In your first 2 queries, you are removing fields where distinct count is 1, but you don't appear to be doing this in the last query. Would this not account for the "missing" fields? ... View more

How about something along these lines: index=_internal | head 1 | eval _raw="<BLAdets> <Bladetsmeta> <Metadata><Key>FIELD_1</Key><Label>FIELD 1 test</Label><Value>this is the value of field 1</Value></Metadata> <Metadata><Key>FIELD_2</Key><Label>FIELD 2 test</Label><Value>this is the value of field 2</Value></Metadata> <Metadata><Key>FIELD_3</Key><Label>FIELD 3 test </Label><Value>this is the value of field 3</Value></Metadata> </Bladetsmeta> </BLAdets>" | spath BLAdets.Bladetsmeta.Metadata output=Metadata | rex field=Metadata "\<Key>(?<key>[^\<]*)\</Key>.*\<Value>(?<value>[^\<]*)\</Value>" | eval meta=mvzip(mvzip(key,value,">"),key,"</") | eval meta=mvmap(meta,"<"+meta+">") | spath input=meta ... View more

It looks like you need to replace "/n" with "\n" or perhaps "\n\t" ... View more

Just take it back to 1 spath ... | spath certificates{} output=certificates | mvexpand certificates | table certificates ... View more

Something like set your span to 8h and then trigger the alert on custom condition of "search TradeCount < 2000" ... View more

How are the URLs delimited in FieldA? it looks like in some instances there is a space but not others. Try: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)( |$)" | mvexpand FieldB If there is no space between in some instances, use: | rex max_match=0 field=FieldA "\/(?<FieldB>[^\/]*)(https:| |$)" | mvexpand FieldB   ... View more

I am not sure what your base data is but let's assume it is a log of logins with timestamps. So, something like: ... base search ... | bin _time span=1h | stats count by _time | sort -count | where count >= 200 | head 5 That is, bucket events into 1h bins, count events in those bins, sort counts descending, only take counts above 200, just take the top 5 ... View more

Try limiting the number of events with head index="cx_aws" source="notification-service" | head 1 | spath ... I am not sure if this is the right query but it seems to be the one from your image. The point is that head will reduce the number of events from the base search, in this case to 1 i.e. the latest event ... View more

Have you looked at this answer from the archives? Essentially, the escaping is removed from the escaped double quotes, and the embedded field is unquoted, before parsing with spath, allowing the whole log to be parsed as you were hoping for. ... View more

Sorry, there was a mistake in this line | rex field=xy "(?<x>[^,]),(?<y>.*)" It should have been: | rex field=xy "(?<x>[^,]*),(?<y>.*)"  This picks up values of x greater than 9 i.e. more than 1 digit ... View more

... | head 1 ... View more

It looks like the script name is the 11th field assuming "|" is the delimiter so something like this might work ... base search ... | eval logmessage=_raw | makemv delim="|" logmessage | eval script=mvindex(logmessage,10) | stats count by script Indexes start at zero so index 10 for the 11th field  ... View more

Can you use spath to get your two mv arrays (displayName and result), then mvzip them to a new array, mvexpand that array to get new events, and do your stats on those events (perhaps splitting up the values in the new array to get displayName and result in separate columns again)? ... View more

Don't you just need to move FlagSC outside of stats, and add it to your BY clause? ...base search... | eval FlagSC=if(sc_status==200,"OK","Other") | stats avg(eval(time_taken)) AS avg_tt, avg(eval(sc_bytes)) AS avg_bytes, count(eval(source)) AS NumTransactions, BY cs_uri_stem, FlagSC | table cs_uri_stem, FlagSC, avg_tt, avg_bytes, NumTransactions | rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"   ... View more

Hi @vinod0313  An additional requirement to your previous question! here  and not a great leap to this: | rex field=_raw "FEATURES_USING=\[(?<feature>.*)\]" | makemv delim=", " feature | mvexpand feature | rex field=feature "(?<Column1>[^=]*)=(?<column2>.*)" | fields Column1,column2     ... View more

In order to get a line for each event, you can add an additional field for the row number and chart by that | makeresults | eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" | makemv delim="|" event | mvexpand event | streamstats count as row | fields row, event | rex field=event "y=(?<y>.*)" | makemv delim="," y | eval size=mvcount(y) | eval index=mvrange(0, size, 1) | eval xy=mvzip(index, y) | mvexpand xy | rex field=xy "(?<x>[^,]),(?<y>.*)" | fields x,y,row | chart values(y) as y by x, row To explain what is going on: Create some dummy data (obviously, you don't need to do this) | makeresults | eval event="y=1,2,3,4,5,6,7,8,9,10|y=2,3,4,5,6,7,8,9,10,11|y=3,4,5,6,7,8,9,10,11,12|y=4,5,6,7,8,9,10,11,12,13" | makemv delim="|" event | mvexpand event event is a field that represents your data. Add a row number: | streamstats count as row | fields row, event  Create an array from the event data: | rex field=event "y=(?<y>.*)" | makemv delim="," y Create an array of indexes (based on the size of array y): | eval size=mvcount(y) | eval index=mvrange(0, size, 1) Zip the index and value together, and create an event for each: | eval xy=mvzip(index, y) | mvexpand xy  Split the index and value again and keep just the index, value and original row number | rex field=xy "(?<x>[^,]),(?<y>.*)" | fields x,y,row Now, visualise y(x) for each row | chart values(y) as y by x, row   ... View more

It is not clear what visualisation you want - do you want a line for each original row of your data? does each row have a unique timestamp or some other way of identifying it? ... View more

The first 3 lines just create a result that I can work with (I don't have your data!) Assuming you haven't already parsed your log into fields, you need to apply the rex to the _raw field | rex field=_raw "y=(?<y>.*)" ... View more

Not sure if y is your data or your index - assuming it is data, then you need to split your data into a multi-value field and combine it with the index of the element, and split that into your x and y e.g. | makeresults | eval log="y=1,2,3,4,5,6,7,8,9,10" | rex field=log "y=(?<y>.*)" | makemv delim="," y | eval size=mvcount(y) | eval index=mvrange(0, size, 1) | eval xy=mvzip(index, y) | mvexpand xy | rex field=xy "(?<x>[^,]),(?<y>.*)" | fields x,y There is probably a more elegant way of doing this! ... View more

OK you took my solution too literally! The rex has to be applied to your _raw not my made up log field: | rex field=_raw "FEATURES_USING=\[(?<feature>.*)\]" Unless you have already extract FEATURES_USING into its own field  ... View more

Yes, the events don't change - you need to look at the results - try adding | table feature Then look at the statistics tab  ... View more