First, the regular expression in the rex command must be enclosed in quotation marks. Second, you're being caught by rex's escape trap.  Embedded quotation marks must be escaped, but the multiple levels of parsing in SPL call for 3 escape characters. | rex ", \\\\\"appStatus\\\\\":\\\\\"(?<status>\w+\s\w+)\\\\\"" ... View more

LINE_BREAKER does not extract timestamps.  That's what TIME_FORMAT does. There seems to be two issues here: Lines not breaking correctly when the date is a single digit. Timestamps not extracted correctly when the date is a single digit. There's a separate setting for each. The line breaker is telling Splunk the next event must have a two-digit year so that is what Splunk does.  To make the date 1 or 2 digits, modify the regex: ([\r\n])\[\w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}: or keep it simple with ([\r\n])\[\w{3}\s\w{3} The latter regex has the advantage of handling any time zone. The %d formatting variable accepts both one- and two-digit dates.  I believe the problem with the formatting string is the extra space after "%d". Here's the final set of props.     [sql:logs] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n])\[\w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\w{3}\s\d{4}\] TIME_PREFIX=\{ TIME_FORMAT=%a %b %d %H:%M:%S %Z %Y         ... View more

In your sample logs, it looks like you have a space after the first pipe which does not appear to be accounted for in your LINE_BREAKER pattern. Try something like this LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\s\d{2}:\d{2}:\d{2}.\d{3}\s\| ... View more

When including a results field in an alert, only the first result is included.  There is no way to include anything other than the first result. ... View more

Try adding a limits.conf with the following [kv] maxchars = 40000 ... View more

I don't understand the reply.  Did my answer work or not?  If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

Hi @tej57 , pls find the xml below. <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="servicecode"> <label>Code</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>service_code</fieldForLabel> <fieldForValue>service_code</fieldForValue> <search> <query> index=application-idx |rename "attribute.app.servicecode" as service_code | eval service_code=if(service_code="NULL","Non-Servicecode",service_code) |stats count by service_code | fields service_code </query> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query> index=application-idx AND attribute.app.servicecode="$servicecode$" source=application.logs |stats count </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form> ... View more

Sweet - nice optimisation ... View more

Hi @mahesh27  As @bowesmana said, this is a classic proving the negative issue and you can find thousands of answers in Community. In this case you have two solutions: if you have a list of hosts to monitor to put in a lookup (called e.g. perimeter.csv with at least one column called host), you could run something like this | tstats count WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total by host | where total<100 If you don't have a lookup or you don't want to manage it, you could run something like this: | tstats count latest(_time) AS _time WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) earliest=-30d@d latest=now BY host | where _time<now()-3600 In this way, you have the hosts that sent logs in the last 30 days but not in the last hour (you eventually can modify the time periods). in addition the command | bin span=1m _time has no sense because you don't use time in your stats. Ciao. Giuseppe ... View more

@bowesmana , thank you for ur inputs. We created queries according to our data working now. Thank you once again. ... View more

Have you compared emulation with real data?  Also, really get rid of that table command which can be in the way. (You can add some formatting after you verify that outputs are satisfactory.)  Is there some real data that you can share? (Anonymize as needed but take care to preserve precise structure.)  Using emulation, the output is not zero.  Clearly, actual data is different from what you posted above. Run this:   | makeresults | eval _raw = "{\"date\": \"1/2/2022 00:12:22,124\", \"DATA\": \"[http:nio-12567-exec-44] DIP: [675478-7655a-56778d-655de45565] Data: [7665-56767ed-5454656] MIM: [483748348-632637f-38648266257d] FLOW: [NEW] { SERVICE: AAP | Applicationid: iis-675456 | ACTION: START | REQ: GET data published/data/ui } DADTA -:TIME:<TIMESTAMP> (0) 1712721546785 to 1712721546885 ms GET /v8/wi/data/*, GET data/ui/wi/load/success\", \"tags\": {\"host\": \"GTU5656\", \"insuranceid\": \"8786578896667\", \"lib\": \"app\"}}" | spath | eval _time = strptime(date, "%d/%m/%Y %H:%M:%S,%f") ``` the above emulates index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success") ``` | rex field=DATA mode=sed "s/ *[\|}\]]/\"/g s/: *\[*/=\"/g" | rename DATA AS _raw | kv |search ACTION= start OR ACTION=done NOT SERVICE="null" |eval split=SERVICE.":".ACTION |timechart span=1d count by split |eval _time=strftime(_time, "%d/%m/%Y") | table _time *START *DONE   Do you get the same results as I did in the previous comment? (I do not encourage use of screenshot to show search or results, but I had already shared them in text previously. So, here you go for a screenshot.) ... View more

