I am looking for specific query where I can alter the row values after the final output and create new column with new value.  For example, I have written the below query : index=csv sourcetype="miscprocess:csv" source="D:\\automation\\miscprocess\\output_acd.csv" | rex field=_raw "\"(?<filename>\d*\.\d*)\"\,\"(?<filesize>\d*\.\d*)\"\,\"(?<filelocation>\S*)\"" | search filename="*" filesize="*" filelocation IN ("*cl3*", "*cl1*") | table filename, filesize, filelocation Which gives me the following output: filename filesize filelocation 012624.1230 13253.10546875 E:\totalview\ftp\acd\cl1\backup_modified\012624.1230 012624.1230 2236.3291015625 E:\totalview\ftp\acd\cl3\backup\012624.1230 012624.1200 13338.828125 E:\totalview\ftp\acd\cl1\backup_modified\012624.1200 012624.1200 2172.1640625 E:\totalview\ftp\acd\cl3\backup\012624.1200 012624.1130 13292.32421875 E:\totalview\ftp\acd\cl1\backup_modified\012624.1130 012624.1130 2231.9658203125 E:\totalview\ftp\acd\cl3\backup\012624.1130 012624.1100 13438.65234375 E:\totalview\ftp\acd\cl1\backup_modified\012624.1100   BUT, I like the row values to be replaced by "ACD55" where the file location is cl1 and "ACD85" where the file location is cl3 under filelocation column. So the desire output should be: filename filesize filelocation 012624.1230 13253.10546875 ACD55 012624.1230 2236.3291015625 ACD85 012624.1200 13338.828125 ACD55 012624.1200 2172.1640625 ACD85 012624.1130 13292.32421875 ACD55 012624.1130 2231.9658203125 ACD85 012624.1100 13438.65234375 ACD55     The raw events are like below:   "020424.0100","1164.953125","E:\totalview\ftp\acd\cl3\backup\020424.0100" "020624.0130","1754.49609375","E:\totalview\ftp\acd\cl1\backup_modified\020624.0130"   please suggest : ... View more

I am trying to conver the GMT time to CST time. I am able to get the desire data using below query. Now I am looking for query to convert GMT time to CST.   index=test AcdId="*" AgentId="*" AgentLogon="*" chg="*" seqTimestamp"*" currStateStart="*" currActCodeOid="*" currActStart="*" schedActCodeOid="*" schedActStart="*" nextActCodeOid="*" nextActStart="*" schedDate="*" adherenceStart="*" acdtimediff="*" | eval seqTimestamp=replace(seqTimestamp,"^(.+)T(.+)Z$","\1 \2") | eval currStateStart=replace(currStateStart,"^(.+)T(.+)Z$","\1 \2") | eval currActStart=replace(currActStart,"^(.+)T(.+)Z$","\1 \2") | eval schedActStart=replace(schedActStart,"^(.+)T(.+)Z$","\1 \2") | eval nextActStart=replace(nextActStart,"^(.+)T(.+)Z$","\1 \2") | eval adherenceStart=replace(adherenceStart,"^(.+)T(.+)Z$","\1 \2") | table AcdId, AgentId, AgentLogon, chg, seqTimestamp,seqTimestamp1, currStateStart, currActCodeOid, currActStart, schedActCodeOid, schedActStart, nextActCodeOid, nextActStart, schedDate, adherenceStart, acdtimediff Below are the results I am getting: ... View more

below csv file getting generated which is ingested into splunk. These are the file counts created date wise on different folders. My rex command does not pickup the date, filepath and count. Please help how we can extract these field from below csv raw data.   "Date","Folder","FileCount" "11-07-2023","E:\Intra\I\IE\Processed\Error","381" "11-08-2023","E:\Intra\I\IE\Processed\Error","263" "11-09-2023","E:\Intra\I\IE\Processed\Error","223" "11-10-2023","E:\Intra\I\IE\Processed\Error","133" "11-11-2023","E:\Intra\I\IE\Processed\Error","3" "11-12-2023","E:\Intra\I\IE\Processed\Success","4" "11-13-2023","E:\Intra\I\IE\Processed\Success","4"","218" "11-14-2023","E:\Intra\I\IE\Processed\Success","4"","200" "11-15-2023","E:\Intra\I\IE\Processed\Error","284" ... View more

I am created below query to get the hourly report of certain tasks. I go the final timechart values for four different "connectiontype" below. But I like to rename the column name to something else.   ... View more

  how to extract the node name from the different GC source location: I have below sample three source location and I am looking for rex that can extract node name as "node02, Node03 and "web39". My rex command is not working. source= E:\total\int\ts1\Ddoss\node\node02\data\gc.log source=E:\total\int\ts1\Ddoss\swxx\node03\data\gc.log source=E:\total\int\ts1\Ddoss\web\web39\data\gc.log ... View more

I am able to get the list of URL with top response time using below query. index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 | stats count by responsetime1,node, responsesize, uri, _time, statuscode | sort -responsetime1 | head 1    I am trying to modify this query for more detailed information. I am able to get the top 1 URL which has highest response time. But I need the timechart partner to understand the responsetime trend for that speicifc URL for last 1 hour. Also, like to modify the script in a such a way where it sould provide me the timechart trend of any URL (top responsetime) for 1 hour. URL may not be same every time since it may change. ... View more

I have the below events getting generated which has list of file counts on diffrent directories with date. creating a table format output with headers "Directory" "date" and "Filecount". Need assitance in rex to orginzate this date in table format so that I can setup a dashboard for the same     "Directory","Date","FileCount" "E:\test\IEX\app1\Incoming","7/18/2023","12" "E:\test\IEX\Processed\Success","7/14/2023","11922" "E:\test\IEX\Processed\Success","7/15/2023","319" "E:\test\IEX\Processed\Success","7/16/2023","449" "E:\test\IEX\Processed\Success","7/17/2023","14264" "E:\test\IEX\Processed\Success","7/18/2023","414" "E:\test\IEX\Error","7/13/2023","170" "E:\test\IEX\Error","7/14/2023","176" "E:\test\IEX\Error","7/15/2023","1" "E:\test\IEX\Error","7/17/2023","146" "E:\test\IEX\Error","7/18/2023","3" "E:\test\IEX\Error","7/10/2023","244" "E:\test\IEX\Error","7/11/2023","194" "E:\test\IEX\Error","7/12/2023","189" ... View more

I am trying extract "user20" from rest of "_9a4ab75c_239_process.log".  tried multiple ways but unable to separate the user name from underscore.   /app_5/appname/appanem2/logs/agent-machine4/sre/query/prot/user20_tt65rft67uu87_process.log" ... View more