Log like. message: [22/09/23 10:31:47:935 GMT] [ThreadPoolExecutor-thread-15759] INFO failed.", suspenseAccountNumber="941548131", suspenseAccountBSB="083021", timeCreate as OTHER BUSINESS REASON returned by CBIS.", debtor RoutingType="BBAN", debtor Routing Id="013013", creditor RoutingType="BBA 6899-422f-8162-6911da94e619", transactionTraceIdentification-1311b8a21-6d6c-422b-8 22T10:31:42.8152_00306", instrId="null", interactionId="null", interactionOriginators tx_uid-ANZBAU3L_A_TST01_ClrSttlmve01_2023-09-22T10:31:42.8152 00306, txId-ANZBAU3L priority-NORM, addressingType=noAlias, flow-N5XSuspense.receive]     How extract the transactionTraceIdentification filed    I tried already rex field= message "transactionTraceIdentification=\"(?<transactionTraceIdentification>.*?)\","   Not extraxted the vaule ... View more

Event and Report extract rules Use the payment business events to identify Transactions which have ACCP clearing status (NPP 1012.NPP 1013) with missing Settlement Notification event NPP 1040 "NPP 1033_CR_INBOUND "NPP 1012 CECARING_INBOUND" • "NPP 1013_RETURN_INBOUND" I "NPP 1040 SETTLEMENT RECEIVED" Report should include the following fields Time from NPP 1033 TXID from NPP 1033 Amount from NPP 1012 or NPP 1013   Already i have created query    index-nch_apps_nonprod applications fis-npp source fis-npp-sit4 ((NPP 1012 CLEARING INBOUND OR NPP 1013 RETURN INBOUND) OR NPP 1033 CR INBOUND or rex field-message "eventName=\"(?<eventName> *?)\"." rex field-message "txId\"(?<txId>. *?)\," Κ I rex field-message "amt=\"(?<amt>.2)\"." rex field-message ibm.datetime-(?<ibm_datetime> *)," + Participant 1 eval Participant substr(txId,1,8) stats values(eventName) as eventName, min(ibt datetime) as Time, values(amt) as amt by (eventName, NPP 1840 SETTLEMENT RECEIVED) < 0 table Time eventName Participant amt where mycount (eventName) >= 3 AND mvfind (eventName, npp 1040) but not getting any result  ... View more

Have drop down vaules like below Extual vaul Index =abc source = abc source   Drop down values like prod  lable  Value source =abc source  In query getting like error index=abc source=abc source  i required logic for space between index and source      ... View more

my query below (Index=x source=xtype valid) or (index=y source= ytype  passed) | eval which=if(match(_raw, " valid"),"valid", "passed") | stats values( which) as msg by manid |  stats count(eval(msg=" valid")) as total_ count count(eval(msg= "passed"))    getting  out like total count 54 respons count 58 But i want check this condition too  Eval msgconur = mvcount(msg) | where >1  Need to check duration time > 30 count duration time <30 count    ... View more

I have created my dashboard . I need to created pdf report of dashboard sent to my email daily 2pm ist. ... View more

We have created base serach query but I required to created root search base on that . ... View more

Filed extracted like rex field = msg " student information\" : (?<studentname>.*?),"   Student name getting like below "Stdent570" "55555sdeend" I want data with our double quotes  ... View more

I have two event start event having extracted fields from log  managerid ,branch I'd,empname using index = emp source = empsource " offer letters" End event having extracted field empid,branch id index= manager source= manager source " relieving letters"  I want to get empid who's is taken offer letter and relieving later and duration.   ... View more

Below two events  Start event  Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*"     |  Rex field=  log " state=(?<state>.*" | Table _time bid,mandid,actionid,state   End event  Index=y sourcetype=yytype source=y  "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*"  | Table _time manid actionid   ... View more

We have two events Start event  Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*"     |  Rex field=  log " state=(?<state>.*" | Table _time bid,mandid,actionid,state   End event  Index=y sourcetype=yytype source=y  "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*"  | Table _time manid actionid   Calculate different between start event and end event group by manid and count mandates exceeding different above 30sec ... View more