of course do what you need there with any time calculations based on the latest value from the top search. You can if you want use the lookup as a subsearch contstraint on the outer search so that it finds ONLY those in the lookup, as opposed to all systems, e.g. index=servers sourcetype=logs [ | inputlookup system_info.csv | fields System | rename System as System_Name ] ... Note that this assumes your data contains a field called System_Name, but your field in the lookup is System.   ... View more

Firstly, join is not a good way to do things in Splunk - it has limitations and can almost always be avoided by using stats and your search pattern is not how you would combine search and lookup elements. You are discarding Location and Responsible from the lookup because of your table statements line 3. Anyway, try this (I removed the unused elements in your search and the double sort in your join). index=servers sourcetype=logs | stats latest(_time) as Time by System_Name ``` Calculate time differences ``` | eval last_seen_ago_in_seconds = now() - Time | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200,"MISSING","GOOD") | where MISSING=="MISSING" ``` Find the Location and Responsible ``` | lookup system_info.csv System as System_Name ``` Now render the results ``` | table System_Name Location Responsible MISSING | sort -last_seen_ago_in_seconds     ... View more

In addition to the other comments, you don't need the .* at the start and end of the regex ... View more

Do you have any base searches? Are any of the panels driven by saved searches?   ... View more

How did you figure out that the problem was with that firewall search? You are doing lots of appends, which is always going to slow down any search, as you are pushing everything to the search head, but also you are doing an unbounded 6 month transaction statement, which again is going to be pretty slow and potentially unpredictable. What are your data volumes for each individual search? The separate times for your 6 individual searches will not sum up to give you the expected cost of the overall search and I would not actually expect the tstats searches per se to be the source of any performance problem. If you are searching summaries only from accelerated datamodels, they should be the least of your worries. Your CrowdStrike search is getting ALL the data for 6 months and running transaction on that, which if you have any kind of volume there, is unlikely to be reliable, because transaction will silently drop results when it hits limits.   ... View more

bit nerdy here, but @PickleRick if you know in advance what you want to do and can figure out the maths, then you can do others, e.g. post aggregation of average is simply sum/count index=_audit | eval r=random() % 100 | timechart span=10m avg(r) as avg_r sum(r) as s_r count | eval h=strftime(_time, "%H"), d=strftime(_time, "%d"), m=strftime(_time, "%M") | eventstats sum(count) as count_1_hour sum(s_r) as sum_r_1_hour by d h | where (h>=7 AND h<19 OR m=0) | eval avg_r = if(h<7 OR h>=19, sum_r_1_hour / count_1_hour, avg_r) | fields - d h m sum_r_1_hour count_1_hour s_r percentiles on the other hand are a little more complicated. I suspect using the sitimechart function will do a lot of the work for the first pass and then it's a bit of post_processing of the psrsvd_rd* variables. I'm not totally sure how the si_* values are aggregated for percentiles, I did play around with it some years ago and got lost in the weeds, but it was a somewhat interesting exercise ... View more

You can technically achieve this through post processing of the timechart data. All you do is create your timechart in the smaller span, then add up the 6 X 10 minute blocks outside your time range and remove the unnecessary ones.  Here's an example using streamstats/eventstats - there are probably other ways, but this works  index=_audit | timechart span=10m count | eval t=strftime(_time, "%H") | streamstats window=6 sum(eval(if(t>=7 AND t<19, null(), count))) as hourly by t | eventstats max(hourly) as hourly_max min(hourly) as hourly_min by t | where hourly=hourly_min OR isnull(hourly) | eval hourly=hourly_max | fields - hourly* t You could make it simpler depending on your total search time range. You will see the X axis will not change, but you will only have hourly data points in the 19-07 hours. ... View more

Can you share your dashboard XML for the panel that is not visible. ... View more

See this example dashboard - this uses a <change> block on the input to change the token <form version="1.1" theme="light"> <label>Backslash escaped input</label> <fieldset submitButton="false"> <input type="text" token="Get_Process_Path" searchWhenChanged="true"> <label>Enter Path</label> <prefix>process_path="*</prefix> <suffix>*"</suffix> <change> <eval token="escaped_path">replace($Get_Process_Path$, "\\\\", "\\\\")</eval> </change> </input> </fieldset> <row> <panel> <html>Token created from the user's input is <b style="color:blue">[$Get_Process_Path$]</b> and the up[dated search token applied is <b style="color:red">[$escaped_path$]</b></html> <table> <search> <query>index=_audit $escaped_path$</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> ... View more

The OS in your first result has OS has "Microsoft Windows 11 Enterprise", whereas your OperatingSystems field in your OS_Outdated.csv lookup does not appear to have "Microsoft" in the name, so naturally it will not match. You will either have to make your OperatingSystems field a wildcarded lookup or massage your data so the two fields contain similar data. You also have a small issue with your use of fillnull - you specify a field name "outdated" which is lower case, whereas your field from the lookup is Outdated (capital O) You can try this search index=endpoint_defender source="AdvancedHunting-DeviceInfo" | rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})." | eval DeviceName=upper(DeviceName) | lookup snow_os.csv DeviceName output OS BuildNumber Version ``` Remove the word Microsoft and any following spaces ``` | eval OperatinsSystems=replace(OS, "Microsoft\s*", "") ``` Now use this modified field as the lookup field ``` | lookup OS_Outdated.csv OperatingSystems BuildNumber Version OUTPUT Outdated | fillnull value=false Outdated | table DeviceName OS BuildNumber Version Outdated   ... View more