Try it this way around index=abc | mvexpand records{} |spath input=records{} | table ProcessName, message, severity, Username, Email, as Id ... View more

So why not just count the C's in one day? ... View more

Okay, good point, I must have left my brain somewhere far away... Indeed, max(bytes) is 47KB and avg is 2KB, less than 1MB! Thank you all for your responsiveness. ... View more

Splunk on its own doesn't have the zOS component so your data has to be going through some external stages before it reaches Splunk. We don't know what your ingestion process looks like. If the events are written by some solution to an intermediate file picked up later by forwarder - check the file contents and see if those \xXX codes are there. If the events are pushed by syslog - sniff the traffic with tcpdump and see if they are there. Most probably the response to one of those questions (or a similar one regarding your particular transport channel) will be affirmative. And that will mean that the issue is external to Splunk  - you're ingesting badly formatted data. ... View more

Your search is written in a very strange way for Splunk SPL - so it makes it hard to understand what your data looks like and what you are actually trying to get to. Based on your posted search, this is a more efficient replacement - try this search and see if this comes up with the same output as your basic search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) (repoter.dataloadingintiated) OR (task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data") OR ("app.mefwebdata - jobintiated") | eval host=if(match(_raw, "(?i)app\.mefwebdata - jobintiated"), case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24)) + " - " + host_ip , null()) | eval FilesofDMA=if(match(_raw, "task\.dataloadedfromfiles"), 1, 0) | stats values(host) as "Host Data Details" values(Error) as Error values(local) as "Files created localley on AMP" sum(FilesofDMA) as "File sent to DMA" | appendpipe [ stats dc("Host Data Details") as count | eval Error="Job didn't run today" | where count==0 | table Error]   ... View more

sure . Will take this. Thanks for your feedback ... View more

If you want to monitor your SaaS application from the outside, there are also mechanisms in the observability components (like Real User Monitoring, Synthetic Monitoring, ...) available.  ... View more

You need to use two commands | inputlookup remediation.csv | stats count by knowbe4, solution | rex field=knowbe4 mode=sed "s/<\/?\w+.*?\/?>//g" | rex field=solution mode=sed "s/<\/?\w+.*?\/?>//g" ... View more

OK. Right from the start there are some things that can be improved 🙂 | table host | dedup host While in this particular case it might not make such difference it's worth remembering that the table command moves processing to the search-head layer so it's best avoided untill you really need to transform your data into table for presentation. I'd do | stats values(host) as host | mvexpand host instead. The annotate=t part is also not needed very much as you only want to set one field. I'm not sure what you're trying to do with this line: | eval multiplehost=mvjoin(host, ", ") I suppose you want it to work differently than it does. You can't "reach" to other result lines with the eval command. So you either need to combine your results into a multivalued field or maybe transpose your results and do a foreach. But this one will not work. Also, unless you have one of each host (not just one "dummy") in the appended part you won't detect the failed ones. ... View more

Sweet - nice optimisation ... View more

1) c doesn't exist unless it is a value in WriteType and even then it will contain a count not "test" or "qa" 2) No, you can only have two fields with chart. Perhaps it would be better if you explained what you are trying to do, and share some representative anonymised sample events? (I may have said that before a few times!) ... View more

Hi one old post for same kind of situation. https://community.splunk.com/t5/Splunk-Enterprise/How-to-dynamically-lookup-filename/m-p/645855 r. Ismo ... View more

