Hi, Here is a scenario: Step 1 9h30 TradeNumber 13400101 gets created in system 9h32 TradeNumber 13400101 gets sent to market Step 2 9h45 TradeNumber 13400101 gets modified in system 9h50 TradeNumber 13400101 gets sent to market with modification Step 3 9h55 TradeNumber 13400101 gets cancelled in system 9h56 TradeNumber 13400101 gets sent to market as cancelled I need to monitor the Delay for sending the order to market. In the above scenario we have 3 steps for the same TradeNumber and each needs to be calculated separately. Delay for sending new trade Delay for modifying Delay for cancelling The log does not allow to differenciate the steps but the sequence is always in the right order. If I use | stats range(_time) as Delay by TradeNumber | stats max(Delay) For TradeNumber 13400101, it will return 26mins I am looking to have a result of 5mins (gets modified ,9h45 to 9h55) Anyway Splunk can match by sequence (or something else) and TradeNumber to calculate 3 values for the same TradeNumber ? ... View more

I have this search that is working and returning a average Delay value: Search Command | eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z") | stats range(epoch_timestamp) as Delay by "logId" | stats avg(Delay) However, I want to display the daily averages in a timechart graph to see the performance evolution by day. Tried the following based on research but It does not return Statistic or Vizualization values (just returning events): Search Command | eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z") | stats range(epoch_timestamp) as Delay by "logId" | bucket _time span=1d | stats avg(Delay) as Performance by _time ... View more

Field = 1.123456789 Field = 14.123456 Field = 3.1234567 I need to run a query that will return the number of decimals for each record in Field. Expected Result: 9 6 7 ... View more

I need to round the max(Delay) and avg(Delay) to 3 decimals in the following command: my search | timechart span=5m avg(Delay) max(Delay) by host Thanks ... View more

We have 2 types of orders in the system, some are entered manually by phone and some are processed automatically as they are fed by other systems. The way I can differentiate is by the order timestamps: Phone orders do not contain miliseconds in the order timestamp (2022-09-16T17:07:41Z) Orders filled automatically by other systems contain miliseconds (2022-09-16T16:22:28.573Z) I am calculating the processing delays on these orders but I want to display the results on 2 rows: 1. Phone orders max delays 2. System orders max delays Here is what I am using now: MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" offset_field=_extracted_fields_bounds | rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" offset_field=_extracted_fields_bounds0 | eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N")) | stats max(Delay) Note: the goal is not to add or remove the miliseconds information     ... View more

Good Day, I need help to calculate the time difference for field "@timestamp" containing time format 2022-07-14T09:05:08.21-04:00 Example: MYSearch | stats range(@timestamp) as Delay by "log_processed.logId" | stats max(Delay) If I do the same with the Splunk _time field, it works perfectly ... View more