Hi all, would love help with this one.  I currently have a query where I have 4 different processing times by sessionId. I want the ability to remove/ delete any sessionId from the results that has a blank/ null value. If any one of the four processing times,  has a blank or null value, remove the sessionId from the stats.  After that, I would like the ability to add those four processing times into one processing time by _time and take the perc95.  Any assistance is appreciated. Let me know if more clarification is needed. Thank you!! index= [...] | bucket _time span=1h | eval apiIdentifier=coalesce(msg.apiIdentifier,apiIdentifier) | eval apiName=coalesce(msg.apiName,apiName) | eval apiVersion=coalesce(msg.apiVersion,apiVersion) | eval clientRequestId=coalesce(msg.clientRequestId,clientRequestId) | eval companyId=coalesce(msg.companyId,companyId) | eval contentType=coalesce(msg.contentType,contentType) | eval datacenter=coalesce(msg.datacenter,datacenter) | eval entityId=coalesce(msg.entityId,entityId) | eval logType=coalesce(msg.logType,logType) | eval processingTime=coalesce(msg.processingTime,processingTime) | eval responseCode=coalesce(msg.responseCode,responseCode) | eval serverId=coalesce(msg.serverId,serverId) | eval sessionId=coalesce(msg.sessionId,sessionId) | eval timestamp=coalesce(msg.timestamp,timestamp) | eval totalResponseTime=coalesce(msg.totalResponseTime,totalResponseTime) | eval session-id=coalesce(a_session_id, sessionId) | eval AM2JSRT = if(a_log_type=="Response" AND isNum(a_req_process_time), a_req_process_time,0) ,JS2ISRT = if(logType=="JS2IS", processingTime, 0), JS2AMRT = if(logType=="JS2AM", processingTime, 0), AM2DPRT = if(a_log_type=="Response" AND isNum(a_res_process_time), a_res_process_time,0) | stats SUM(AM2JSRT) as AM2JSRespTime, SUM(JS2ISRT) as JS2ISRespTime, SUM(JS2AMRT) as JS2AMRespTime, SUM(AM2DPRT) as AM2DPRespTime by sessionId | eval gw_processingTime=(AM2JSRespTime+JS2ISRespTime+JS2AMRespTime+AM2DPRespTime   ... View more

Hello, I have the below SPL with the two mvindex functions. mvindex position '6' in the array is supposed to apply http statuses for /developers.  mvindex position '10' in the array is supposed to apply http statuses for /apps.  Currently position 6 and 10 are crossing events. Applying to both APIs. Is there anyway I can have one mvindex apply to one command?    (index=wf_pvsi_virt OR index=wf_pvsi_tmps) (sourcetype="wf:wca:access:txt" OR sourcetype="wf:devp1:access:txt") wf_env=PROD | eval temp=split(_raw," ") | eval API=mvindex(temp,4,8) | eval http_status=mvindex(temp,6,10) | search ( "/services/protected/v1/developers" OR "/wcaapi/userReg/wgt/apps" ) | search NOT "Mozilla" | eval API = if(match(API,"/services/protected/v1/developers"), "DEVP1: Developers", API) | eval API = if(match(API,"/wcaapi/userReg/wgt/apps"), "User Registration Enhanced Login", API)   ... View more

Hello, apologies if this was stated previously. I have multiple calls - each RequestID with a RequestReceive and ResponseTransmit. I am trying to find the difference between the two timestamps below. The difference of ResponseTransmit timestamp and RequestReceive timestamp. Then put that into a stats command ordered by clientPathURI and then the difference between the timestamps. Any assistance is much appreciated!   { [-]    RequestID: b74fab20-9a7b-11ed-bd70-c503548afa99    clientPathURI: signup    level: Info    logEventType: ResponseTransmit    timestamp: 2023-01-22T12:43:57.547-05:00 }   { [-]    RequestID: b74fab20-9a7b-11ed-bd70-c503548afa99    clientPathURI: signup    }    level: Info    logEventType: RequestReceive    timestamp: 2023-01-22T12:43:57.496-05:00 } ... View more

Hello, I am trying to extract the below 201 text highlighted in red below as one separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated! Event 1: 106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539   Event 2: 23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 - ... View more

Hello, I am very new to Splunk. I am wondering how to split these two values into separate rows. The "API_Name" values are grouped but I need them separated by date. Any assistance is appreciated! SPL:     index=... | fields source, timestamp, a_timestamp, transaction_id, a_session_id, a_api_name, api_name, API_ID | convert timeformat="%Y-%m-%d" ctime(_time) AS date | eval sessionID=coalesce(a_session_id, transaction_id) | stats values(date) as date dc(source) as cnt values(timestamp) as start_time values(a_timestamp) as end_time values(api_name) as API_Name by sessionID | where cnt>1 | eval start=strptime(start_time, "%F %T.%Q") | eval end=strptime(end_time, "%FT%T.%Q") | eval duration(ms)=abs((end-start)*1000) | stats count, perc95(duration(ms)) as 95thPercentileRespTime(ms) values(API_Name) as API_Name by date     ... View more

I have two events where in order to get a response time, I need to subtract the two timestamps. However, this needs to be grouped by "a_session_id" / "transaction_id." The two events I need are circled in red in the screenshot attached. I need those two events out of the three events. Every "a_session_id" has these three logs. source="/apps/logs/event-aggregator/gateway_aggregator_events.log" is always after source="/logs/apigee/edge-message-processor/messagelogging/gateway-prod/production/Common-Log-V1/14/log_message/gateway.json" Please let me know if you need more information. Such as snippets on the SPL. Any assistance is much appreciated! ... View more