Trying to find if at least one value of a multivalue field matches another field. In either case, if you want to convert "false" to "off" you can use the replace command. Macros are prefixed with "MC-" to easily identify and look at manually. For example: | makeresults | eval values_type=split("value1,value2,value1,value2,value1,value2,value1,value2,value2,value2,value2,", ",") | eval values_count=mvcount(values_type) | eval value1=mvfilter(match. BUT, you will want to confirm with data owners the indexes aren't actually being used since, again, this search is not 100%. One method could be adding. When you untable these results, there will be three columns in the output: The first column lists the category IDs. Found the answer after posting this question, it's just using the existing mvfilter function to pull the match results. Functions of “match” are very similar to case or if functions, but the “match” function deals. Please help me with a Splunk query. I guess I also want to figure out if this is the correct way to approach this search. It's using the newish mvmap command to massage the multivalue and then the min/max statistical function that works with strings using alphabetical order. don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there. Note the value of search needs to be enclosed in " ", so you may need to do an eval before calling return to add the double quotes. What we would like to do now is a: mvdistinctcount(mvfield) -> if the result is bigger than 1 we win. The filldown command replaces null values with the last non-null value for a field or set of fields.
subtraction: | eval field1=mvfilter(match(field, "OUT$")) <-subtract-> | eval field1=mvfilter(match(field, "IN$")). However, I only want certain values to show. Click Local event log collection. containers{} | mvexpand spec. In Microsoft Sentinel, go to the Configuration > Analytics > Rule templates tab, and create and update each relevant analytics rule. The mvfilter command LOOKS similar to what I want, but in reverse (the mv variables are the regexes, of which any match is a reason to exit the search). 2. This function is useful for checking whether or not a field contains a value. So X will be any multi-value field name. You should see a field count in the left bar. And this is the table when I do a top. I want a single field which will have p. key2. And you will end up with: aName=Field1 aValue=123 Field1=123 aName=Field1 aValue=234 Field1=234 aName=Field2 aValue=345. So, Splunk 8 introduced a group of JSON functions. Doing the mvfield="foo" in the first line of the search will throw away all events where that individual value is not in the multivalue field. 1) The data is ingested as proper JSON and you should be seeing a multivalued field for your array elements (KV_MODE = json). 2) As you said, responseTime is the 2nd element in and it appears only one. E. Thanks in advance. The use of printf ensures alphabetical and numerical order are the same. Usage of Splunk EVAL Function : MVCOUNT. I want to calculate the raw size of an array field in JSON. Prefix $ with another dollar sign.
| stats count | fields - count | eval A=split("alpha,alpha,beta,c,d,e,alpha,f", ",") | mvexpand A. Hi, We have a lookup file with some IP addresses. Alternative commands are described in the Search Reference manual. Neither of these appear to work for me: y=mvfilter(isnotnull(x)) y=mvfilter(!isnull(x)) While this does: y=mvfilter(x!="NULL"). Usage of Splunk EVAL Function : MVDEDUP. This function takes a single argument (X). This function filters a multivalue field based on an arbitrary Boolean expression. The single value version of the field is a flat string that is separated by a space or by the delimiter that you specify with the delim argument. You want to create a field which is the URL minus the UserId part, and therefore the stats will be grouped by which URL is called. Remove multiple values from a multivalue field. This is part ten of the "Hunting with Splunk: The Basics" series. String mySearch = "search * | head 5"; Job job = service. Data is populated using stats and the list() command. The classic method to do this is mvexpand together with spath. We thought that doing this would accomplish the same:. Find below the skeleton of the usage of the function “mvdedup” with EVAL:. Your lookup could look like this: group_name,ShouldExclude group-foo-d-*,Exclude group-bar-t-*,Exclude. you can 'remove' all ip addresses starting with a 10.
