Hi @slearntrain, yes, sorry: I forgot the second part of the if statements, but now it's correct. what's the format you would for the results? With this earch you have in the same row: appid flowname endNBflow endPayload diff if you want to have in different rows endNBflow and endPayload, where do you want to put the difference? Could you indicate how would you have the results? Ciao. Giuseppe

@ITWhisperer I have modified the changes as per your suggestion in the macros. But now I am seeing issue persist with the data. When I select for 7 days, data is visible in a dashboard. Query and dashboard screenshot is attached below. index="tput_summary" sourcetype="tput_summary_1h" | bin _time span=h | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count | where like(LocationQualifiedName, "%/Aisle%Entry%") | strcat "raw" "," location group_name | search LocationQualifiedName="*/Aisle*Entry*" OR LocationQualifiedName="*/Aisle*Exit*" | strcat "raw" "," location group_name | timechart sum(count) as cnt by location When I have select for 30 days . There is no data visible in a dashboard. You can see query also. index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="h" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count | where like(LocationQualifiedName, "%/Aisle%Entry%") | strcat "raw" "," location group_name | search LocationQualifiedName="*/Aisle*Entry*" OR LocationQualifiedName="*/Aisle*Exit*" | strcat "raw" "," location group_name | timechart sum(count) as cnt by location    

Have there been any updates on methodologies for extacting multiple metrics in a single mstats call?  I can do the work with a join across _time and dimensions held in common, but after about 2 metrics, the method gets a bit tedious.

Hi gcusello,  Thank you for responding. unfortunately, I didn't quite get what I was looking for. Initially, when I ran your query, I got the error that if command does not meet the requirement. So I had to add the true/false parameters. As I am looking for infotime for each of the steptypes, I added in the true section. -- "latest(eval(if(steptype="endNBflow", infotime,0)))" Now, I need to find the "diff" (responseTime) in the table equivalent to the appid as that is the response time for the message. I have modified your query based on the time formats that I want:   index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3" | rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\"" | rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\"" | rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\"" | rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" | stats latest(eval(if(steptype="endNBflow", infotime,0))) AS endNBflow latest(eval(if(steptype="end payload",max(infotime),0))) AS endPayload BY appid flowname|eval endNBflowtime=strptime(endNBflow,"%Y-%m-%d %H:%M:%S,%3N")| eval endPayLoadtime=strptime(endPayLoad,"%Y-%m-%d %H:%M:%S,%3N")|eval diff=endpayloadtime-endNBflowtime|eval responseTime=strftime(diff,"%Y-%m-%d %H:%M:%S,%3N") But now how to bring the response time in the table format corresponding to the appid?  

Try using where and like() instead of search index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="h" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count | where like(LocationQualifiedName, "%/Aisle%Entry%") | strcat "raw" "," location group_name

How about this search index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="h" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count

What does this search return? index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="h" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count | search LocationQualifiedName="*/Aisle*Entry*" | strcat "raw" "," location group_name

It should work. Here is how I have it set up: log sample: (at /tmp/hashlogs) ##start_string ##time = 1711292017 ##Field2 = 12 ##Field3 = field_value ##Field4 = somethingelse ##Field8 = 1 ##Field7 = 12 ##Field6 = 1 ##Field5 = ##end_string ##start_string ##time = 1711291017 ##Field2 = 12 ##Field3 = field_value2 ##Field4 = somethingelse3 ##Field8 = 14 ##Field7 = 12 ##Field6 = 15 ##Field5 = ##end_string ##start_string ##time = 1711282017 ##Field2 = 12 ##Field3 = asrsar ##Field4 = somethingelsec ##Field8 = 1 ##Field7 = 12 ##end_string   inputs.conf (on forwarder machine) [monitor:///tmp/hashlogs] index=main sourcetype=hashlogs props.conf (on indexer machine) [hashlogs] SHOULD_LINEMERGE = false LINE_BREAKER = ([\n\r]+)##start_string   Result: (search is index=* sourcetype=hashlogs)    

@ITWhisperer While expanding macros I am getting below search : index="tput_summary" sourcetype="tput_summary_1d" | bin _time span="h" | table + _time LocationQualifiedName location date_hour date_mday date_minute date_month date_month date_second date_wday date_year count | search LocationQualifiedName="*/Aisle*Entry*" | strcat "raw" "," location group_name | timechart sum(count) as cnt by location Above search is not producing any results.  

It seems like this is an issue with the scheduled task settings. To make the process run in the background, you could set it to "Run whether user is logged in or not", or you could set it to run as the SYSTEM user. You could also try using powershell to run a bat file containing your command(s): powershell "start <executable path> -WindowStyle Hidden"  

Hi why you want keep kvstore running on your HFs? Usually it’s not needed there! Only reason why you need it, is some modular input which keep its checkpoint there. Usually this means that you have wrote it by yourself. If you really need it, then add HF as indexer on your MC and use it for monitoring. r. Ismo