Just did a quick and dirty adjustment on my local instance and timestamp started reflecting correctly however we have to understand that a time has three aspects to it: 1) TimeZone in raw logs (Tokyo) 2) TimeZone of Indexer (??) 3) Timezone of User accessing the data (??) I restarted my local laptop Spluk instance with updating my laptop timezone to Tokyo timezone and also changed my Splunk user timezone to Tokyo in the Splunk > Usernmae> EditAccount > TimeZone. After that when I upload your sample data it detected the way you want it. Having said that: This maybe what you want to achieve but is not advisable as Splunk will try to index the data by offsetting timezones depending on which timezones its indexers/users are in so that there are no mismatches and everyone gets a "localized" view. Hope that it helps. ... View more

Thanks if it helped, then please accept or upvote the answer.. Updating it in original answer ... View more

An event "AlertId1,Duration1" if occurred at time T1 and at time T2, then for Splunk it is two different events as it happened at two different times. Keeping that in context a duplicate event will be when "AlertId1, Duration1, T1" occurs twice. This above scenario can be deduplicated by using dedup command as follows: your base query to return fields alertId, duration | dedup _time, alertId, duration | complete your query or if you want to deduplicate the data you are getting irrespective of the time it gets indexed at try your base query to return events | dedup _raw | complete your query ... View more

actually in my rex the value where I stroed was ?<k3Value> hence you should have used that name | stats count by k3Value and not actually the value of key3. Now since you have changed it to ?<key3> so yes this query will work. I think what confused you was I called my extraction as "k3Value" and you assumed it to be the value of key3 rather than using the fieldname which was k3Value. So if it works so please accept the answer and upvote. ... View more

Can you try this query and see if you get results or not as I have put in the regex based on the new json given: | makeresults |eval x="{ \"key1\": \"123456\", \"key2\": \"{\"key21\":\"(123)-456-7890\",\"key22\":\"valueForkey22 \",\"key23\":\"valueForkey23\"}\", \"key3\": \"valueForkey3\", \"key4\": \"11/04/2016 00:00:00 CDT\", \"key5\": \"Thu Nov 03 08:34:19 CDT 2016\" } " | rex field=x "\"key3\"\s*\:\s*\"(?<k3Value>[^\"]+)\"\," | stats count by k3Value and if you do then there shouldn't be any reason why you don't get the results out of yourBase query | rex "\"key3\"\s*\:\s*\"(?<k3Value>[^\"]+)\"\," | stats count by k3Value ... View more

what do u mean by values are dynamic...? you mean this string "key3" is dynamic? Can you please paste some actual samples and highlight the terms you want to do a grouping on? if key3 is already an extracted field where key3=value then your command should have worked. ... View more

use \. to escape your dots. Maybe thatts whats putting it off as dot is a special charater in regex. and try to close off that regex with a pipe after your round bracket grouping (fil|fidc|wc|tr0|asr|[0-9][0-9[0-9]rtr-1.fmr.com|rtr-2.fmr.com)\| ... View more

Extract that value from your json using regex and then count on that extracted field like: yourBaseQuery to return you json | rex "\,\"key3\"\:\"(?<k3Value>[^\"]+)\"\,\".*" | stats count by k3Value Since the term k3Value in extracted field might be confusing so renaming it as per comments and considering updated json yourBaseQuery to return you json | rex "\,\"key3\"\s*:\s*\"(?<k3Field>[^\"]+)\"\,\".*" | stats count by k3Field *Updating based on the comments: * yourBaseQuery to return json | rex max_match=0 "\"(?<key>\w+)\"\s*\:\s*(?<value>[^,]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | table key value If above gets you the table of key and value, in the end of the above query just append below which should give you result stats count by value | where key="key3" ... View more

use the similar regex...in your regex you are extracting only 6 elements whereas your data has 8 elements..can you try to put a .* in the end to allow the remaining fields and see if that works, or extract all 8 fields via regex to match to data coming. ... View more