Hello, I am trying to format multi-value cell data in a dashboard table using mvmap in an eval token before passing it on to a drilldown, however I am unable to figure out how to format the eval function and if this approach would work at all. Thanks! Yours worked partially. One of the fields is a comma separated list in the format [a,b,c] or sometimes it is just [d]. Let's say I want to count users who have a list (data) that contains a number less and only less than "3". Looking for the needle in the haystack is what Splunk excels at. Hello, I need to evaluate my _time against a list of times output from a lookup table and produce a calculated field "nextPeriodTime" which is the next time after _time. You may be able to speed up your search with msearch by including the metric_name in the filter. Search filters are additive. You can use this -. Topic 1 – Overview of multivalue fields. containers {} | mvexpand spec. Something like values() but limited to one event at a time. HI All, How to pass a regular expression to the variable to match command? Please help. The fill level shows where the current value is on the value scale. 1: DO NOT CHANGE ANYTHING ABOUT THE "SUBMIT" checkbox other than cosmetic things (e.
- Ryan Kovar. In our last post on parsing, we detailed how you can pass URL Toolbox a fully qualified domain name or URL and receive a nicely parsed set of fields that. In this example we want only matching values from the Names field so we gave a condition and it is. mvexpand breaks the memory usage there so I need some other way to accumulate the results. i tried with "IN function", but it is returning me any values inside the function. The documentation states the following: mvfilter(X) This function filters a multivalue field based on an arbitrary Boolean expression X. | gentimes start=1/1/17 end=10/1/18 increment=1d | rename starttime AS _time | stats sparkline(count, 2h) AS sparkline. Any help would be appreciated 🙂. attributes=group,role. I envision something like the following: search. Description: An expression that, when evaluated, returns either TRUE or FALSE. Hello All, i need help in creating a report. (Example file name: knownips. I need the ability to dedup a multi-value field on a per event basis. The first template returns the flow information. The first change condition is working fine but the second one I have where I am setting a token with a different value is not. You need read access to the file or directory to monitor it. Usage Of Splunk EVAL Function : MVMAP.
But in a case that I want the result to be a negative number between the start and the end day. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are. Filtering search results with mvfilter. 21, the drilldown works fine; Splunk 8 gives the following error: Invalid earliest time. This Splunk search is an example of how to remove unwanted values from multivalue fields using mvfilter. If the array is big and events are many, mvexpand risks running out of memory. | eval remote_access_port = mvfilter(destination_ports="4135"). The ordering within the mv doesn't matter to me, just that there aren't duplicates. A data structure that you use to test whether an element is a member of a set. Update: mvfilter didn't help with the memory. It's using mvzip to zip up the 3 fields and then filter out only those which do NOT have a - sign at the start, then extracting the fields out again. In general, you can put any predicate in mvfilter, and eval will iterate through all the values of the implied multi-valued field and keep only those that evaluate to "true". There are at least 1000 data. This example uses the pi and pow functions to calculate the area of two circles.
The split function uses some delimiter, such as commas or dashes, to split a string into multiple values. Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that. segment_status: SUCCEEDED-1234333 FAILED-34555 I am trying to get the total of segment status and individual count of Succeeded and FAILED; for the total count I have done the below query eventtype=abc. Maybe I will post this as a separate question because this is perhaps simpler to explain. "NullPointerException") but want to exclude certain matches (e. We can also use REGEX expressions to extract values from fields. Hi, As the title says. Using the transaction command I can correlate the events based on the Flow ID. Thank you.
This function takes a matching “REGEX” and returns true or false or any given string. | spath input=spec path=spec. The fillnull command replaces null values in all fields with a zero by default. I want specifically 2 charac. Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}. Alternatively, add | table _raw count to the end to make it show in the Statistics tab. What I want to do is to change the search query when the value is "All". Numbers are sorted before letters. OR, you can also study this completely fabricated resultset here. I would appreciate it if someone could tell me why this function fails. | datamodel | spath output=modelName modelName | search modelName!=Splunk_CIM_Validation `comment("mvexpand on the fields value for this model fails with default settings for limits. It takes the index of the IP you want - you can use -1 for the last entry. Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e. The 3 fields don't consistently have the same count of attributes so the dynamic method recommended certainly helped. The Boolean expression can reference ONLY ONE field at a time. Hi, I am building a dashboard where I have a multi-select input called locations, which is populated with a query via the dynamic options. For example, if I want to filter the following data I will write AB??-. i'm using splunk 4. See this run anywhere example. Using the query above, I am getting a result of "3".
