Hi, Not sure if I got all your cases, can you try this? rex field=line "([^,\?]*(?:\?.[^,\?]*)*,){11}(?<field1>[^,\?]*(?:\?.[^,\?]*)*)," I tried it like this to test it out: | makeresults | eval line="1,2,3?,? ,4,5,6,7,8,9,10,11,this is ?,interesting,x,y,z" | rex field=line "([^,\?]*(?:\?.[^,\?]*)*,){11}(?<field1>[^,\?]*(?:\?.[^,\?]*)*)," Don't ask me how I got there. I once had a similar problem with escaped \" in logs that had fields delimited by actual ". ... View more

I don't see a problem with the numbers you posted. Whenever Field is reused after one hour, it will be contributing to the distinct count for each hour, but you only get it once when looking at the full two hours. ... View more

I'll feel probably stupid when someone posts a pretty solution, but you get the correct result with this: | makeresults | eval field1="I want to buy a book may be now" | eval field2="I want to buy a phone may be tomorrow" | makemv delim=" " field1 |makemv delim=" " field2| eval comb=mvzip(field1, field2) | mvexpand comb | rex field=comb "(?[^,]+),(?.+)" | where NOT field1=field2 | stats list(field1) as field1 list(field2) as field2 | eval field1=mvjoin(field1, ",") | eval field2=mvjoin(field2, ",") 🙂 ... View more

actually, the solution for your exact expected result would be achieved with eventstats instead of stats. I tried it out like that: | makeresults | eval input="ATM1,INQ-ATM2,CWD-ATM1,INQ-ATM1,INQ-ATM2,CWD-ATM1,INQ-ATM2,INQ-ATM1,CWD-ATM3,INQ-ATM3,INQ-ATM1,CWD-ATM3,INQ" | makemv delim="-" input | mvexpand input | rex field=input "(?<terminal_id>[^,]+),(?<tran_type>.+)$" | eventstats count by terminal_id, tran_type | where count >= 3| table terminal_id, tran_type ... View more

Do you really need the events listed out, or do you want to know which combinations match your limit? The latter could easily be done with | stats count by terminal_id, tran_type | where count>=3 which will give you a table with terminal_id, tran_type and the respective count. ... View more

Hi, This should do it: <default>$current_month_year$</default> ... View more

that should be exactly what the addition of this in your input definition should make possible: <change> <set token="labelstring">$label$</set> </change> whenever you change the dropdown, the token "labelstring" gets set to the label of the selected value. ... View more

Happens to everyone, to oversee the obvious. 🙂 Accessing the Label should be possible as well. Something in the spirit of <label>field1</label> <default>1001</default> <fieldForLabel>Meaning</fieldForLabel> <fieldForValue>OperationCode</fieldForValue> <search> <query>| inputlookup otcs_remote_cache_lookup.csv | table Meaning, OperationCode <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <set token="labelstring">$label$</set> </change> <initialValue>1001</initialValue> </input>` and then reference $labelstring$ later on. ... View more

Why do you care wether rex is executed? It doesn't change anything in Web.uri. You can do without rex as well, looks interesting: | makeresults | eval landing_page="Any" | eval Web.uri="/landing_page/contentA/contentB.html" | eval landing_page=if(landing_page=="Any","/"+mvindex(split('Web.uri',"/"),1)+"/",'Web.uri') gives back "/landing_page/" | makeresults | eval landing_page="bla" | eval Web.uri="/landing_page/contentA/contentB.html" | eval landing_page=if(landing_page=="Any","/"+mvindex(split('Web.uri',"/"),1)+"/",'Web.uri') gives back "/landing_page/contentA/contentB.html" in field landing_page ... View more

If I understood correctly, try it like this: rex field=Web.uri "^(?<any>/[^/]+/)" | eval landing_page=if(landing_page=="Any", any, 'Web.uri') ... View more

Try this: sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats count by tradeID,sourcetype | xyseries tradeID sourcetype count | fillnull sourcetype1 sourcetype 2 | search sourcetype1>0 sourcetype2=0 | fields tradeID ... View more

Try: index=something event_name="some other thing" event_type="yet another thing" [search index=something event_name="some other thing" event_type="yet another thing" role="*DB" | stats count by prsnl_name | fields prsnl_name ] | table prsnl_name, role, event_name, event_type, _time | sort prsnl_name Or for something different: index=something event_name="some other thing" event_type="yet another thing" | eval relevant=if(like(role,"%DB%),1,null()) | stats values(relevant) as relevant values(role) as role, values(_time) as _time by prsnl_name | where isnotnull(relevant) | fields - relevant ... View more

Maybe <change> <eval token="TPS_ON_ALL_PANELS">if(value="*",true,false)</eval> </change> ... View more

Maybe you want to look at multikv as well. So something like <yoursearch> | multikv | stats values(*) as * by PID ... View more

Yeah, I will. And now I am digging into "does access count=0 really means it is never used?". From 146 accelerated searches in our system, 98 have access count 0, many of those with a load factor > 0.5. That seems brutal if I understand the docs correctly. 🙂 ... View more

Actually, it did point me to looking at rest interface, and coming up with a solution. So the endpoint I want to use seems to be | rest servicesNS/-/-/admin/summarization . For whatever reason, that doesn't give me back the names of the searches, but puts the name into a constructed field ending with .name, that has the name of the saved search into it. Since the output is a table, all 146 rows of the output had 146 *.name fields, where only one had the name with some other info I needed to strip into them. I ended up with this query now, i may get some additional fields into it, but this is basically it: | rest servicesNS/-/-/admin/summarization |fields author eai:acl.app eai:acl.owner summary.access_count summary.load_factor *.name | foreach *.name [eval searchname=coalesce(replace('<<FIELD>>',"([^;]+;[^;]+;)(.+)","\2"),searchname)] | fields - *.name | sort summary.access_count Should I mark yours as accepted answer now, because it made me look in the right direction? ... View more

is eval total_polulation copied from your actual query? If so, then your problem is the typo in it. I just tried what you did with some other data/fields, and it works for me. ... View more

It seems you cannot overwrite time_tok.latest. If I try that, there is no change, I have to calculate the end time of the search into another field eg "latest", and use that field in the xml instead of "time_tok.latest". I tried to abstract from only limiting to @d when latest=now, because it could also be that a user searches up to -1h@h or something. So I came up with some logic, but my problem with this is, that using eval within the dashboard seems to use my local time, instead of the server time. Since I am in UTC+2 and our server is on UTC, I end up not searching until 00:00 today, but 22:00 yesterday. But maybe this will help you to get a solution: <input type="time" token="time_tok"> <label>Time Range</label> <default> <earliest>-60d@d</earliest> <latest>@d</latest> </default> <change> <eval token="upto">case(isnum("$time_tok.latest$"), $time_tok.latest$, $time_tok.latest$="now", now(), 1=1, relative_time(now(), "$time_tok.latest$"))</eval> <eval token="today">relative_time(now(),"@d")</eval> <eval token="latest">if($upto$ > $today$, $today$, $upto$)</eval> </change> </input> ... <search> <query> whatever</query> <earliest>$time_tok.earliest$</earliest> <latest>$latest$</latest> ... View more

Maybe a combination of tail and delta? Assuming the fieldname of the column was "val": | inputlookup test.csv | tail 2 | delta val as delta | eval output=case(delta<0,"GREATER",delta>0,"LESSER",true(),"EQUAL") | fields output | tail 1 Hth, Kai. edit: damn, 32secs late... 😉 ... View more