https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609092#M211788 <P>This is probably a result of trailing spaces on your split by fields.</P><P>Your rex statement for serviceTicketId is greedy, in that it grabs everything</P><LI-CODE lang="markup">| rex field=serviceTicketId "\[(?&lt;omsServiceTicketId&gt;.*)\]</LI-CODE><P>If you do a final</P><LI-CODE lang="markup">| eval serviceTicketId=":".serviceTicketId.":"</LI-CODE><P>and the same with orderId you will see if there's a leading/trailing space.</P><P>Couple of other points - dc(_time) will count unique times, but if you have two events at the same time, you will only get 1. Should you use 'count' instead.</P><P>Also elapsedTime calculation will not work for the multivalue eventTime field.</P><P>You could do this&nbsp;</P><LI-CODE lang="markup">... | stats count AS eventCount min(_time) as firstEvent values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId | eval timeElapsed = now() - firstEvent</LI-CODE><P>or if you want to do elapsed time between first and last event of the particular ticket, do</P><LI-CODE lang="markup">... | stats count AS eventCount range(_time) as timeElapsed values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId</LI-CODE><P>Hope this helps</P><P>&nbsp;</P> Thu, 11 Aug 2022 00:10:15 GMT bowesmana 2022-08-11T00:10:15Z https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609087#M211784 <P>For some reason there are entries that are not grouped together, but obviously look like they should be. In the following table, 2 rows with serviceTicketId =&nbsp;<SPAN>00dcfe68-25d8-4c58-9228-5fc8f7ddb9d1 are on separate rows, other serviceTicketIds such as&nbsp;00c093f4fc527e5ff7006566b1a0fd90 have one row, but multiple event times.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-08-10 at 3.59.11 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20994i681D11C53F9AFF9C/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2022-08-10 at 3.59.11 PM.png" alt="Screen Shot 2022-08-10 at 3.59.11 PM.png" /></span><BR /><BR /></SPAN></P> <P>Here is my query:</P> <PRE><BR />(index=k8s_main "*Published successfully event=[com.nordstrom.customer.event.OrderLineReturnReceived*") OR (index="k8s_main" cluster="nsk-oak-prod" "namespace"=app04096 "*doPost - RequestId*") OR (index=k8s_main container_name=fraud-single-proxy-listener message="Successfully sent payload to kafka topic=order-events-avro*" contextMap.eventType="OrderLineReturnReceived")<BR />| rename contextMap.orderId AS nefiOrderId contextMap.serviceTicketId AS nefiServiceTicketId<BR />| rex field=eventKey "\[(?&lt;omsOrderId&gt;.*)\]"<BR />| rex field=serviceTicketId "\[(?&lt;omsServiceTicketId&gt;.*)\]"<BR />| rex "RequestId:(?&lt;omniServiceTicketId&gt;.*? )"<BR />| rex "\"orderNumber\":\"(?&lt;omniOrderId&gt;.*?)\""<BR />| eval appId = mvappend(container_name, app)<BR />| eval orderId = mvappend(nefiOrderId, omsOrderId, omniOrderId)<BR />| eval serviceTicketId = mvappend(nefiServiceTicketId, omsServiceTicketId, omniServiceTicketId) <BR />| stats dc(_time) AS eventCount values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId<BR />| eval timeElapsed = now() - eventTime</PRE> <P>&nbsp;</P> Wed, 10 Aug 2022 22:03:04 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609087#M211784 scaparelli 2022-08-10T22:03:04Z https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609092#M211788 <P>This is probably a result of trailing spaces on your split by fields.</P><P>Your rex statement for serviceTicketId is greedy, in that it grabs everything</P><LI-CODE lang="markup">| rex field=serviceTicketId "\[(?&lt;omsServiceTicketId&gt;.*)\]</LI-CODE><P>If you do a final</P><LI-CODE lang="markup">| eval serviceTicketId=":".serviceTicketId.":"</LI-CODE><P>and the same with orderId you will see if there's a leading/trailing space.</P><P>Couple of other points - dc(_time) will count unique times, but if you have two events at the same time, you will only get 1. Should you use 'count' instead.</P><P>Also elapsedTime calculation will not work for the multivalue eventTime field.</P><P>You could do this&nbsp;</P><LI-CODE lang="markup">... | stats count AS eventCount min(_time) as firstEvent values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId | eval timeElapsed = now() - firstEvent</LI-CODE><P>or if you want to do elapsed time between first and last event of the particular ticket, do</P><LI-CODE lang="markup">... | stats count AS eventCount range(_time) as timeElapsed values(_time) AS eventTime values(appId) AS app BY serviceTicketId orderId</LI-CODE><P>Hope this helps</P><P>&nbsp;</P> Thu, 11 Aug 2022 00:10:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609092#M211788 bowesmana 2022-08-11T00:10:15Z https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609411#M211910 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;...</P><P>&gt;&gt; Your rex statement for serviceTicketId is greedy, in that it grabs everything</P><LI-CODE lang="markup">| rex field=serviceTicketId "\[(?&lt;omsServiceTicketId&gt;.*)\]</LI-CODE><P>&nbsp;</P><P>yes, that is true, ... one should almost never use the greedy grep(".*" )..</P><P>now, then, whats ur suggestion about how we should modify this rex?.. (i think we may need the logs to modify the rex, right)</P> Sat, 13 Aug 2022 17:18:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-similar-rows-not-grouping-together/m-p/609411#M211910 inventsekar 2022-08-13T17:18:30Z