Firstly, since log seems to contain JSON, why not use spath with input=log to extract the fields. Secondly, there is no need to search for your fields equal to "*" (which presumably you are doing to remove events with null values for these fields?), as the dedup will do this for you. Thirdly, perhaps you should consider just converting the start to an epoch time with strptime() as you have already done, then use timechart span=1d Finally, this might have been easier to answer if you had provided some anonymised sample events so we can see what you are working with. ... View more

Hi @davetyree  - Were you ever able to get any information on this post? Have you setup anything in Splunk to get transitional data or error logs. I'd love to connect with you as I am currently trying create interactive dashboards in Splunk for Epic data. ... View more

Try this | rex "(?ms)\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*)," I haven't tested this because I don't have an example to use (which is why I asked for the event to be in a code block, and I am not about to type it all in) 😀 ... View more

| rex field=_raw "%\s(?<ErrorCode>\d+)\s(?<error_msg>.*)\s"   And then you can use  | stats ..... by ErrorCode, error_msg   something like this. Regex could not be valid for all the use cases, I'm just seeing a few examples from the screenshot. ... View more

@Khanu89 - That's what I'm saying you can remove the dropdown you don't need as you are using a pie chart that will show all those values at the same time. ... View more

It's not working as you expect because the ErrorCode field is not being extracted correctly. Regex seems very generic. It would match anything that starts with % (percentage sign) and comes between two spaces (\s). A somewhat better regex would be (still not 100% accurate as logs are not as formated): | rex field=_raw "%\s(?P<ErrorCode>\d+)\s"   ... View more

The data your trying to create the Piechart with ... View more