Looking at these lines of your output it makes me believe time being returned is already seconds and we do not need to divide anything (That is if you divided by 60 in | eval timeDiff=if(ip=newIp,(_time - newTime)/60, 0) 😞 1 10.60.0.8 2016-11-03 00:03:28 0 2 10.60.0.8 2016-11-03 00:03:28 0 10.60.0.8 3 10.60.0.8 2016-11-03 00:03:29 0.016667 10.60.0.8 4 10.60.0.8 2016-11-03 00:03:29 0 10.60.0.8 5 10.60.0.8 2016-11-03 00:03:35 0.100000 10.60.0.8 I would suggest change the following line in the query: | eval timeDiff=if(ip=newIp,(_time - newTime)/60, 0) Replace above line in query with this one if you wanna use floor: | eval timeDiff=if(ip=newIp, floor(_time - newTime), 0) or with this if u wanna use the strptime to make it seconds friendly | eval timeDiff=if(ip=newIp, (strptime(_time, %Y-%m-%d %H:%M:%S) - strptime(newTime, %Y-%m-%d %H:%M:%S)), 0) and then complete the search with | table ip, _time , timeDiff, newIp | where timeDiff=125 ... View more

If all you need is a range comparison on "10.10.10.xxx" what you could do is extract the range and compare on it as: 10.10.10.32 - 10.10.10.96 yourBaseQuery to give you ips | rex "10\.10\.10\.(?<range>\d{1,3})" | where range >=32 AND range<=96 | complete your Query or similarly for 1-128 If you want more dynamic ips then that can be regexed too like below as long as you keep track of those range numbers yourBaseQuery to give you ips | rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.(?<range>\d{1,3})" | where range >=32 AND range<=96 | complete your Query ... View more

🙂 wow... your search to return field1 | regex field1="(.*(^|\s)foo(\s|\n).*)" | complete your search see this please ... View more

Try regex to your rescue your search to return field1 | regex field1=".*\sfoo\s.*" | complete your search ... View more

that should be easy, try (foo) in search term so that it only searches whole word "foo", nothing more or less. ... View more

Did you try *foo* , as that shall return foos and xfoo in events. Updating as per comment, to search exactly "foo", try (foo) as a search term including the round brackets ... View more

If the "tag" element is always having four parts, can you try this at search time or use the regex while extracting in field extractor: yourBaseQuery | rex "\"tag\"\:\"(?<image>([^\/]+\/){2})(?<service>[^\/]+)\/(?<id>[^\"]+)" | complete your query See resulting extraction here ... View more

Assuming you have field host (which has host values) and field Value (which has Servicebus/ResponseTime) , please try this: index=perfmon collection=ServiceBus counter="Response Time" instance="Service" | sort host | fields host, Value | dedup host, Value consecutive=true | stats avg(Value) by host ... View more

I am assuming when you are comparing greater than or less than you mean epochNumber of _time is greater/less than epoch number of "2016-01-01". Give this a try please and adjust greater than or less than according to your like in eval status1 command: yourBaseSearch to get the _time |eval myNewTime=strptime("2016-01-01", "%Y-%m-%d") | eval time1=strftime(_time, "%Y-%m-%d") | eval epoch_time=strptime( time1, "%Y-%m-%d") | eval status1=case( epoch_time < myNewTime, "Yes", 1=1, "No" ) | table _time, epoch_time, myNewTime, status1, Name, Rank ... View more

Can you try and see if you can edit the data model. You need to go to the data model "abc" and see the element which uses the transaction command. In the edit search section of the element with the transaction command you just have to append keepevicted=true . For example in abc data model if childElementA had the constraint search as transaction sessionId then the constraint search should change as transaction sessionId keepevicted=true . Save the element and the data model and try to run the search again to see it work. ... View more

I did fields to ensure that out of sum and store_name fields we only get store_name field values and not the sum values. In general table <fieldA> and fields <fieldA> would work the same way. ... View more