I apologize for my wording. All the above queries execute and display events, its just that when you click on the statistics or visualization tabs nothing is displayed. I also tried removing the source type and the following string, and I get the same results - events are displaying but not statistics. ... View more

index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | rex ".*Category:(?<Category>\d+), subCategory:(?<subCategory>\d+)" I tried all of the above after the regex and nothing works past the regex and i'm not sure why. Pretty much the above code is the only thing that executes correctly. ... View more

I have added in more info into the query and tried to execute: index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | rex ".*Category:(?<Category>\d+), subCategory:(?<subCategory>\d+)" | top limit=5 subCategory by Category and still got the same result as before ... View more

Hey woodcock thanks for your anwser. So i created a query based off some of the info you gave me and came out with : index=doccloud_main sourcetype=doccloud_catalina "Document workspace" | stats count by Category,subCategory | sort - count | head 5 But when I click on the statistics tab, it displays " no results found". Can you please help ... View more

Yup! That was the last leg! Thanks alot ... View more

So it is displaying getDocument and getDocument PDF, but it is not listing listDocuments. Here is the code: index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P&lt;service&gt;EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P&lt;elapsedTime&gt;[\d\.]+)\]" | timechart values(elapsedTime) by service ... View more

I have tried doing : index=mobile_app sourcetype=apache_status_log "requests_per_second=" | timechart span=1d limit=5 count by host But that is not correct. I want it to display all the requests per second over an hour span for each of the hosts. ... View more

So I tried entering in the same which you just told me about, and got the same results as before. The results in a table going from 1-53 and not displaying anything after that. The search is : index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P&lt;service&gt;EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P&lt;elapsedTime&gt;[\d\.]+)\]"| chart avg(elapsedTime) by service ... View more

So I tried to do as you said and this is my search : index=Doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P&lt;service&gt;EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?)\(.* Elapsed time:\s+-\s\[(?P&lt;elapsedTime&gt;[\d\.]+)\]" | table service elapsedTime It works, but it only disp;lays getDocument and getDocument PDF in a weird format. I was wondering if i could convert this data to display into a graph as I wanted to include it into the dashboard. I also want to include a search for EmployeeDocumentServceImp.listDocuments(). ... View more

Hi Rich and thanks for your anwser. I tried to execute that search and got back an error message. The message is as follows: Error in 'search' command: Unable to parse the search: Comparator '<' has an invalid term on the left hand side. ... View more

Yes please! ... View more

No, in this query! Sideview has it partially right, except I only want for the five most active OOID's actions as opposed to displaying each OOID's action ... View more

Thanks for your answer but I wanted what I had before exactly the way it is, and in addition, to display those same results for the past 7 days. This search does not include the five most active OOID's. It instead shows what action each OOID performed day by day for the past 7 days. ... View more

Thanks for your answer but I wanted it to display inside the time chart! Would that be possible? ... View more

Thanks alot guys! Works like a dream! ... View more

Hi and thanks for your reply. I am trying to run : | rex "(?<action>created|updated|deleted) for OOID:(?<OOID>\S+?) I am trying to get "deleted/moved" from the below log: 4/13/15 11:26:13.215 AM 2015-04-13 11:26:13,215 DEBUG [actions.logging.DocumentLoggingAction] [http-apr-8080-exec-4] ADP Portal Document workspace://SpacesStore/0e13591d-ebcc-478b-a429-71d27af861ff is deleted/moved out from OOID:G356YP8WRCC3GTQK, AOID:G36H1Z9E4E0QZ562, with Category: 2200001275, subCategory: 2200001311 I tried just entering in as you said with the "deleted/moved" and it does not pick up that up in Splunk ... View more

Please keep me updated! ... View more

Ok I want to put it all together now! I want : sourcetype=doccloud_catalina "Document workspace" | rex "(?<action>created|updated|deleted|removed) for OOID:(?<OOID>\S+?)," | chart count by OOID action | addtotals | sort 5 -Total But to also take those same results and only display the past 7 day activity. It's my last question I promise ! 🙂 ... View more

One more thing, to display the results for the past 7 days...would I just add the timechart span to the end or where would i put that? I really appreciate your brilliant mind! ... View more

Thanks for your anwser, it works beautifully! I was wondering how to simply the command further to only display the 5 most active OOID's categorized by their actions to update, add, delete ... View more