Hello, I'm trying to find average response time of all events after the field totalTimeTaken. Thing is, when I tested this regular expression on Regular Expression Site It shows I'm extracting the field and value correctly but, when I put the same into the Splunk statement it is not yielding the expected result.  Log:            {"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}}         Query:         | makeresults ns=project* | eval _raw="\"totalTimeTaken\":4" | rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)" | stats avg(response_time)           Could I know where I'm going wrong? ... View more

Hello, We have been investigating on missing 30% of Splunk logs in our production environment. I'm thinking it maybe due to TIME_FORMAT or due to high volume logs on production. Can you please let me know what should be the key-value for TIME_FORMAT on props.conf file?  Lagsec value is 1.5seconds on source logs and the splunk forwarder log source type where we are checking has 1.13s.  Additionally, source logs have format: 05/Mar/2024 SplunkForwarder logs have format: 2024-03-05 2048kbps on both dev and prod config file. Also, have ignoreOlderThan=1d so, looking to remove this parameter and fix TIME_FORMAT and check out. Can you please help or provide additional information to check? ... View more