Hello Friends, I have an interesting query that I would like help on. I have three transactions that we are tracking and I would like to create a graph that has the three transaction time categories and their averages. I am able to graph the three graphs together, and I can do their average individually, but I need help combining them together. My code to show all of the different graphs are: |multisearch [search ( index="a" addinventory InboundInventoryChangeElement ) | eval addTime = if(actionelementname=="AddInventory",strftime(strptime(length,"%H:%M:%S.%f"),"%S.%f") ,length) |where addTime>0 ] [search ( index="a" SWAPinventory InboundInventoryChangeElement ) | eval swapTime = if(actionelementname=="SwapInventory",strftime(strptime(length,"%H:%M:%S.%f"),"%S.%f") ,length) |where swapTime>0 ] [search ( index="a" removeinventory InboundInventoryChangeElement ) | eval removeTime = if(actionelementname=="RemoveInventory",strftime(strptime(length,"%H:%M:%S.%f"),"%S.%f") ,length) |where removeTime>0 ] |table _time, addTime, swapTime, removeTime And here is my search for the averages. index="a" addinventory InboundInventoryChangeElement | eval addTime = strftime(strptime( length,"%H:%M:%S.%f"),"%S.%f") |where addTime>0| table _time, addTime | join [ search index="a" addinventory InboundInventoryChangeElement | eval addTime = strftime(strptime( length,"%H:%M:%S.%f"),"%S.%f") |where addTime>0 |stats avg(addTime) as AverageAddTime] The other two searches are the exact same except it the variables are different for the add, swap, and remove. Any help would be greatly appreciated!  Also, if there is an easier way rather than joins and multisearches, please let me know! Thank you!!!

We have 2 types of orders in the system, some are entered manually by phone and some are processed automatically as they are fed by other systems. The way I can differentiate is by the order timestamps: Phone orders do not contain miliseconds in the order timestamp (2022-09-16T17:07:41Z) Orders filled automatically by other systems contain miliseconds (2022-09-16T16:22:28.573Z) I am calculating the processing delays on these orders but I want to display the results on 2 rows: 1. Phone orders max delays 2. System orders max delays Here is what I am using now: MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" offset_field=_extracted_fields_bounds | rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" offset_field=_extracted_fields_bounds0 | eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N")) | stats max(Delay) Note: the goal is not to add or remove the miliseconds information    

Hey Team,  I am trying to generate a search which returns a complete set of results from today and then compares it with a search whereby the results only came in between 4-5pm.  I then want to work out the precentage of results which came in between 4-5pm. So far I have:   With the **** being where I think I need to timeframe search? Thanks!

I am running a query where the following fetches the latency above 1000 milliseconds: As you can see the query uses stats and a where clause to yield approximately 60 results  When I try to timechart this data-replacing stats with streamstats: I am now getting 26K+ events. Why is my timechart not reflecting the 60 results I was fetching when using the stats command? 

I am trying to an eval with like to assign priority to certain IPs/hosts and running into an issue where the priority is not being assigned. I am using network data to create my ES asset list and I have a lookup that does IP to cidr range and then returns the zone the IP is associated with. Later in my search I rename zone to bunit and right after that I am testing the eval as follows: | eval priority=if(like(bunit,"%foo%"), "critical" , "TBD") As I am testing the search at the end of my search I have: | table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface | search bunit=*foo* I get a list of all foo related bunit events, but the priority field is set to "TBD"   Would appreciate any help - thx

Hi, I'm trying to use match-pattern - regex inside the app-agent-config.xml in our java microservice, but it does not work properly. E.g.: <sensitive-url-filter delimiter="/" segment="3,4,5,6" match-filter="REGEX" match-pattern=":" param-pattern="myParam|myAnotherParam"/> this should mask selected segments that contains : but it masks everything. If I do match-pattern="=" it works as expected (masking segment that contains "=" in the string) Another examples that do not work (they mask everything): match-pattern=":" match-pattern="\x3A" (3A is ":" in ASCII table) match-pattern="[^a-z¦-]+" (should return true if there is anything other than lower letters and "-") match-pattern=":|=" Thank you Best regards, Alex Oliveira

Considering 2022-06 as starting month,  If month is 2022-07, i should assign 2022-06's corresponding field values " greater_6_mon" to 2022-07's field "prev" , likewise to 2022-08 as well Here are my values : month            prev          greater_6_mon 2022-06                                    26 2022-07                                      2 2022-08                                      1 expected result: (please suggest) month            prev      greater_6_mon 2022-06            0             26 2022-07           26            2 2022-08            2              1