First, can you confirm that transaction grouped the correct events? Second, do you mean to say that even though one of the events in a transaction is 2024-06-13 09:22:49,101 INFO [com.mysite.core.repo.BaseWebScript] [http-nio-8080-exec-43] ****** NEW WEBSCRIPT REQUEST ****** Server Path: http://repo.mysite.com:80 Service Path: /repo/service/company/upload Query String: center=pc&contentType=reqDocExt&location=\\myloc\CoreTmp\app\pc\in\gwpc5799838158526007183.tmp&name=wagnac%20%20slide%20coverage%20b&description=20% rule&contentCreator=JOSEY FALCON&mimeType=application/pdf&accountNum=09693720&policyNum=13068616 Splunk does not give you  location with value \\myloc\CoreTmp\app\pc\in\gwpc5799838158526007183.tmp?  This is nearly impossible but you can try add extract command after index search.  If you look at the emulation I listed above, I used extract to emulate Splunk's default action. ... View more

Now we are deep into the weeds of actual data.  The number of rows is dependent only on how many unique claimNumber regex "(?i) claim # *(?<claimNumber>\S+)" extracts from both source filters.  A meaningful test would be (index="myindex" "/app1/service/site/upload failed" AND "source=Web" AND "confirmationNumber=ND_*") | rex "(?i) claim # *(?<claimNumber>\S+)" | stats dc(clmNumber) as clmCount dc(claimNumber)claimCount Do they give 23?  75?  one give 75, one 23? (According to your description, claimCount should be 23.)  If the two counts are equal, there is nothing to change. If you get different counts for clmNumber and claimNumber, you can do another test (index="myindex" "/app1/service/site/upload failed" AND "source=Web" AND "confirmationNumber=ND_*") | rex "(?i) claim # *(?<claimNumber>\S+)" | table _time clmNumber claimNumber _raw Then, you need to refine the regex.  Post sample data for which claimNumber is not extracted if you need help with regex. ... View more

You need to accurately describe your raw data (anonymize as needed) and any relevant characteristics. (As a general rule, always describe data when asking data analytics questions.)  Which field name gives you "account"?  Based on your description, "account" is NOT the top level path in the JSON data; additionally, this path to "account" is inside an array according to your partial reveal.  Is it second level?  Third level? Suppose your top level path is "events", i.e., raw data looks like {"events" : [{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC5"}]} {"events" : [{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC6","account":"verified"}]} {"events" : [{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC7","account":"unverified"}]} {"events" : [{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC8","account":"verified"}]} {"events" : [{xxxx},{"GUID":"5561859B8D624FFC8FF0B87219060DC9"}]} Splunk would have given you flattened field names like events{}.GUID, events{}.account, etc.  If you know that every array events{} contains only a single event{}.account, you can just substitute "account" in solutions with event{}.account.  But as an array, events{}.account could be multivalued.  In that case, you need to make them single-valued first, i.e., | spath path=events{} ``` events{} should be the actual path of that array ``` | mvexpand events{} | spath input=events{} | eval account=if(account=="verified","verified","unverified") | stats count by account Alternatively, use fillnull | spath path=events{} ``` events{} should be the actual path of that array ``` | mvexpand events{} | spath input=events{} | fillnull account value="unverified" | stats count by account If "account" is not second level, or it is not really inside an array as your original description implied, you need to give accurate description of your data. ... View more

I tried to run the following query. Although it runs with 20K events but its not generating output in the table. index=yourinndex "OTPViewController" | rex "(?ms)OTPViewController:(?<session>http-nio-8080-exec-\d+).*?Policy Number\. (?<PolicyNumber>[^\n]+)\n.*?Email\. (?<Email>[^\n]+)\n.*?Address\. (?<Address>[^\n]+)\n.*?Amount Number \. (?<AmountNumber>[^\n]+)\n.*?Pmt Amount \. (?<PmtAmount>[^\n]+)\n" | stats values(*) as * by session | table PolicyNumber, Email, Address, AmountNumber, PmtAmount Can you tell what can be the issue here?   ... View more

You didn't explain why Splunk does not give you SubID automatically.  The illustrated logs are conformant JSON.  If they are the raw events, there should be no reason that you don't have both fields submitterType and SubID. If the illustrated log is one of fields that Splunk extracts for you, say "log", spath is the command to extract JSON nodes.   | spath input=log   Your sample data will give SubID submitterType App_4-45887-02232023 Others App_5-45892-02232023 Others ... View more