Either your table is misaligned or you're trying to do something very non-obvious. I don't understand what is the relation beetween this: service errorNumber errortype Failed aaca 0 fail 8 aaca 10 pass 1000 aaca 25 fail 290 aaca 120 fail 8 aaca 80 pass 800 aaca 200 fail 400 aaca 210 pass 22 aaca 500 fail 10 And this: service errorNumber errortype Failed aaca 0 fail 2538 10 pass 25 fail 120 fail 80 pass 200 fail 210 pass 500 fail   Also remember that Splunk is not Excel so you can't merge cells ... View more

Hi @yuanliu , thank you so much, it worked ... View more

Hi @richgalloway @isoutamo , thank you for the information and help. ... View more

Something like | rex "<<<\s*(?<LogType>[^\s]*)\s*:[^:]*:[^:]*:[^:]*:(?<Class>[^:]*).*REQS REQUID\s*::\s*(?<ReqsRequid>[^:]*).*SUB REQUID::\s*(?<SubRequid>[^:]*).*Application\s*:(?<Application>[^:]*::\s*Org\s*:\s*(?<Org>[^:]*)" ... View more

You can make panels dependent on the existence of a token. You do this with a <change> block on the input and setting or unsetting the tokens that a panel requires to display. You can be as fine or as coarse as you like, i.e. you could make a token for each panel and set/unset the panels as needed and then each panel definition will "depend" on its own token. You will also need an <init> section at the start of your XML to set the default state of the tokens if you want the panels to display immediately when the dashboard is loaded.   <change> <condition value="Pass_srvc"> <set token="show_panels_1">true</set> <unset token="show_panels_2">true</unset> </condition> <condition> <set token="show_panels_1">true</set> <set token="show_panels_2">true</set> </condition> </change> ... <panel depends="$show_panels_1$">... .. <panel depends="$show_panels_2$">... ..     ... View more

It was so simple, Thank you so much it worked 😊 ... View more

Below is the complete xml. here i am not getting how to add the token values to the other panels in the dashboard. Can you help me on that <dashboard> <label> Dashboard title</label> <row> <panel> <table depends="$hide$"> <title>$Time_Period_Start$ $Time_Period_End$</title> <search> <query>| makeresults | addinfo | eval SearchStart = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), SearchEnd = strftime(info_max_time, "%Y-%m-%d %H:%M:%S") | table SearchStart, SearchEnd</query> <earliest>-7d@d</earliest> <latest>@d</latest> <done> <set token="Time_Period_Start">$result.SearchStart$</set> <set token="Time_Period_End">$result.SearchEnd$</set> </done> </search> </table> </panel> </row> <row> <panel> <title>first panel</title> <single> <search> <query>|tstats count as internal_logs where index=_internal </query> <earliest>-7d@d</earliest> <latest>@d</latest> <sampleRatio>1<sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> <row> <panel> <title>second panel</title> <single> <search> <query>|tstats count as audit_logs where index=_audit </query> <earliest>-7d@d</earliest> <latest>@d</latest> <sampleRatio>1<sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> <row> <panel> <title>Third panel</title> <single> <search> <query>|tstats count as main_logs where index=main </query> <earliest>-7d@d</earliest> <latest>@d</latest> <sampleRatio>1<sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> </dashboard> ... View more

If you haven't figured this out: There is no way for volunteers in this forum to troubleshoot your issue - we used call this "giving a haircut via the telephone", unless you can explain what your data look like, what your mstats looks like, what your results look like, and why you think some results are not correct.  And, importantly, only you (and your colleagues) know what changes may have occurred, so that's important information, too. ... View more

Hi @mahesh27  with my solution, you have a different count for application1 and application2. the issue should be on the regexes, could you share some samples from application1 and application2? Ciao. Giuseppe ... View more

I don't quite follow, to be honest. Of course you could go through a list of terms to match  over event by event and set a field in case it matched but it will be way way way worse performance-wise. ... View more

If it is valid JSON and you want to use INDEXED_EXTRACTIONS then this is all that is needed. [sourcetype] INDEXED_EXTRACTIONS=json Note the implications of using this setting though. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#Structured_Data_Header_Extraction_and_configuration     ... View more

Hi @mahesh27 ...should be possible i think.. please update us your present dashboard xml query.. so that we can fine-tune it for your requirement, thanks.  ... View more

Thankyou @richgalloway  if worked   ... View more

Apart from @VatsalJagani already pointed out, each of your searches works differently. The "raw" search extracts fields from events, then does stats count. The tstats search counts splitting by different values of the cod-data field. So even if your extractions matched in both of your searches, if cod-data field had always the same value, your "raw" search would extract and count all occurrences of that field but tstats would only give you one value at the beginning. And then you'd count that value (not sum!) so you'd end up with just 1 as the result. ... View more