https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269538#M81107 <P>Try this</P> <PRE><CODE>...| rex ":(?&lt;irr&gt;[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr </CODE></PRE> Thu, 10 Dec 2015 21:07:58 GMT sundareshr 2015-12-10T21:07:58Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269537#M81106 <P>Hi,</P> <P>I have created a search to get the order of specified Events from hosts.</P> <PRE><CODE>index=*SC "SPK CONLOC SERVER RECEIVED R" | transaction host </CODE></PRE> <P>10.12.2015 12:02:29 SPK CONLOC SERVER RECEIVED R B:B002: 16: 5: 5137: 2926:2:40:9:<STRONG>P</STRONG>:<BR /> 10.12.2015 12:11:16 SPK CONLOC SERVER RECEIVED R B:ROAD: 1: 1: 6618: 566:1:40:9:<STRONG>D</STRONG>:<BR /> 10.12.2015 12:19:22 SPK CONLOC SERVER RECEIVED R B:B002: 16: 3: 5137: 2799:2:40:9:<STRONG>P</STRONG>:<BR /> 10.12.2015 12:25:13 SPK CONLOC SERVER RECEIVED R B: 6587: 410:1:40:2:<STRONG>D</STRONG>:<BR /> 10.12.2015 12:31:17 SPK CONLOC SERVER RECEIVED R B:A002: 13:15: 5016: 1967:1:40:9:<STRONG>P</STRONG>:<BR /> 10.12.2015 12:38:11 SPK CONLOC SERVER RECEIVED R B: 6175: 166:1:40:9:<STRONG>D</STRONG>:<BR /> 10.12.2015 12:43:59 SPK CONLOC SERVER RECEIVED R B:B002: 20: 9: 5298: 3183:1:40:9:<STRONG>P</STRONG>:<BR /> 10.12.2015 13:16:20 SPK CONLOC SERVER RECEIVED R B: 6130: 445:1:40:9:<STRONG>D</STRONG>:</P> <P>Normally, the order is the P D P D P D P D. When this happens, everything is ok. We are searching for the sequence when it looks like P P D P D P or P D D P D P .</P> <P>Best regards,<BR /> Axel</P> Thu, 10 Dec 2015 14:41:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269537#M81106 zhonk 2015-12-10T14:41:36Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269538#M81107 <P>Try this</P> <PRE><CODE>...| rex ":(?&lt;irr&gt;[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr </CODE></PRE> Thu, 10 Dec 2015 21:07:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269538#M81107 sundareshr 2015-12-10T21:07:58Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269539#M81108 <P>Hi,<BR /> thanks about your answer, in combination with transaction the streamstats functions will not work. I add at the streamstats command <STRONG>by host</STRONG> and Splunk made a Filter on Host.I have retype the search and get all I need. </P> <P>index=*SC "SPK CONLOC SERVER RECEIVED R" | sort host | rex ":(?<IRR>[A-Z]):$"| streamstats current=f window=1 first(irr) as pirr by host | table _time,host, pirr, irr | where pirr=irr</IRR></P> <P>Best regards<BR /> Axel</P> Fri, 11 Dec 2015 08:26:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269539#M81108 zhonk 2015-12-11T08:26:22Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269540#M81109 <P>If this answers your question, please mark it as answered so it can be closed. Thanks</P> Fri, 11 Dec 2015 13:07:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269540#M81109 sundareshr 2015-12-11T13:07:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269541#M81110 <P>Is it correct with Accepted Answer? It is my first question.</P> Fri, 11 Dec 2015 13:13:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-irregularities-in-the-sequence-of-events/m-p/269541#M81110 zhonk 2015-12-11T13:13:36Z