Try something like this | makeresults | eval mymvfield="a b c" | makemv mymvfield | eval excludes=mvfilter(NOT [| makeresults | eval. Hello Community, I evaluate the values of a single field which comes with values such as: OUT; IN; DENIED and can get counters for each of those values. I am trying to figure out when somebody's account has been phished, because when they are phished, the attacker keeps sending out gobs of spam to gmail and hotmail addresses. AD_Name_C AD_Name_C AD_Name_B AD_Name_B AD_Name_A AD_Name_A 2. The multivalue version is displayed by default. If X is a single-value field, it returns count 1 as a result. We’ve gathered, in a single place, the tutorials, guides, links and even books to help you get started with Splunk. For that, we try to find events where list(data) has values greater than 3; if it's null (no value is greater than 3) then it'll be counted. we can consider one matching “REGEX” to return true or false or any string. create(mySearch); Can someone help to understand the issue. Something like that: Using variables in mvfilter with match or how to get an mvdistinctcount(var). The reason for that is that Type!=Success implies that the field "Type" exists, but is not equal to "Success". | search destination_ports=*4135* however that isn't very elegant. match(SUBJECT, REGEX) This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value; it returns true if the REGEX can find a match against any substring of SUBJECT. Use the spath command to interpret self-describing data. Hello all, Trying to figure out how to search or filter based on the matches in my case statement.
Return a string value based on the value of a field. * meaning anything, followed by [^$] meaning anything that is not a $ symbol, then $ as an anchor meaning that must be the end of the field value. mvfilter(<predicate>). containers {} | where privileged == "true". Whether you are new to Splunk or just needing a refresh, this article can guide you to some of the best resources on the web for using Splunk. Please help me on this, Thanks in advance. This function takes one argument <value> and returns TRUE if <value> is not NULL. In Splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. “match” is a Splunk eval function. for example, i have two fields manager and report, report having mv fields. My search query index="nxs_m. | eval f1split=split(f1, ""), f2split=split(f2, "") Make multi-value fields (called f1split and f2split) for each target field. I don't know how to create a for loop with break in SPL, please suggest how I achieve this. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 evaluation functions. i've also tried using the mvindex() command with success, however, as the order of the eventtype mv is never the same. The Splunk platform uses Bloom filters to decrease the time it requires to retrieve events from the index. Great solution. It's a bit hack-y, as it adds two multivalue fields to each event - the holiday name and date.
In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). For instance: This will retain all values that start with "abc-. index="jenkins_statistics" event_tag=job_event. Re: mvfilter before using mvexpand to reduce memory usage. An ingest-time eval is a type of transform that evaluates an expression at index-time. I am trying to use look behind to target anything before a comma after the first name and look ahead to. Usage of Splunk EVAL Function : MVFILTER. This query might work (I'll suggest a slight build later on), but your biggest issue is you aren't passing "interval" through the stats function in line 11, and since it's a transforming command, Splunk won't have any knowledge of the field "interval" after this. Hi, I would like to count the values of a multivalue field by value. I want to allow the user to specify the hosts to include via a checkbox dashboard input, however I cannot get this to work. </change>" section that unsets BOTH these tokens: {"SUBMIT_CHECKBOX", "form. I have logs that have a keyword "*CLP" repeated multiple times in each event. I am analyzing the mail tracking log for Exchange. Calculate the sum of the areas of two circles. The third column lists the values for each calculation.
