I've been trying to do this myself. Is there any way to do this so that the second instance of the query (or the table itself) uses the results already obtained by the first one? (As opposed to to running the query in full a second time). In my instance, the original query can take up to 20 seconds to run (depending on time range selected). I'd prefer not to double the run time of the panel simply to show the number of records (which have obviously been generated previously upon execution of the first instance of the query). ... View more

The working solution looks like this (note, results may vary, depending on what fields you have extracted) : index=common_index source=source2 param5 param4="*" [ search index=common_index source=source1 param1=value1 param2=value2 |stats values(token) as omg |rename omg as query ] | stats values(param4) by token This thing returns results like so : param4_value1 token1 param4_value2 token2 param4_value2 token3 etc. martin_mueller, thanks one more time for helping 🙂 ... View more

Works thanks 🙂 Finally . All I needed was to add another search option before the regexp, like so my base search "Stuff" | rex field=thefield_to_rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ... It seems like the entire field to regexp followed the same "ID" : "Info" notation, so instead of extract all it did was print 🙂 The rex works like a charm, yet my search was wrong 😄 ... View more

It would work with some fiddling - max and min are very close , so max-min=0 However, it gives leads where to check I have already re-done the search using the old ideas, but will use the version above as a know how for future cases: source="mysource" "url" evttype=INFO | bucket _time span=24h | stats dc(clientip) as uniq, count as total by _time | timechart span=24h per_day(total) as TotalHits, per_day(uniq) as UniqueHits, per_hour(total) as PerHour per_minute(total) as PerMinute | appendcols [search source="mysource" "url" evvtype=INFO | bucket _time span=24h | top clientip limit="N" by _time| sort -count| eval pair=clientip." (".count.")" | stats values(pair) as TOP"N"_IP by _time] It still needs some small fixes but looks a bit neater than the previous and the per_hour/minute is calculated automatically. Same trouble with span<24h, but I will check that 🙂 ... View more

......| rex "(?i).*?->{ "/\w+\d"/ : { "/\w+\d\w+"/ :"/(?P<status_info>\w+\s\w+)(?="/),..."/\w+\s\w+\s\w+"/}}"| stats count by status_info ... View more

Thanks , for the response.I 'll look it up, and if needed, try a workaround. ... View more

You could maybe use the following to break out the individual items in the list field but am having trouble imagining what the rest of your stats command output is - haven't had enough caffeine yet I suppose. | makemv list | mvexpand list At any rate you would then need another stats (+ sort & head) or top command to then get your top X. ... View more

You could say you wrote a separate program for printing out each of the letters in "Hello World!" - the original search had a separate search for each of the values in var2 , and a separate search for each of the result columns 😛 ... View more

Thanks, it worked like a charm, it seems I have to RTFM more often 🙂 ... View more

ok, that's the "workaround". But it looks like a bug to me? Any splunker to shed some light on this behavior? ... View more

Why not like this... index=myindex source="where_we_search.log" "URL Query" field2=* | stats count by IP_Address, field2 | eventstats sum(count) as Total by IP_Address | search Total >20 ... View more