HI, I have events in splunk, where two fields description and msg denotes error messages. When I try to use to below. I tried renaming msg and description to same values but I am not getting an count. index=work  status=failure | stats count by description |appendcols [search index=work tag=error | stats count by msg] I  see below result: Description   Count          msg                            10              Account locked Login failed    20 How can I get below? Error                  Count Account Locked 10 Login failed           20 ... View more

Id=xyz id=ABC id=EDC Id=FIS index=* event=*| eval id = case(id = "xyz" , "one", id = "ABC", "Two")|eval index=case(index="work_prod","PROD",index="work_qa","QA")|table id, index, status |stats count(eval(status ="success")) AS Success, count(eval(status ="failure")) AS Failure BY id, index |rename index as Env, id as Application_name I am using above query to get Application name and count of failures and success. Result I am seeing: Application_name Env Success Failure one                              Prod  100   2 Two                             QA      20    10   I have more than 2 id's but since I am eval only two id's  it is giving only two id's as output. How can I get the rest?  Expecting result: Application_name Env Success Failure one                              Prod  100   2 Two                             QA      20    10 EDC                            QA      20    10 FIS                               PROD      20    10     ... View more

How to extract values from below log file using rex? Log: {Attribute(name=xyz, values={'1'}), Attribute(name=attempts, values={'2'}), Attribute(name=Count, values={'0'}), Attribute(name=MemberNumber, values={'31234'})}   Result in table: 1 2 0 31234 ... View more