Example logs 2022-08-19 08:10:53.0593|**Starting** 2022-08-19 08:10:53.5905|fff 2022-08-19 08:10:53.6061|dd 2022-08-19 08:10:53.6218|Shutting down 2022-08-19 08:10:53.6218|**Starting** 2022-08-19 08:10:53.6374|fffff 2022-08-19 08:10:53.6686|ddd 2022-08-19 08:10:53.6843|**Starting** 2022-08-19 08:10:54.1530|aa 2022-08-19 08:10:54.1530|vv   From this I have created three columns Devicenumber,  _time ,Description If ** Starting ** message has followed by "Shutting down" mean, it should classify as good and if Starting message has not Shutting down mean, it should classify as bad.   From the above example, there should be 2 bad and one good.   If there is only one row which has only Starting and no shutting down recorded, in that case also , it should classify as bad ... View more

When I create report and enable summary index, the results are getting in the below format.   Table: id    _time 1      2022-06-01 12:01:30.802 1      2022-06-01 12:11:47.069   But when I call this summary index using spl query, milliseconds are missing in _time column.   Query I have used, index="summary" report="yy" |eventstats max(search_now) as latestsearch by id, report |where search_now = latestsearch   This query is to fetch latest run result ... View more

I have the following table Timestamp  2021-08-09 12:26:55.7852 2021-08-09 12:26:56.2278 2021-08-09 12:26:56.2278 2021-08-09 12:26:56.3939 2021-08-09 12:26:39.2861 2021-08-09 12:26:40.3430 2021-08-09 12:26:41.3482 2021-08-09 12:26:41.4832 2021-08-09 12:26:56.8794 2021-08-09 12:26:57.8846 2021-08-09 12:26:58.9398 2021-08-09 12:26:59.9450 2021-08-09 12:26:59.9700 2021-08-09 12:26:59.9700 2021-08-09 12:27:00.8201 2021-08-09 12:27:00.8401 2021-08-09 12:27:01.0352 2022-03-30 10:09:25.6406 2022-03-30 10:09:25.8007 2022-03-30 10:09:26.8109 2022-03-30 10:09:27.5961 2022-03-30 10:09:27.5961 I have extracted timestamp manually using regex instead of default timestamp. I have different device_ids. Each device_id will have logfile. I have the following macro query, to remove the events which is decreasing(seconds value are decreasing for the same date marked as bold) index="xxxx" source="*$Device_ID$*xxxx*" | eval Device_ID=mvindex(split(source,"/"),5) | rex field=_raw "(?<timestamp>[^|]+)" | table Device_ID timestamp | streamstats count as s_no by Device_ID | sort 0 - s_no | table Device_ID s_no timestamp | streamstats current=f last(timestamp) as last_timestamp by Device_ID | eval last_timestamp_h=last_timestamp, timestamp_h=timestamp | eval last_timestamp=strptime(last_timestamp,"%Y-%m-%d %H:%M:%S.%4N") | eval timestamp=strptime(timestamp,"%Y-%m-%d %H:%M:%S.%4N") | eval diff=timestamp-last_timestamp | eval ref=if(diff<0,last_timestamp,null) | filldown ref | eval ref_diff=timestamp-ref | fillnull ref_diff value=0 | search ref_diff>=0 | fields Device_ID s_no timestamp_h But when i try to run for all devices, some values are missing and got messed. How can i run for each device_id separately and store the result   ... View more

I have 3 panels. Each panels have the same query except 2nd line which contains patterns. Eg. index="index_name" source="input.txt" some regex pattern line ( only this line will be different in all three panels) table id Action All remaining lines will be same in all three panels.   How to create one summary index and implement as base search for all three panels   ... View more

Count error_manager 1 System 2 System 3 System 4 System 5 System 6 System   How to delete last row in a table?  ... View more

  Device_ID Handset_ID 1 Serial Number 1 Started 1 1420 1 1420 1 1420 1 Serial Number 1 Started 1 1420 1 Serial Number 1 Started 1 1420 1 1420 1 1420 1 Serial Number 1 Started 1 Serial Number 1 Started 2 1420 2 1420 2 Serial Number 2 Started 2 Serial Number 2 Started 2 Serial Number 2 Started 2 20 2 Serial Number 2 Started 2 Serial Number 2 Started   Expected Output: Count should be based on keyword "Serial Number"  followed by Handset_ID to another "Serial Number". If there is no Handset_ID between , it should skip the rows. Eg.last 4 rows Handset_ID Total Count 1420 4 20 1 ... View more