Hi, I have a written query which would result the details grouped by Month and ordered in the Month manner. Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered. source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec") | sort Year, Month |eval Month=Month + "-" + Year | eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE' | chart P90(P90_E2E_Latency) as E2E_Latency by Month, xfields useother=f limit=10000 | transpose 20 header_field=Month, column_name=xfields | rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)" | fields - xfields | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc. How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise. Thanks ... View more

Below is my event details from two different indexes, Event from index= Query_details SPID="111", LOGIN="USER1",MSG="Sleeping query got killed", STARTTIME="2019-04-11 23:53:38.517", KILLTIME="2019-04-11 23:54:24.083", RUNDURATION ="100", TRANSACTIONID = 123 Event from index = Request_details REQUEST_NAME ="Request1", REQUEST_ID="fkjgper6256f03ba90", RESPONSE_MS="2000", DB_SPID="743,111", DB_TX_ID="123, 439, 695, 3384, 5495", ORGNAME="ORG1" I want to combine these two queries and display the request details along with database query details. How to go about it ? 
The field based on which i am trying to combine is TRANSACTIONID from index=Query_details with DB_TX_ID from index=Request_details Note that TRANSACTIONID from index1 is int (TRANSACTIONID = 123) where in DB_TX_ID from index2 is string containing more than one id (DB_TX_ID="123, 439, 695, 3384, 5495"). I dont think i can do a join here since it is more of contains/like functionality. What other means can i do ? Could you please let me know. End result i want to display below way, SPID | TRANSACTIONID | DB_TX_ID |REQUEST_NAME | LOGIN | KILLTIME | RUNDURATION | RESPONSE_MS I tried something like below (definitely wrong) which results only the first index fields Query Details, not the matching Request Details index="Query_details" TRANSACTIONID = 123 |table SPID, TRANSACTIONID, LOGIN, MSG, KILLTIME, RUNDURATION | append [search index="Request_details" _raw = "*"+ TRANSACTION_ID + "*" | table REQUEST_NAME, RESPONSE_MS, DB_TX_ID ] Could someone help me on this Thanks ... View more

Hi, I have two queries with one field being common to correlate and combine the result. But the problem i am facing is one index field is int value and other field is string with multiple int values comma separated. Here is 1st source index=dbquery_killed, transactionid = 1234 2nd source index=request_info , trans_id ="1234, 569, 890" I want to combine these events and show all the related fields. Something with condition like 2nd source field containing 1st source field value, list all the related metrics from both indexes. How do i write a subquery to get this logic ? Please let me know ... View more

Hi, I have a threshold defined for each request on what is normal it will take to process every 5mins. Below query checks and results the Requests which went beyond the normal threshold (defined in a lookup file) for every 5 mins. This logs an entry for every 5 mins. earliest=-1h index=requestinfo Request=* | bin _time span=5m |stats P95(Response) AS "Response" by Request, _time | lookup RequestThreshold.csv Request OUTPUT NormalResponse |eval Behaviour=case(Response > NormalResponse, "Abnormal", 1=1,"Normal") | search Behaviour="Abnormal" My requirement is to run for past 1 month and also for future on a daily basis to get the continuous duration for which the Request was performing badly 95% of the time for every hour in a day, saying like 11 AM to 12 AM the R was beyond threshold. Again one more entry in saying same day 5:00 PM to 6:00PM it went beyond threshold. How do i achieve this ? Result something like below START_TIME | END_TIME | R | Duration(s) | P95Response | Normal 10-04-2019 11:30 |10-04-2019 12:30 | Request1 | 3600| 35050 | 3000 10-04-2019 11:30 |10-04-2019 12:30 | Request2 |1800 | 590 | 300 10-04-2019 13:30 |10-04-2019 14:30 | Request1 |3600 | 89050 | 3000 Note that the Normal Threshold which is defined is for only 5mins range. So I am really confused on how to achieve this. Is this even possible? ... View more