Thank you.  In the above case, what would be the exact command to extract prefix:field1, prefix:field2, prefix:field3 in tabular fashion .  What needs to be added to the below?  spath input=conformant thank you ... View more

 I was trying the below, but its not helping much as in its not extracting all the data. 😞 *| rex field=_raw "prefix:(?<from>\w+)" | dedup from | table from ... View more

Yes, part of the data is JSON and not the entire _raw. Isn't there a way to look for String matching "prefix:.*" criteria and extract the complete matched string? thank you ... View more

Its not always in this pattern("prefix:field1":"value1","prefix:field2":value2,"prefix:field3":value3,) and rather be  more complex structure as well(could be "prefix:field1":"ABC","TxnMsg":{"prefix:field2":XYZ,"prefix:field3":123},).  Is there any other way? thank you   ... View more

Lovely thank you.  Just now figured out that even the below works | rename transactionid as search   Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults The following search looks for a value in the clID field that is associated with a name token or field value. The clID value is then used to search for several sources. index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ] The subsearch returns the field and value in the format: ( (clID="0050834ja") ) To return only the value, 0050834ja, rename the clID field to search in the subsearch. For example: index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ] When the field is named search or query, the field name is dropped and the implicit | format command at the end of the subsearch returns only the value. If you return multiple values, such as specifying ...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used ...| top limit=3, the values returned from the subsearch are ( ( value1 ) OR ( value2 ) OR ( value3 ) ).   ... View more

@gcusello , its pretty close but not exact.  index=app1 "order1"| stats count by id index=app1 [ search index=app1 "orderid" | addinfo | rename info_max_time AS latest info_min_time AS earliest | fields id earliest latest ]|stats count by id Comparing the output of the above command, while most of the ID's matched based on the above but not all. ... View more

@bowesmana , sorry its not working me The results of both doesnt match since the ID's are different index=app1 "order1" | stats count by id index=app1 [ search index=app1 "order1" | stats latest(_time) as latest earliest(_time) as earliest values(id) | fields id earliest latest ] | stats count by id ... View more

see the below error Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.   ... View more

@PickleRick , sorry, I am a normal user and have access to only specific index. Running the above command is failing. Error in 'tstats' command: Invalid argument: 'index=indexname   ... View more

@bowesmana , lovely thanks a lot! ... View more

Thank you very much @bowesmana for timely help.  Sure, will make the index name as explicit instead of using *. Thanks again. ... View more

@bowesmana , can you please give one example?  The below doesnt work. index=* id IN [index=* "985be6370637"| fields id] ... View more

Wow. Amazing. Thanks a lot! ... View more

Sorry, I cant be using dedup, since that doesn't solve my purpose. ... View more

Since I wanted to know the flow of data from one sourcetype to another sourcetype.  Apparently, in my case, the data after existing a sourcetype can re enter the sourcetype at a later point of time. Thank you ... View more

@SanjayReddy  Can you please clarify as how do I use  values(fieldname1) by fieldname2?   My original query is  index=*|table sourcetype   Thank you ... View more