The way I read your premise, this sounds like a transaction logic.  So, let me first clarify your use case. You data look like _time id message state 1969-12-31 16:00:00 101 executed started 1969-12-31 16:00:04 102 activity printed started 1969-12-31 16:00:09 101 null in progress 1969-12-31 16:00:10 102 null in progress 1969-12-31 16:00:18 102 none completed 1969-12-31 16:00:24 101 none completed Note I added some time interleave between 101 and 102 to make the transaction nature more obvious. (Never mind the date is from 1969; that is just for ease of emulation.)  You want to use some results like _time duration eventcount id message state 1969-12-31 16:00:04 14 3 102 activity printed completed<-in progress<-started 1969-12-31 16:00:00 24 3 101 executed completed<-in progress<-started Here, I ignored the format of the expected output in your earlier comment, just want to clarify that "state" goes through "started", "in progress", and "completed" to form a transaction for each unique "id".  Your material requirement is to obtain a single value for "message" that is NEITHER "null" nor "none".  Is this correct?  The result as illustrated here can be obtained with   | transaction id startswith="state=started" endswith="state=completed" | eval message = mvfilter(NOT message IN ("none", "null")) | eval state = mvjoin(state, "<-")   The first two commands literally implements my interpretation of your intentions.  The third line is just a visual element to make state transition obvious for each . In my mind, the above results table is sufficient, and is more representative of the problem.  But if you really want to list each event, like _time id message state 1969-12-31 16:00:00 101 executed started 1969-12-31 16:00:04 102 activity printed started 1969-12-31 16:00:09 101 executed in progress 1969-12-31 16:00:10 102 activity printed in progress 1969-12-31 16:00:18 102 activity printed completed 1969-12-31 16:00:24 101 executed completed You can either use eventstats   | eventstats values(message) as message by id| eval message = mvfilter(NOT message IN ("none", "null")) | eval message = mvfilter(NOT message IN ("none", "null"))   or streamstats as @bowesmana suggested   | streamstats values(message) as message by id| eval message = mvfilter(NOT message IN ("none", "null")) | eval message = mvfilter(NOT message IN ("none", "null"))   To emulate input, I added _time into @bowesmana's formula because it's just simpler.   | makeresults format=csv data="id,message,state,_time 101,executed,started,0 102,activity printed,started,4 101,null,in progress,9 102,null,in progress,10 102,none,completed,18 101,none,completed,24" | eval _raw = "doesn't matter" ``` mock field _raw is important for transaction ``` ``` data mockup above ```         ... View more

Hi @ITWhisperer  First time its coming when i am trying to refresh the same query i am not find any values   Query which i am trying: index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" [search index="mulesoft" applicationName=" scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where content.currStatus!="Interface has no entry found in object Store"|stats count by content.currStatus If i use the query in seperate search its showing the latest correlation values: message="Upcoming Executions for Scheduler :*" environment=DEV | stats latest(correlationId) as correlationId | table correlationId         ... View more

It looks like there may be something else going on in your search. Please share the full search (in a code block </>). It would also be helpful (and quicker) if you could share some sample anonymised representative events. ... View more

Set your dropdown to this dynamic data source | makeresults | eval day=mvrange(0,7) | mvexpand day | eval day=relative_time(now(),"@d-".(1+day)."d") | eval suffix=tonumber(trim(strftime(day, "%e"))) | eval suffix=case(suffix%10 == 1, "st", suffix%10 == 2, "nd", suffix%10 == 3, "rd", true(), "th") | eval day=strftime(day,"%e").suffix." ".strftime(day,"%B") | table day ... View more

I owe you a lot of beers! ... View more

so the searchers are   | inputlookup duerr_counters.csv | search category="blsoft_total" | rename "Company Code" as CompanyCode | lookup location_map.csv CompanyCode OUTPUTNEW Lat, Long | rename CompanyCode as "Company Code" | lookup lkp-GlobalIpRange "Company Code" OUTPUTNEW Niederlassung | fields "Company Code" Region category Lat Long Niederlassung | geostats globallimit=93 latfield=Lat longfield=Long count by Niederlassung | inputlookup duerr_counters.csv | search category="blsoft_exceptions" | rename "Company Code" as CompanyCode | lookup location_map.csv CompanyCode OUTPUTNEW Lat, Long | rename CompanyCode as "Company Code" | lookup lkp-GlobalIpRange "Company Code" OUTPUTNEW Niederlassung | fields "Company Code" Region category Lat Long Niederlassung | geostats globallimit=93 latfield=Lat longfield=Long count by Niederlassung only 2 line is different ... View more

Super! Thanks! ... View more

Here is a runanywhere example showing it working | makeresults | eval guid=1 | eval property="start" | eval value="2024-04-30T12:01:04.215Z" | xyseries guid property value | eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T") Please share some actual examples (anonymised of course) where this technique does not work ... View more

This gives almost the same result, time of succses events. This is useful for the future. For now I wait with this query, because it seems we need a field 'Duration' in message to check the performances of response call ... View more

Try this | rex "\"changes\":(?<changes>\{.*?\}\})" ... View more

This is a different question. Please start a new question with as much detail as possible. ... View more