https://community.splunk.com/t5/Splunk-Search/Missing-settlement-notification/m-p/658721#M227517 <P>Please edit your query to use code blocks</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bowesmana_0-1695714501872.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27329i2D767A3AA21BC37F/image-size/medium?v=v2&amp;px=400" role="button" title="bowesmana_0-1695714501872.png" alt="bowesmana_0-1695714501872.png" /></span></P><P>&lt;/&gt; to format it - as it stands is almost impossible to work out what is your query - plenty of strange things in there, including a random <STRONG>K</STRONG> and a <STRONG>plus sign</STRONG> and seemingly missing <STRONG>pipe</STRONG> symbols as well as missing double quotes where they would be expected and stats clauses that don't make a lot of sense.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 26 Sep 2023 07:50:47 GMT bowesmana 2023-09-26T07:50:47Z https://community.splunk.com/t5/Splunk-Search/Missing-settlement-notification/m-p/658707#M227515 <P>Event and Report extract rules</P><P>Use the payment business events to identify Transactions which have ACCP clearing status (NPP 1012.NPP 1013) with missing Settlement Notification event NPP 1040</P><P>"NPP 1033_CR_INBOUND "NPP 1012 CECARING_INBOUND"</P><P>• "NPP 1013_RETURN_INBOUND" I</P><P>"NPP 1040 SETTLEMENT RECEIVED" Report should include the following fields</P><P>Time from NPP 1033</P><P>TXID from NPP 1033 Amount from NPP 1012 or NPP 1013</P><P>&nbsp;</P><P>Already i have created query&nbsp;</P><P>&nbsp;</P><P>index-nch_apps_nonprod applications fis-npp source fis-npp-sit4 ((NPP 1012 CLEARING INBOUND OR NPP 1013 RETURN INBOUND) OR NPP 1033 CR INBOUND or</P><P>rex field-message "eventName=\"(?&lt;eventName&gt; *?)\"."</P><P>rex field-message "txId\"(?&lt;txId&gt;. *?)\,"</P><P>Κ</P><P>I rex field-message "amt=\"(?&lt;amt&gt;.2)\"." rex field-message ibm.datetime-(?&lt;ibm_datetime&gt; *),"</P><P>+</P><P>Participant</P><P>1 eval Participant substr(txId,1,8)</P><P>stats values(eventName) as eventName, min(ibt datetime) as Time, values(amt) as amt by (eventName, NPP 1840 SETTLEMENT RECEIVED) &lt; 0 table Time eventName Participant amt</P><P>where mycount (eventName)</P><P>&gt;= 3 AND mvfind (eventName, npp 1040) but not getting any result&nbsp;</P> Tue, 26 Sep 2023 04:41:43 GMT https://community.splunk.com/t5/Splunk-Search/Missing-settlement-notification/m-p/658707#M227515 Sekhar 2023-09-26T04:41:43Z https://community.splunk.com/t5/Splunk-Search/Missing-settlement-notification/m-p/658721#M227517 <P>Please edit your query to use code blocks</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bowesmana_0-1695714501872.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27329i2D767A3AA21BC37F/image-size/medium?v=v2&amp;px=400" role="button" title="bowesmana_0-1695714501872.png" alt="bowesmana_0-1695714501872.png" /></span></P><P>&lt;/&gt; to format it - as it stands is almost impossible to work out what is your query - plenty of strange things in there, including a random <STRONG>K</STRONG> and a <STRONG>plus sign</STRONG> and seemingly missing <STRONG>pipe</STRONG> symbols as well as missing double quotes where they would be expected and stats clauses that don't make a lot of sense.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 26 Sep 2023 07:50:47 GMT https://community.splunk.com/t5/Splunk-Search/Missing-settlement-notification/m-p/658721#M227517 bowesmana 2023-09-26T07:50:47Z