All Posts


If you examine and try to understand the solution I posted, you will see there is a not equals condition on the regex. Perhaps you could have figured out for yourself that you could simply change not equals to equals! | regex Name="NODATA"
Hi ITWhisperer, Thank you for your response. But the query which you have provided is eliminating the job name that contains NODATA string, but we only need that job name that contains NODATA string, rest all jobs, we can eliminate. Kindly help us on this. Thank you
Wait a second. What does it have to do with any events returned from the index? So far you're only operating on the data from the lookup. Also, unless for displaying (but even then it's... a disputable practice), you don't want to merge values into multivalued fields this way. You'll effectively get two multivalued fields with no connection between them whatsoever. So if you wanted to sort one of them (for example to list passed exams before failed ones or vice-versa) you can't reorder the other field the same way. They are just two separate fields with multivalued contents but there is no relationship between those contents. (and should any of those values prove to be empty, the whole field will "squash" so you will not have any spaces between values).
You are on the right lines with streamstats - please share some sample anonymised events for us to work with to find you a solution.
Try something like this:  <your search> ... | eval exam_result=mvzip(ExamID, Status, "~") | fields - ExamID Status | mvexpand exam_result | eval ExamID=mvindex(split(exam_result, "~"), 0), Status=mvindex(split(exam_result, "~"), 1) | eval extra_status = if(ExamID>=120 AND ExamID<=125 AND match(Status, "Pass"), "GOOD", null())
You could try extracting each job as a complete event, before extracting the individual fields. You can then filter out the jobs you don't want (btw, your regex seems to have way too many backslashes, but you may need them if your actual data is different to the example you shared) | rex max_match=0 "(?<job>\\\\\"jobname\\\\\":\s*\\\\\"[^\\\]+.*?\\\\\"status\\\\\":\s*\\\\\"ENDED OK.*?Timestamp\\\\\": \\\\\"\d+\s*\d+\:\d+\:\d+.*?execution_time_in_seconds\\\\\": \\\\\"[\d\.\-]+)" | mvexpand job | rex field=job "\\\\\"jobname\\\\\":\s*\\\\\"(?<Name>[^\\\]+).*?\\\\\"status\\\\\":\s*\\\\\"(?<State>ENDED OK).*?Timestamp\\\\\": \\\\\"(?<TIME>\d+\s*\d+\:\d+\:\d+).*?execution_time_in_seconds\\\\\": \\\\\"(?<EXECUTION_TIME>[\d\.\-]+)" | regex Name!="NODATA" | table TIME Name State EXECUTION_TIME  
I can find my DBConnect input inside the "/app/splunk/var/log/splunk/splunk_app_db_connect_job_metrics.log" log. It pretty much runs a "Select * from a table" every 4 hours and sends the results to an index. It always runs to completion with a "status=COMPLETED" but at times it finishes with an 'error_count > 0' and we notice that we don't get those log events added to the index for that run. Where can I see what these errors are and why they are generated?
"Your Splunk license expired". Does it ring a bell?
@dtburrows3 @gcusello @PickleRick @ITWhisperer - Kindly help
I need to do this for multivalues which is not working. 
@deepakc Thank you for the reply. _raw data is not static; it is going to change every minute. Could you please let me know how to use "eval" for data which is going to change?
Try this | inputlookup userinfo | eval fourth_result=if(ExamID>=120 AND ExamID<=125,"GOOD","OTHER")
Greetings, I have just started using Splunk and I was trying to monitor logs from my files section, and I am getting the following errors while doing so, help me. I am using a heavy forwarder for this. I have added my forwarder port to 192.168.196.51:9997 and also made a receiver on port 9997. I don't know where I am making a mistake. Please help me with this. Thanks and Regards.
This is an example using makeresults and rex | makeresults | eval _raw="Test1=101,Test2=102,Test3=103,Test4=104,Test5=105,Test6=106,Test7=107,Test8=108,Test9=109,Test101=110" | makemv _raw delim="," | rex field=_raw "(?<field>Test7)=(?<value>\d+)" | table field value
Sample "testput.log" file as below:
Hi, try using kvform (https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Kvform). Ciao. Giuseppe
Refer below sample log file - there are 2 log files "testget.log" & "testput.log" Sample "testget.log" file as below:
I need to create a dashboard panel merging two different search queries. I have below two queries: Kindly help on this request.

index=test_index source=/applications/test/*instance_abc* ("<--- TRN:" OR "Priority" OR "---> TRN:" OR "AP sent to" OR "AH sent to" OR "MP sent to")
| rex field=_raw "Priority\=(?<Priority>[^\,]+)"
| rex "(?:\={3}\>|\<\-{3})\s+TRN[^\:]*\:\s+(?<trn>[^\s]+)"
| rex "TEST\.RCV\.FROM\.(?<TestMQ>.*)\@"
| stats count(eval(Priority=="Low")) as Low, count(eval(Priority=="Medium")) as Medium, count(eval(Priority=="High")) as High, values(TestMQ) as TestMQ by trn
| stats sum(Low) as Low, sum(Medium) as Medium, sum(High) as High by TestMQ
| addtotals fieldname="TotalCount"
| sort by TotalCount desc

This gives me output as below:

TestMQ | Low | Medium | High | TotalCount

The 2nd query is below:

index=test_index source=/applications/test/*instance_abc* ("<--- TRN:" OR "Priority" OR "---> TRN:" OR "AP sent to" OR "AH sent to" OR "MP sent to")
| eval field=split(source,"/")
| eval Instance=mvindex(field,4)
| chart count(eval(searchmatch("from"))) as Testget count(eval(searchmatch("sent to"))) as Testput count(eval(searchmatch("AP sent to"))) as AP count(eval(searchmatch("AH sent to"))) as AH count(eval(searchmatch("MP sent to"))) as MP by Instance
| eval Pending = Testget - (AP + AH)
| sort Testget desc

This gives me output as below:

Instance | Testget | Testput | AP | AH | MP | Pending

I am looking for merging both the queries together and get the final output based on Pending volume for Low, Medium and High priority counts.

Select: Low, Medium, High (From the Dashboard dropdown)

Output Expected:

TestMQ | Low-Testget | Low-Testput | Low-AP | Low-AH | Low-MP | Low-Pending
TestMQ | Medium-Testget | Medium-Testput | Medium-AP | Medium-AH | Medium-MP | Medium-Pending
TestMQ | High-Testget | High-Testput | High-AP | High-AH | High-MP | High-Pending
I have a lookup like this:

Name | Status | ExamID
John | Pass | 123
Bob | Pass | 345
John | Fail | 234
Bob | Pass | 235
Smith | Fail | 231

My events have Name alone as the unique identifier.

I wrote my query like this:

index=userdata [ | inputlookup userinfo.csv | fields Name ]
| lookup userinfo.csv Name as Name OUTPUT Status as Status ExamID as Identifier

Via the first subsearch I extracted only the events that belong to names present in the table, and then I tried to output the status and ExamID for those names. Based on the combination of these 3 in the event, I need to evaluate a fourth result.

John - Pass - 123 ->> In this, if ExamID falls between 120 and 125, I need to print the value for the fourth field as "GOOD".

However, while I am printing output from the lookup I got multivalues like this. Then I tried to do mvappend and that did not work correctly. So how to do this correctly?

John | Pass Fail | 123 234
Hi Team, Good day!

We have extracted the set of job names from the event using the below rex query.

index=app_events_dwh2_de_uat _raw=*jobname*
| rex max_match=0 "\\\\\\\\\\\\\"jobname\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<Name>[^\\\]+).*?\\\\\\\\\\\\\"status\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<State>ENDED OK).*?Timestamp\\\\\\\\\\\\\": \\\\\\\\\\\\\"(?<TIME>\d+\s*\d+\:\d+\:\d+).*?execution_time_in_seconds\\\\\\\\\\\\\": \\\\\\\\\\\\\"(?<EXECUTION_TIME>[\d\.\-]+)"
| table "TIME", "Name", "State", "EXECUTION_TIME"
| mvexpand TIME
| dedup TIME

After using the above query we have obtained the result in the table format like below.

TIME | Name | State | EXECUTION_TIME
20240417 21:13:23 | CONTROL_M_REPORT | ENDED OK | 73.14
 | DWHEAP_FW_BHW | ENDED OK | 80.66
 | DWHEAP_FW_TALANX | ENDED OK | 80.18
 | DWHEAP_TALANX_LSP_FW_NODATA | ENDED OK | 3.25
 | SALES_EVENT_TRANSACTION_RDV | ENDED OK | 141.41

Is it possible to extract only the jobs whose names contain the string NODATA from the above set of job names?

Below is the sample event for the above one.

Dataframe row : {"_c0":{"0":"{","1":" \"0\": {","2":" \"jobname\": \"CONTROL_M_REPORT\"","3":" \"status\": \"ENDED OK\"","4":" \"execution_time_in_seconds\": \"46.39\"","5":" \"Timestamp\": \"20240418 12:13:23\"","6":" }","7":" \"1\": {","8":" \"jobname\": \"DWHEAP_FW_AIMA_001\"","9":" \"status\": \"ENDED OK\"","10":" \"execution_time_in_seconds\": \"73.14\"","11":" \"Timestamp\": \"20240418 12:13:23\"","12":" }","13":" \"2\": {","14":" \"jobname\": \"DWHEAP_FW_BHW\"","15":" \"status\": \"ENDED OK\"","16":" \"execution_time_in_seconds\": \"71.19\"","17":" \"Timestamp\": \"20240418 12:13:23\"","18":" }","19":" \"3\": {","20":" \"jobname\": \"DWHEAP_FW_NODATA\"","21":" \"status\": \"ENDED OK\"","22":" \"execution_time_in_seconds\": \"80.63\"","23":" \"Timestamp\": \"20240418 12:13:23\"","24":" }","25":" \"4\": {","26":" \"jobname\": \"DWHEAP_FW_TALANX\"","27":" \"status\": \"ENDED OK\"","28":" \"execution_time_in_seconds\": \"80.20\"","29":" \"Timestamp\": \"20240418 12:13:23\"","30":" }","31":" \"5\": {","32":" \"jobname\": \"DWHEAP_FW_UC4_001\"","33":" \"status\": \"ENDED OK\"","34":" \"execution_time_in_seconds\": \"80.13\"","35":" \"Timestamp\": \"20240418 12:13:23\"","36":" }","37":" \"6\": {","38":" \"jobname\": \"DWHEAP_TALANX_LSP_FW_NODATA\"","39":" \"status\": \"ENDED NOTOK\"","40":" \"execution_time_in_seconds\": \"120.12\"","41":" \"Timestamp\": \"20240418 12:13:23\"","42":" }","43":" \"7\": {","44":" \"jobname\": \"RDV_INFRASTRUCTURE_DETAILS\"","45":" \"status\": \"ENDED OK\"","46":" \"execution_time_in_seconds\": \"81.16\"","47":" \"Timestamp\": \"20240418 12:13:23\"","48":" }","49":" \"8\": {","50":" \"jobname\": \"VIPASNEU_STG\"","51":" \"status\": \"ENDED OK\"","52":" \"execution_time_in_seconds\": \"45.04\"","53":" \"Timestamp\": \"20240418 12:13:23\"","54":" }","55":"}"}}

Please look into this and kindly help us in extraction of the job which contains string NODATA from the above set of job names that has been extracted.
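Both the lookup question and the job-name question above end up with several multivalue fields on one result row, so a filter has to work on one row per job rather than on the whole event. The search below is an added example, not taken from any post on this page: it rebuilds the result table from the job-name post with makeresults (so it runs without the index), pairs the values by position with mvzip, expands them, and only then applies regex Name="NODATA"; the field names pair and part are assumptions.

```spl
| makeresults
| eval TIME="20240417 21:13:23"
| eval Name=split("CONTROL_M_REPORT,DWHEAP_FW_BHW,DWHEAP_FW_TALANX,DWHEAP_TALANX_LSP_FW_NODATA,SALES_EVENT_TRANSACTION_RDV", ",")
| eval State=split("ENDED OK,ENDED OK,ENDED OK,ENDED OK,ENDED OK", ",")
| eval EXECUTION_TIME=split("73.14,80.66,80.18,3.25,141.41", ",")
| eval pair=mvzip(mvzip(Name, State, "|"), EXECUTION_TIME, "|")
| fields TIME pair
| mvexpand pair
| eval part=split(pair, "|")
| eval Name=mvindex(part, 0), State=mvindex(part, 1), EXECUTION_TIME=tonumber(mvindex(part, 2))
| regex Name="NODATA"
| table TIME Name State EXECUTION_TIME
```

The same zip-and-expand step applies to the Status and Identifier values returned by the lookup in the earlier post, after which the ExamID range can be tested per row with eval. mvzip pairs values purely by position, so it is only reliable when every field holds exactly one value per job or per lookup row.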