Hi, I have 2 searches. 1st query: (100 results including duplicate number)     index="abc" message.appName=app1 "Description"="After some string*" | table _time Id number     2nd query:(80 results including duplicate d_number)     index="abc" message.appName=app2 "Description"="After some string2*" | table _time d_Id d_number      both d_number & number are matching How to get result-> only those number which are not matched with d_number I need only 100-80=20 number which may contain duplicate values from 1st query. (eg: query1-query2) Thank you in advance for your answer. ... View more

HI Splunkers, We are getting below value inside one of field "data" in tabular format: Source success Total_Count 0 abc.csv True 200 1 some_string_1 False 34 2 some_string_2 True 12 3 some_string_3 False 4 4 some_string_4 True 63 5 some_string_5 False 2 6 some_string_6 True 108 Can we extract these values in different fields. Thank you in advance for your reply ... View more

Hi,   We have below problem data in lookup:  pan assestId item_deviceId phoneNumber imeID 11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75 ite#0#man76451627ahdgs 8763173699 123456789 11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75  ite#0#man76451627ahd75 8736628187 987654321   Now we require new field "Mobile_DeviceId" from "assestId"  for identical row. As per below splunk table: pan assestId item_deviceId phoneNumber imeID Mobile_DeviceId 11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75 ite#0#man76451627ahdgs 8763173699 123456789 ass#ABC1#man6558962f 11023 ass#ABC1#man6558962f asst#ABC1#man827631e ite#0#man76451627ahdgs ite#0#man76451627ahd75  ite#0#man76451627ahd75 8736628187 987654321 asst#ABC1#man827631e   Is it possible from SPL?? Please help me to create SPL. My query is:     | inputlookp abc.csv | table pan assestId item_deviceId phoneNumber imeID | eval Mobile_DeviceId=split(assestId," ")|mvexpand Mobile_DeviceId| search Mobile_DeviceId=ass#*       ... View more

HI Splunkers,   Requirement: I have to create table for COUNT OF ERRORS based on text search in _raw data. I have created below query:     eventtype=XXX_AC_db ("Transaction (Process ID *) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.*" OR "Rest Api POST error. Database has timed out. (TT-000346)") | rex field=Exception "System(?<m>.*):\s(?<message>.*)\s+at" | eval message=if(like(message,"%Transaction (Process ID %) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.%"),"Transaction (Process ID XX) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.",message) | stats count by message | append [ stats count | where count=0 | eval message="Transaction (Process ID XX) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction."] | append [| search eventtype=XXX_AC_db "Rest Api POST error. Database has timed out. (TT-000346)" | stats count by Message | rename Message as message] | append [ stats count | where count=0 | eval message="Rest Api POST error. Database has timed out. (MG-000346)"] | append [| search eventtype=XXX_AC_db "*Database has timed out. (TT-000346)*" | eval Message=if(like(Message,"%Database has timed out. (TT-000346)%"),"Database has timed out. (TT-000346)",Message) | stats count by Message | rename Message as message] ...................       This query is taking too much time to execute. Is there any other way so that we can include different search and get the result.   Thank you in advance. ... View more