Hi @runiyal, in this case. you have to add a regex extraction to your search: with transaction: index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?<DocID>\d+)$" | transaction DocID | rename duration AS "Time Taken" | table DocID "Time Taken" or with stats (better): index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?<DocID>\d+)$" | stats earliest(_time) AS earliest latest(_time) AS latest BY DocID | eval Time_Take=latest-earliest | table DocID Time_Taken | rename Time_Taken AS "Time Taken" You can test the regex at https://regex101.com/r/TgQtHA/1 Ciao. Giuseppe ... View more

must be missing our something in the syntax but if I just use the OR between two searches like below I am getting Error in 'search' command: Unable to parse the search: unbalanced parentheses. (<my search 1> OR <my search 2>)  I have provided the complete search command above in reply to Renjith. ... View more

Thanks a lot, it worked! ... View more

Your suggestion of using multiple rex commands like below worked. | rex "source=(?<Source>[^,]+)." | rex "col1=(?<Col1>[^,]+)," | rex "col2=(?<Col2>[^,]+)," | rex "col3=(?<Col3>[^}]+)" Thanks! ... View more

Yes, the FileName field is intended to be the file name part of the location field. The lack of results could be because one of the inputs to the stats command is empty. Try running the query without "stats" and "table". ... View more

Be sure to come back here and click Accept when you do. ... View more

Thanks Mary! ... View more

Thank tiagofbmm and what if I need to give another name to each index. Like instead of "abc", if I want to show custom name like "Indexer1" and so on? ... View more

(index=abc host="server-abc*" "upload succeeded" env=prd) OR (index=klm host="server-klm*" "index file" "*_prd.xml") OR (index=xyz host="server-xyz*" "file uploaded" "Status code : {}200") | stats count by index ... View more

Sure, just add | where isnotnull(name) ... View more

Give this a try index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" AND "source=vendor") OR "Bill Uploaded successfully" | eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0)| accum counter | stats sum(isVender) as vendorBill by counter | where vendorBill=1 | stats count OR index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully" | transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully" | where searchmatch("source=vendor") | stats count ... View more

Yes, so it looks like you are using a rex that looks for a string "name=" followed by characters that aren't commas. "name=(?<MyFileName>[^,]*)" So if given an event like age=23,name=billy,height=tall It would pull a field MyFileName of "billy". I know the example ended up silly, but that's OK. 🙂 But your initial pasting of events shows they look like age=23&name=billy&height=tall So you need to make sure you are looking for the string "name=" then characters up to but not including an ampersand. Like "name=(?<MyFileName>[^&]*)" . Unless the initial pastes were of the wrong data or got funged up during pasting. So in either way, if you have further problems if you could paste in new event samples that would be great. Of course, we'll just hope it all works! BTW, I put this stuff up into regex101.com so you can see how it determined what was matching, and this is off the original data way up in the question. ... View more

Thanks a lot Rich. Works like a charm! ... View more

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow. An entire course could be taught on tuning queries (not by me)but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time. ... View more

There is no way for Splunk to know all the possible sets of errors. However, you could supply a lookup table that contains the list. Assume that you have loaded a CSV into a lookup called error_list error_category,eventtype "Failed connection",failedConnection "Bad user id",Error1 etc. Now you can do this: eventtype="Error1" OR "Error2" OR "Error3" | stats count by eventtype | append [ inputlookup error_list | eval count = 0 ] | stats sum(count) as Total by error_category |rename error_category AS "Error Type" | sort - "Total" The "error_category" field in the lookup is not really necessary, but it allows you to give a "nice name" for the error, and even to group eventtypes if you like. ... View more

Assuming you have no existing extractions, something like this should get you started. index = foo | rex "(?P<Activity>\w+) Completed successfully in (?P<secs>\d+\.\d+) seconds" | stats count(secs) as Count min(secs) as Min max(secs) as Max avg(secs) as Avg by Activity | table Activity Count Min Max Avg ... View more

Hello, Logfile got updated so that we get the dureation in milliseconds. So now the log file shows - Search Completed successfully in 0.698 seconds Upload Completed successfully in 2.529 seconds How to incorporate this in the report? Thanks! ... View more

With little information provided, try something like this (runs for today time range) your base search earliest=@d | eval Hour=strftime(_time,"%H:00") | chart count over Error_Description by Hour ... View more