Hi @livehybrid  The windbag command worked just fine, but the collect command did not work. How do I use collect command in the Splunk report that appended |summaryindex automatically? Perhaps screenshot below will explain better. Thank you for your help I have a Splunk report that generates summary index daily The search query will be index=summary report=json_test When the report run daily, the search will be appended with "| summary index" command below: | windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}" | summaryindex spool=t uselb=t addtime=t index="summary" file="RMD[random characters].stash_new" name="json_test" marker="hostname=\"https://aa.test.com/\",report=\"json_test\"     ... View more

Hi @ITWhisperer  Will a JSON format with a tree structure be supported if I create a summary index using a Splunk report? The Splunk report automatically generated  summary index using the "summaryindex" command , rather than  the "collect" command.  According to the documentation you sent, using output_format=hec to get JSON-formatted output. Thank you ... View more

Hello @livehybrid  If I literally used your query, I got no result, but if I changed the index name to one of my existing indexes, I got the same output. 1. Should I use one of my existing indexes for testing?  (As I am not an admin, I don't have the ability to import JSON and create an index) 2. How do I create a summary index in JSON format with a tree structure? Thank you so much for your help   ... View more

Hi, My understanding is the data is there somewhere, Splunk decided to not display 0 when using stats count. Thanks ... View more

Hello, Is there any other way to do this? The data is dynamic. If I am doing this way, I have to have another process to dump a CSV file. Thanks ... View more

@johnhuang  Changing the wrap results to Yes fix the problem. Thank you so much for your help   ... View more

@PickleRick @yuanliu @yuanliu  So, I did the following tests: 1) User A logged in to Splunk with his user ID using Google Chrome on User A's PC. The result was that Splunk displayed extra spaces correctly using Google Chrome on User A's PC. 2) I login to Splunk with my userID using Google Chrome on my PC. The result was that Splunk does not display extra space correctly using Google Chrome on my PC. 3) User A logged in to Splunk with his user ID using Google Chrome on my PC. The result was that Splunk displayed extra spaces correctly using Google Chrome on my PC. So, it is not an issue with Google Chrome on my PC. 4) I login to Splunk with my userID using Google Chrome on User A's PC. The result was that Splunk does not display extra space correctly using Google Chrome on User A's PC. So, the issue follows my User ID. The conclusion is: The problem follows my User ID, and it is not an issue with my Google Chrome or my PC.  I am following up with Splunk. Assuming I am User B, the issue follows User B: User Splunk Browser PC Result User A User A User A User A No Space issue User B User B User B User B Space issue User A User B user B User B No Space issue User B User A User A User A Space issue Thanks ... View more

Hi @PickleRick  Thank you for your response. I checked the developer tools, and it did show extra spaces on the browser. The PC support asked me this question "if this is a browser issue, then why did the issue also occur on a different browser?  So, no chance it's a Splunk profile issue? I already cleared, my cache and it's the same issue.     The next step is that I will test it using a different PC used by Splunk user that doesn't have this issue   ... View more

Hi @yuanliu  Could it be an issue with my Splunk profile? I am using Splunk Enterprise Version:9.0.4. My browser is Google Chrome Version 130.0.6723.117 (Official Build) (64-bit) and Microsoft Edge Version 130.0.2849.68 (Official build) (64-bit) If it's a browser issue, why is it not working on another browser like Microsoft Edge? Thank you for your help ... View more

@jawahir007  I don't have any pending updates.  If it's a browser issue, then why is it displaying text correctly in the search box, but not on the statistical table in Splunk?    Thanks ... View more

@yuanliu  Good to know.   If I may ask again, how did you know the cost associated for each SPL command? Thanks!! ... View more

@yuanliu  Thank you for your help. I accepted your suggestion as solution with the following note: - sendemail didn't work because I wasn't an admin - Using alert worked just fine Can you clarify what you meant "join" will get me nowhere?  😊 The result using JOIN worked just fine My intention is to "join" the data, not to "append". When I  used APPEND, the data was appended to the original data and I had to use "stats command" to merge the data.   Thanks ... View more

Hi @inventsekar  I got this error when using the send email command, that's probably because I am not an admin error: command="sendemail", 'rootCAPath' while sending mail to: Thanks ... View more

Hi @inventsekar , If I uncheck open in new tab, it will not open a new tab and use the current tab. My goal is to open a new tab, but only one, not two.   Thank you   ... View more

Hi @ITWhisperer  Here's the code:    Thank you so much { "type": "splunk.singlevalueicon", "options": { "showValue": false, "icon": "splunk-enterprise-kvstore://12345abcdefg" }, "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "/splunk/app/test_app/second_dashboard?form.student_token=$student_token$", "newTab": true } } ], "context": {}, "showProgressBar": false, "showLastUpdated": false }     ... View more

@ITWhisperer @gcusello  Do you have any ideas on how to fix this?  Thanks ... View more

Hi @PickleRick  The data is actually also available in Splunk using an index=contact, but it's a time based combined with other data, it makes the data even larger. It is derived from the original DB, so it's better off obtain the data directly from DB. Either way, both cases (data pulling dbxquery and index) will face the same problem  (see below) We are aware that permanent solution is to join the data in the backend, but for now as a workaround I need to pull the data using SPL join subsearch. I only need to find a way to alert me if it exceeds 50k. Thanks Same problem 50k: | search1 | join [search index=contact | ip="10.0.0.0/16" | eval source=search2] | join [search index=contact | ip="10.1.0.0/16" | eval source=search3] | join [search index=contact | ip="10.2.0.0/16" | eval source=search4] | join [search index=contact | ip="10.3.0.0/16" | eval source=search5]   ... View more