My answer will assume the following. How about sourcetype=wordcount | dedup string | rex field=string max_match=10000 "(?<abc>abc)" | eval abc=mvcount(abc) | table abc - this does the count of abc in the string (since abc does not contain itself, it is an easy calculation). Splunk Coalesce command solves the issue by normalizing field names. It does not show indexes like _fishbucket, _audit, _blocksignature, _introspection and user-created indexes. I need to be able to identify duplicates in a multivalue field. I want to deal with the multivalue field to get the counts which satisfy the conditions I set. As a result, it will create an MV field containing all the Exceptions like this: From here, you can just easily filter out the ones you don't like using the | where command: | where mvcount(exception_type) > 1 OR exception_type != "Default". Understand how JSON data is handled in Splunk. We could even take action against the event in Splunk by copying it, redacting the password in the src_user field, and placing it in a summary index for further investigation. On Splunk 7. HttpException: HTTP 400 -- Unknown search command 'source' But the same code works with the below simple search command. log" "Model*" OR "Response*" | transaction traceId startswith="Model" endswith="R. Same fields with different values in one event. So argument may be any multi-value field or any single value field. | eval NEW_FIELD=mvdedup(X) […]
I need to be able to return the data sources in the panel EVEN if they return 0 events per data source. The mvcombine command creates a multivalue version of the field you specify, as well as a single value version of the field. Check "Advanced options", scroll down to "Match type", enter CIDR (clientip), clientip being the. Splunk Tutorial: Getting Started Using Splunk. When you use the untable command to convert the tabular results, you must specify the categoryId field first. I want to use the case statement to achieve the following conditional judgments. Let's assume you are using a pair of colons ( :: ) to make your list and your input files look something like this (notice the delimiter on both ends of the strings, too): lookup_wild_folder folder_lookup,s. When working with data in the Splunk platform, each event field typically has a single value. Click the links below to see the other blog. That's why I use the mvfilter and mvdedup commands below. Assuming you have a multivalue field called status the below (untested) code might work. Here's what I am trying to achieve. newvalue=superuser,null. If X is a multi-value field, it returns the count of all values within the field. Note that the example uses ^ and $ to perform a full. com is our internal email domain name; the recipient field is the recipient of the email, either a single-valued field or a multi-valued field. This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. Use the TZ attribute set in props.
If the first argument to the sort command is a number, then at most that many results are returned, in order. Then I do a lookup from the following csv file. eval txKV = mvfilter(match(kvPair, "tx_success")) | eval txCount = mvcount(txKV) | eval txTime = mvindex(txKV, txCount-1) |. Click New to add an input. if type = 3 then desc = "post". Mvfilter: Eg: mvfilter(eval(x!=userId)). I'm not sure what the deal is with mvfind, but would this work?: search X | eval a=mvfilter(eventtype LIKE "network_%") | search a=* |. Does Splunk support regex look behind and look ahead? Specifically, I have a log that has the following: CN=LastName, FirstName. A new field called sum_of_areas is created to store the sum of the areas of the two circles. I create a MV field for just the value I am interested in, determine the total count, and then return the value at the index of count-1. X can take only one multivalue field at a time. Hi All, I want to eliminate TruestedLocation = Zscaler in my splunk search result. Use the mvcount, mvindex, and mvfilter eval functions to evaluate multivalue fields. Topic 4 – Analyze Multivalue Data: Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval functions and the mvexpand command to analyze multivalue data. count events in multivalue field. Evaluating content of a list of JSON key/value pairs in search.
len() command works fine to calculate the size of a JSON object field, but the len() command doesn't work for an array field. column2=mvfilter(match(column1,"test")). This function takes a maximum of two (X, Y) arguments. csv) Define the lookup in "Lookups -> Lookup definitions -> Add new". Left Outer Join in Splunk. The important part here is that the second column is an mv field. Use the mvfilter() function to filter a multivalue field using an arbitrary Boolean expression. Any help is greatly appreciated. This is the most powerful feature of Splunk that other visualisation tools like Kibana and Tableau lack. This is in regards to email querying. How to use mvfilter to get a list of data that contain less and only less than the specific data? I would like to create a new string field in my search based on that value. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions. I have this panel display the sum of login failed events from a search string. In Splunk, it is possible to filter/process on the results of a first Splunk query and then further filter/process results to get the desired output.
Note that using msearch returns a sample of the metric values, not all of them, unless you specify target_per. | msearch index=my_metrics filter="metric_name=data. i have a mv field called "report", i want to search for values so they return me the result. containers{} | spath input=spec. , 'query_z'] , 'property_name_1' : ['query_1','query_1_a',. @yuanliu - Yeah, mvfilter can reference only one field, the rest should be only strings/patterns. We can't use mvfilter here because you cannot reference multiple fields in mvfilter. The container appears empty for a value lower than the minimum and full for a value higher than the maximum. I tried using eval and mvfilter but I cannot seem. Also, I include a static option called "ANY" with a value *. I also have a token prefix and suffix of double quotes (") and the delimiter of a comma ( , ). When I did the search to get dnsinfo_hostname=etsiunjour. I am trying to add a column to my current chart which has "Customers" as one column and "Users" as another. Comparison and Conditional functions.