version : splunk  enterprise 8.1.3 I have a datasource with a field that is either an ip address. The following ip addresses are examples. If i do a search for a ip the response time is quite good. earliest=05/30/2022:00:00:00 earliest=05/30/2022:04:00:00 index=firewall src_ip=1.1.1.1 But, If i do a search for a ip the response time is slow. earliest=05/30/2022:00:00:00 earliest=05/30/2022:04:00:00 index=firewall src_ip=2.2.2.2 Is there a reason for the difference in search speed depending on the IP? 

Similar to https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-all-fields-from-userdata/m-p/596078#M207501 Could you please help me with this I use       source=http:splunk_ecp_IPC2_kafka_logs sourcetype=yo_kafka_logs properties YoRouterLoggingInterceptor | rex "properties=(?\{.*\})" |table chatOriginUrl,firstName,lastName, conversationId,clientSourceId,engagedHandler       The string is       30 May 2022 08:38:20,741 log_level='DEBUG' thread_name='yoRouterExecutor-9' hostName=yo-router-b-deployment-39-gb2hf class_name='com.al.wsgcat.ngsp.yo.logging.YoRouterLoggingInterceptor' app=NGSPYO event_name=YOROUTER correlationId=BLiLDEyd-24052022-070434975 URI=https://yo.al.com/yo/gateway/v1/handleRouting,Method=POST,Headers=[Accept:"application/json", Content-Type:"application/json", Content-Length:"2388"],Request body={"yoMessage":{"messageText":"Representative has disconnected","from":null,"to":"mglueck@ngspchattims.al.com","properties":{"lineOfBusiness":"MYCA","messageCategory":"returningasync","messageCount":"","yoId":"svc.yo7@ngspchattims.al.com/Smack","transferIntentCode":"","experience":"platinum","checkoutStatus":"","customerMemberConnectionId":"44f4d6263627d8267385ea64d8bfc057","requestHandler":"","messageType":"ccpdisconnected","browserVersion":"Chrome 101.0.4951.61","action":"","workGroupName":"Social_Media_Team","chatType":null,"aao_locale":"en-US","microBotIntent":null,"deviceType":"mobile","applicationVersion":"1.0","interactionId":"159MS6U2J6NFHGP4","clientSourceId":"smrt","deviceOS":"Android 12","chatOriginUrl":"https://online.al.com/myca/mycaassist/us/startChat.do?request_type=authreg_home","messageId":"f3b5c925-2ac9-41a5-9917-41b0edb9e065","chatSessionId":"s_675f1a75-94b7-4e02-a240-94ef07b25c6e","masterBotIntent":null,"messageOrigin":"ccp","firstName":"J","userGroups":"","intentCode":"offers_generic","alSession":"","bbv":"6cf84eea-a1270454-e62fd5be-273cb071","smallCustomerArt":"","escalationIndicator":"","customerNumber":"CRPXMSYRO9UK7P3","riskflag":"","queuedTimeStamp":"","toId":"svc.yo24@ngspchattims.al.com/Smack","lastName":"","conversationHeader":"","customerProduct":"137","correlation-id":"f3b5c925-2ac9-41a5-9917-41b0edb9e065","channel-user-id":"44f4d6263627d8267385ea64d8bfc057","locale":"en-US","gatekeeper":"DF25AD3025E28FFB6B6C8701A1DA0DEEF8DA561973401A20FDC35FBFDB68118DEF63E653045C3B52BCDADCE57398C054AEA7B99DCD0FA2B1628E31E96AFE7BC0EC16F04DF6BA0CF2406C14EF3BFC6ECD73F4F8CC155AAD568EB6F44816A8C576667749FA70F9B9F48A99EC3723D2AEABEF11BBC65DB47E317B99BB95CC71D8D03B394999B87CC149618E59061DD0AD06A","historicalChat":"","confidenceScore":"","creditFlag":"N","engagedHandler":"mglueck","botId":"","channelId":"web","productCreatedDate":"","conversationId":"","conversationTopic":null,"languageId":"US","customerMemberId":"","ccpId":"mglueck","sessionId":"itc_9d9907d7-e64d-475f-b9ea-21b26e6b2797","globalCustomerMemberId":"","pegaMessageId":null,"createdDate":"2022-05-30T15:38:18.481Z","customerMemberIPAddress":"192.16.1","waitTime":"1358"}},"routeCode":"CCP","xmppId":"mglueck"}      

I encounter with strange issue when i use transaction and at the end sort by duration it show highest duration is 15000 but when i remove transaction it show 17000 as highest duration!!! FYI1:correct value is 17000 and there is no special filter exist here! FYI2:duration directly print in log i just use transaction to aggregate two lines.   Here is with transaction command: | rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | sort - duration | table duration actionName username   Here is without transaction: | rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" | sort - duration | table duration actionName username   Here is the log: 2022-05-30 12:39:34,262 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262] 2022-05-30 12:42:26,109 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]   any idea? Thanks

Hi try to use transaction command, but actionName is empty!   Here is my SPL | rex "actionName.*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<duration>\d+)" | rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | table duration actionName username Here is the current result: duration    actionName    username   171847                                           ABC      Here is the expected result: duration            actionName           username   171847    QueryOnData.Allow     ABC       Here is the log: 2022-05-30 12:39:34,262 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262] 2022-05-30 12:42:26,109 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]

I received this image from support and I would like to create a panel in my dashboard to mimic this information.  How would I go about doing that?  I was trying with the current query, but am not having luck.       index=_introspection data.normalized_pct_cpu=* sourcetype=splunk_resource_usage host=idx* | stats avg(data.normalized_pct_cpu) AS cpu_usage BY host | table host cpu_usage         I am using data.normalized_pct_cpu as the docs state that it is Percentage of CPU usage across all cores. 100% is equivalent to all CPU resources on the machine, which seems to be what I want but not sure if that is the best way to go about this.

Hi All, I referred the following https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-the-page-last-updated-time-in-the-dashboard/m-p/599698#M49203 to display the last refreshed/updated date-time on the dashboard. In my case, it uses my local system's timezone to display the result. I changed the timezone in Splunk from default to EST, but it still takes and displays time as per local timezone. Can anybody please share a way to display the date time for a specific timezone irrespective of the local timezone on which the dashboard is being accessed?  Thank you

Hi I have a string like below, how can I extract all key value between brackets (keys vary)? Arg[2]: NetworkPacket{trace='0'errCode=''dateTimeLocalTransaction='Mon May 30 00:00:00 IRDT 2022'dateTimeLocalTransactionTo='Mon May 30 23:59:59 USDT 2022'selectedTerminalTypes='[]'UDPApproveTermID='', dateEnd=null', referenceID='', selectedFlowTypeMaps=[]}   for above string out put like this: trace=0 errCode= dateTimeLocalTransaction=Mon May 30 00:00:00 USDT 2022 dateTimeLocalTransactionTo=Mon May 30 23:59:59 USDT 2022 selectedTerminalTypes= UDPApproveTermID= dateEnd=null referenceID= selectedFlowTypeMaps=   Thanks,