Hi, I wonder whether someone can help me please. I've put together the query below using the foreach command, which, although I've read a lot of posts, I've not really used, or if truth be known understood a great deal. | multisearch [ search `gateway_wmf(ClientRequest)` path=*vat*] [ search `wso2_wmf(RequestCompleted)` "request.detail.apiContext"=*test] | eval RequestID=coalesce('request.tags.X-Request-ID','requestID') | dedup eventId | rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode | foreach clientHeaders.test* [eval header='<<FIELD>>'] | stats count(header) by RequestID The query runs, but there is no new field called "header" created and hence I don't receive my stats count at the end of the query. Could someone perhaps have a look a this please and offer some guidance on where I've gone wrong and a brief explanation of the 'foreach' command. Many thanks and kind regards Chris ... View more

Hi, I wonder whether someone could help me please. I'm using a query which interrogates a Summary Index containing two fields called Epoch_STime and Epoch_ETime. I'm then using the query in a dashboard panel which includes a timepicker called "timerange". What I'm trying to do is set the earliest time from the timepicker to the Epoch_STime and the latest date of the timepicker to Epoch_ETime. I've tried earliest=$Epoch_Stime$ and the same for the latest time , but I can't get this to work. Could someone possibly look at this please and let me know where I've gone wrong? Many thanks and kind regards Chris ... View more

Hi, I wonder whether someone can help me please. I'm using number the following as part of a query to extract data from a summary Index | stats count(eval(repayments_submit="1")) as repyaments_submit count(eval(forms_ChB="1")) as forms_ChB The code works find, except that where the null value is null, it's shown as a zero and I'd like it to be blank. I've tried count(eval(if(signout="1", ""))) , but I receive the following error: Error in 'stats' command: The eval expression for dynamic field 'eval(if(signout="1", ""))' is invalid. Error='The arguments to the 'if' function are invalid.' Could someone look at this please and let me know where I've gone wrong? Many thanks and kind regards Chris ... View more

Hi, I wonder whether someone may be able to help me please. I'm using the following query: (`company_wmf(Login)` authentication=Success) OR (`login-frontend_wmf(Login)` authentication=Success) OR | eval "X-sessionId"=coalesce('tags.X-Session-ID', sessionId) | eval time=strftime(earliest_time, "%d/%m/%Y %H:%M:%S") | eval endtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | eval PTA=if('tags.path'="/account",1,"") | stats earliest(time) as time latest(endtime) as endtime values(test) as test by X-sessionId | search login=PTA login=G test!="" I'm now wanting to incorporate this into extracting the data into a summary Index. I've read a lot of documentation and posts, which do seem to contradict each other, so could someone tell me please, would I need to change the query so I can then use the stats portion of the query in a dashboard panel, but pulling the data from the SI? Many thanks and kind regards Chris ... View more