Hi @yuanliu  1) a)  I got this when using sendemail.  I think the reason is I am not an admin command="sendemail", 'rootCAPath' while sending mail to:       b)   This is the search, correct? | search1 | join [search2 | stats count | where count > 50000 | eval this = "search 2"] | sendemail [email protected]   2)  I found another option is to use "alerts" I did some tests, but it didn't work.  I have total counts about 40k Under "Trigger Conditions", I set Trigger alert when number of results is greater than 30,000.   Please suggest. Thanks ... View more

Hi @PickleRick  Thanks for your help 1.  Like I mentioned, the DB is on a different connection, if it's possible it will take a while until the DB team work on this. So, as a workaround I will need to do this at least to get the data now. 2. Yes 50k is for the join 3. Thanks. Let me look into _internal. The alerting that I am looking for is not only for a case where certain data hits a Splunk's internal threshold, but I also need it for other cases (non-Splunk's internal threshold), for example, if my scheduled report contains empty data or if data hits a certain threshold (max/min). 4.  Sorry, perhaps my explanation in the example is not clear enough because it's difficult to lay it out without a real example in SPL. Both tables (host table and contact table) in the example have been in Splunk and can be accessible via a DBX query. Like I mentioned before, the problem is that we cannot join in the DB; both are on different connections; the table host is in Connection A, and the table contact is in Connection B.  | dbxquery connection ="connectionA" query="select ip, host from table host" | dbxquery connection ="connectionB" query="select ip, contact from table contact" I did not search remotely on every search, but instead I ran this command for each subnet to find the number of rows. For example 10.0.1.0/16 => 20k rows and so on.   | dbxquery connection ="connectionB" query="select ip, contact from table contact where ip::inet<'10.0.0.0/16'" | dbxquery connection ="connectionB" query="select ip, contact from table contact where ip::inet<'10.1.0.0/16'" | dbxquery connection ="connectionB" query="select ip, contact from table contact where ip::inet<'10.2.0.0/16'" | dbxquery connection ="connectionB" query="select ip, contact from table contact where ip::inet<'10.3.0.0/16'" Once I figure the number of rows, then I group them until it hits right below 50k, so I am saving subsearches.  If one subnet above 50k, I will need to split them.   I hope this makes sense.  Note that this is only workaround. join max=0 type=left ip [| dbxquery connection ="connectionB" query="select ip, contact from table contact where ip::inet<'10.0.0.0/16' OR ip::inet<'10.1.0.0/16'" |eval source="group1" ] ... View more

I can make it wider by reducing the time frame, but last 7 days is usually the default. Are you sure we can't do it on the CSS part? Thanks ... View more

Hi @yuanliu  First, I would like to thank you for your help. This is "partly" related to my previous post that you solved, but I will describe it better here https://community.splunk.com/t5/Splunk-Search/How-do-I-quot-Left-join-quot-by-appending-CSV-to-an-index-in/m-p/697794#M237015 This is just an example: I have a host table containing IP and hostname, approximately 100k rows with unique IPs I have a contact table containing IP and contact, approximately 1> million rows with unique IPs Both can be accessed with DBX query,  but unfortunately they are both located in different DB connections, so it's not possible to join them at the backend. So, the workaround is to filter out subnet on the contact DB and use subsearches to join the contact DB with the Host DB Due to 50k rows limit using subsearch, I ran a separate query on the contact DB to find out the number of rows for each subnet, then I grouped them together to make sure the number of rows is below 50k. (Please see the diagram below) Group 1 = 40 rows, Group 2 = 45k rows,  and Group 3 = 30k rows. After that, I used left join for each group on the contact DB with the Host DB. Since I don't control the growth of data in the Contact DB,  I am trying to figure out a way to get an email alert if one of the groups exceeded 50k limit. I think I am able to create a scheduled report to produce the stats of each subnet in the group, but going back to my original question: I simply want to know if it's possible for Splunk to send me an email alert only if it meets certain thresholds. The subsearch is only one of my cases. Another case is  I have multiple reports that run daily, I intend to read the reports only if there is a problem, such as empty data, meeting certain thresholds, etc.       Input: Host table ip host 10.0.0.1 host1 10.0.0.2 host2 10.0.0.3 host3 10.1.0.1 host4 10.1.0.2 host5 10.1.0.3 host6 10.2.0.1 host7 10.2.0.2 host8 10.2.0.3 host9 Contact table ip contact 10.0.0.1 person1 10.0.0.2 person2 10.0.0.3 person3 10.1.0.1 person4 10.1.0.2 person5 10.1.0.3 person6 10.2.0.1 person7 10.2.0.2 person8 10.2.0.3 person9 Output:  Join host and contact DB ip host contact 10.0.0.1 host1 person1 10.0.0.2 host2 person2 10.0.0.3 host3 person3 10.1.0.1 host4 person4 10.1.0.2 host5 person5 10.1.0.3 host6 person6 10.2.0.1 host7 person7 10.2.0.2 host8 person8 10.2.0.3 host9 person9 ... View more