Hi @runiyal, in this case. you have to add a regex extraction to your search: with transaction: index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?<DocID>\d+)$" | transaction DocID | rename duration AS "Time Taken" | table DocID "Time Taken" or with stats (better): index=your_index 1. (SUCCESS OR "from input stream" OR "from input stream") | rex "(?<DocID>\d+)$" | stats earliest(_time) AS earliest latest(_time) AS latest BY DocID | eval Time_Take=latest-earliest | table DocID Time_Taken | rename Time_Taken AS "Time Taken" You can test the regex at https://regex101.com/r/TgQtHA/1 Ciao. Giuseppe ... View more

must be missing our something in the syntax but if I just use the OR between two searches like below I am getting Error in 'search' command: Unable to parse the search: unbalanced parentheses. (<my search 1> OR <my search 2>)  I have provided the complete search command above in reply to Renjith. ... View more

Thanks a lot, it worked! ... View more

Your suggestion of using multiple rex commands like below worked. | rex "source=(?<Source>[^,]+)." | rex "col1=(?<Col1>[^,]+)," | rex "col2=(?<Col2>[^,]+)," | rex "col3=(?<Col3>[^}]+)" Thanks! ... View more

Yes, the FileName field is intended to be the file name part of the location field. The lack of results could be because one of the inputs to the stats command is empty. Try running the query without "stats" and "table". ... View more

Be sure to come back here and click Accept when you do. ... View more

Thanks Mary! ... View more

Thank tiagofbmm and what if I need to give another name to each index. Like instead of "abc", if I want to show custom name like "Indexer1" and so on? ... View more

(index=abc host="server-abc*" "upload succeeded" env=prd) OR (index=klm host="server-klm*" "index file" "*_prd.xml") OR (index=xyz host="server-xyz*" "file uploaded" "Status code : {}200") | stats count by index ... View more

Sure, just add | where isnotnull(name) ... View more

Give this a try index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" AND "source=vendor") OR "Bill Uploaded successfully" | eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0)| accum counter | stats sum(isVender) as vendorBill by counter | where vendorBill=1 | stats count OR index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully" | transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully" | where searchmatch("source=vendor") | stats count ... View more

Yes, so it looks like you are using a rex that looks for a string "name=" followed by characters that aren't commas. "name=(?<MyFileName>[^,]*)" So if given an event like age=23,name=billy,height=tall It would pull a field MyFileName of "billy". I know the example ended up silly, but that's OK. 🙂 But your initial pasting of events shows they look like age=23&name=billy&height=tall So you need to make sure you are looking for the string "name=" then characters up to but not including an ampersand. Like "name=(?<MyFileName>[^&]*)" . Unless the initial pastes were of the wrong data or got funged up during pasting. So in either way, if you have further problems if you could paste in new event samples that would be great. Of course, we'll just hope it all works! BTW, I put this stuff up into regex101.com so you can see how it determined what was matching, and this is off the original data way up in the question. ... View more

Thanks a lot Rich. Works like a charm! ... View more

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow. An entire course could be taught on tuning queries (not by me)but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time. ... View more

There is no way for Splunk to know all the possible sets of errors. However, you could supply a lookup table that contains the list. Assume that you have loaded a CSV into a lookup called error_list error_category,eventtype "Failed connection",failedConnection "Bad user id",Error1 etc. Now you can do this: eventtype="Error1" OR "Error2" OR "Error3" | stats count by eventtype | append [ inputlookup error_list | eval count = 0 ] | stats sum(count) as Total by error_category |rename error_category AS "Error Type" | sort - "Total" The "error_category" field in the lookup is not really necessary, but it allows you to give a "nice name" for the error, and even to group eventtypes if you like. ... View more

Assuming you have no existing extractions, something like this should get you started. index = foo | rex "(?P<Activity>\w+) Completed successfully in (?P<secs>\d+\.\d+) seconds" | stats count(secs) as Count min(secs) as Min max(secs) as Max avg(secs) as Avg by Activity | table Activity Count Min Max Avg ... View more

Hello, Logfile got updated so that we get the dureation in milliseconds. So now the log file shows - Search Completed successfully in 0.698 seconds Upload Completed successfully in 2.529 seconds How to incorporate this in the report? Thanks! ... View more

With little information provided, try something like this (runs for today time range) your base search earliest=@d | eval Hour=strftime(_time,"%H:00") | chart count over Error_Description by Hour ... View more