The first two lines from the above search are just setting up the data that YOU provided in your question. The last two lines are using THAT data to produce the results that you want. You have to ADAPT the search to YOUR instance, it is not a complete solution, but you only provided a fraction of what was needed for a complete solution.

Hi Renjith thanks for your reply. I tried this on the following

FullRunLatency

freq (%): 0 0 0 0 0 0 0 0 0 0 0.1 18.9 15.8 1.8 <0.1 12.6 11.4 2.8 22.9 6.6 1.3 4.0 0.8 0.2 0.1 <0.1 <0.1

count: 0 0 0 0 0 0 0 0 0 0 136 17365 14542 1699 35 11592 10494 2589 21078 6059 1256 3693 806 238 104 67 8]

but unfortunately did not work .

@luckyman80, so the event starts with freq (%) and not count ? Then you need to replace count with freq(%) in the above search. Also what are thoese "<" symbols ? Do you need to consider those as well?

In between @cpetterborg 's answer below is the better one - but you might need to replace count with freq(%) there as well

sorry I think I confused things... I only care about the count line but was showing that there was an additional identifier above (FullRunLatency ) I ran you rex againsnt the above but it doesn't pull out the line correctly. I checked the other example from cpetterborg but that's actually using the numbers from the logs when of course they will be different every time .

Thanks Guys..nearly there

Additional the error I get is Error in 'rex' command: Invalid argument: '2.'

@luckyman80,try @cpetterborg answer below. Use only below part in your search and accept his answer if it helped you.

| rex field=data max_match=0 " (?<val>\d+)"
 | eventstats sum(val) as total