I am trying to filter my search results where only a particular subset of the results should be shown. Example suppose if below is the intermediate search result.  MESSAGE: Records::0 MESSAGE: Records::1 MESSAGE: Records::0 MESSAGE: Records::4 Final search results should contain only where the records are greater than 0. Is there any query which can help with this? ... View more

I have a splunk event with below format: { message { DATE: 2023-07-20T11:53:04 } } I want to find all the events that have the above DATE field in a particular range. However below query is not yielding any results. Is something wrong with it? BASE SEARCH | message.DATE >= strftime("2023-07-20T11:50:04","%Y-%m-%dT%H:%M:%S") AND message.DATE <= strftime("2023-07-20T11:56:04","%Y-%m-%dT%H:%M:%S") ... View more

I have a drop/drill down with 3 values namely: All,A,B And there are 2 panels, let's say 1 and 2 which take input in the form of tokenfilter from above drop down. 1 should be displayed and 2 hidden when A is selected. 2 should be displayed and 1 hidden when B is selected. And lastly when All is selected both the panels should be displayed.  Is there a way to achieve this in the panels or dashboard?   Any pointers would be helpful on the same. ... View more

I have below events/messages in my search result. There are 2 fields stack_trace and TYPE like below. I want to group the events and count them as shown below based on a particular text from stack_trace and TYPE field as below. Is it possible to group the messages based on 2 fields (TYPE,stack_trace)? I am using below query but I am stuck as to how to group by 2 fields.  Event 1     { TYPE: ABCD stack_trace : com.abc.xyz.package.ExceptionName: Missing A. at random.package.w(DummyFile1:45) at random.package.x(DummyFile2:64) at random.package.y(DummyFile3:79) }       Event 2     { TYPE: XYZ stack_trace : com.abc.xyz.package.ExceptionName: Missing B. at random.package.w(DummyFile1:45) at random.package.x(DummyFile2:64) at random.package.y(DummyFile3:79) }       Expected Output     TYPE Exception Count ABCD Missing A 3 ABCD Missing B 4 XYZ Missing A 6 XYZ Missing B 1       Query I am using but incomplete      BASE_SEARCH | rex field= _raw "Exception: (?<Exception>[^\.\<]+)" | stats count as Count by "Exception"       Actual Output     Exception Count Missing A 3 Missing B 4 Missing c 6       ... View more

I have json events/messages in my search result. There is a field or property called "stack_trace" in the json like below. I want to group the events and count them as shown below based on the Exception Reason or message. The problem is traces are multi lined and hence below query that I am using is, it seems not able to extract the exact exception message. Is there a way to achieve the expected output?  Event       { MESSAGE : Failed to send stack_trace : com.abc.xyz.package.ExceptionName: Missing A. at random.package.w(DummyFile1:45) at random.package.x(DummyFile2:64) at random.package.y(DummyFile3:79) }         Query I am using       MY_SEARCH | rex field=stack_trace "(?<exceptionclass>\w+): (?<exceptiontext>\w+)." | stats count as Count by "exceptiontext"         Expected Output       Exception Count Missing A 3 Missing B 4 Missing C 1         ... View more

I have below format log messages. At the end I want to group the messages by BID. I tried using the below query but I am not getting any events even though there are events that qualify my query.      { "details" : [ { "BID" : "123" }, { "BID" : "456" } ] }       Expected Output :    BID Count 123 4 456 3     Query I am using :   {my_search} | rex field=MESSAGE "(?<JSON>\{.*\})" | spath input=JSON path=details.BID | stats values(details.BID) as "BID" by CORRID | stats count as Count by "BID"     ... View more

I have the below search results that will consist of 2 different types of log formats or strings. Log 1:  "MESSAGE "(?<JSON>\{.*\})" and Log 2 : "Published Event for txn_id (?<tx_id>\w+)". Both of these formats or logs or messages will be present in the result of the below search_results. I want to filter only those logs with Log 1 format that has the same transactionid as the one in the other Log 2 format. I am trying to run the below query. However its giving zero results even though there are common transactionids between these 2 log formats. Is there any way to achieve this?    {search_results} | rex field=MESSAGE "(?<JSON>\{.*\})" | rex field=MESSAGE "Published Event for txn_id (?<tx_id>\w+)" | spath input=JSON | where transaction_id == tx_id   ... View more

I want to filter the search results based on tx_id that I extract in the 2nd rex. Meaning only those results that have the transaction_id same as the tx_id. I tried the where clause but it doesn't work     {search_results} | rex field= MESSAGE "(?<JSON>\{.*\})" | rex field= MESSAGE "Published Event for txn_id (?<tx_id>\w+)"       I tried this :     {search_results} | rex field= MESSAGE "(?<JSON>\{.*\})" | rex field= MESSAGE "Published Event for txn_id (?<tx_id>\w+)" | where JSON.transaction_id in (tx_id)       ... View more