Hi, can you try this : index="sample_idx" $serialnumber$ log_level=info | regex message="(?:Unit[\s]+state[\s]+update[\s]+from[\s]+cook[\s]+client[\s]+target)" this try to filter data that contains the bold text with words separated by one or more space. is that what you are looking for ? i'm sorry if i misunderstand   ... View more

This is a JSON object (except you should add quotes to those bare XXXX).  Do not use regex on structured data.  See the other thread you started.  Your search is inefficient because you use wildcard at the beginning of a term.  And there's a solution to that. ... View more

this worked like a charm!  thank you! ... View more

Splunk uses different colors for different numeric fields.  Your stats command results in only one, count.  There are many ways to make a field named Pass and another named Fail.  As your output only contains a 2x2, the easiest is probably just transpose the output. index="sampleindex" source="samplesource" test_name="IR Test" serial_number="TC-7" | stats count by result | transpose header_field=result Additional tips: Do not use screenshot to share text data.  Share raw text. Do not cascade filters that can be performed in initial index search. Format Splunk searches with pipe sign at beginning of line, not end.  You can enable "Search auto-format" in preferences to help you create readable searches. ... View more

Hi @nkavouris , you can use a subsearch to filter results in the main search passing the fields with the same name and putting attention to pass only the fields to use for filtering, in your case: keystone_time, serial_number, message, after but not model that isn't used in the main search. The problem is the message field because you need to use it as a part of the search, ib this case you have to rename it in "query": search index="june_analytics_logs_prod" [[search index="june_analytics_logs_prod" (message=* new_state: Diagnostic, old_state: Home*) | spath serial output=serial_number | spath message output=message | spath model_number output=model | eval keystone_time=strftime(_time,"%Y-%m-%d %H:%M:%S.%Q"), before=keystone_time-10, after=_time+10, eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S.%Q") | rename message AS query | fields keystone_time serial_number query after ] the renaming of message AS query permits to search in full text search mode. I didn't use it with other fields, only by itself, but it should run. Ciao. Giuseppe ... View more

Apart from your main question there are three issues with your search 1. You're using spath on the whole event which would mean that the fields are not auto-extracted. Where do you have your fields from then? It's a bit unclear to me. 2. Are you aware what is the difference between (message!=something) and (NOT message=something)? 3. The search term with a wildcard  at the beginning is gonna be very costly performance-wise. OK. Having gone past that... You can use streamstats to "copy" values from an event to subsequent events. It's not clear what your search for event A is but the general idea would be: <base search matching both eventA and eventB conditions> | eval firsteventid=if(<criteria matching event A>) | eval secondeventid=if(<criteria matching event B>) | streamstats time_window=30s values(firsteventid) as previousfirsteventid ```here we do the copy-over``` | where secondeventid=previousfirsteventid ```if you can expect multiple firsteventids you might need to do some multivalue matching```   ... View more

What would be a better method to find events where the message field contains " new_state: Diagnostic, old_state: Home" as opposed to wildcards? I am looking for the events directly chronologically after the keystone event. that is a time stamp more recent than the keystone event? How would I structure this streamstats command in the rest of my query? That is, there is separate criteria which the data events must meet in order to be viable ... View more

Please illustrate full message.  The look of the fragment suggest your source is actually JSON, something like   {"message":"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257", "foo":"bar"}   Is this correct?  Using regex directly on structured data is strongly discouraged as any regex is doomed to be fragile. If the JSON is raw event, Splunk would have already extracted a field called "message".  Start from this field instead.  This field also is structured as KV pairs.  Use kv aka extract instead of regex.   | rename _raw as temp, message as _raw | kv kvdelim=": " pairdelim="," | rename _raw as message, temp as _raw | fields fuel   Your sample data would have given fuel _raw _time 0 {"message":"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257", "foo":"bar"} 2024-07-17 09:06:35 Here is an emulation for you to play with and compare with real data   | makeresults | eval _raw = "{\"message\":\"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257\", \"foo\":\"bar\"}" | spath ``` data emulation above ```     ... View more

serial_number would have already been extracted, too.  You do whatever is needed.  But I do not see a chart of two values() function useful in this case.  Maybe you mean to have something like _time E21 E25 2024-07-15 51A81FC 51A86FC   2024-07-16   51A81FC In other words, get serial_numbers according to error_code?  All you need is something like   <your search> "ErrorCode(*)" | rex field=message "ErrorCode\((?<error_code>[^\)]+)" | timechart span=1d values(serial_number) by error_code   Here, I propose that you restrict events to those containing error code in index search rather than in another search line. Or, if you want to group error_codes on individual serial_number, like _time 51A81FC 51A86FC 2024-07-15 E21 E21 2024-07-16 E25   For this, do   <your search> "ErrorCode(*)" | rex field=message "ErrorCode\((?<error_code>[^\)]+)" | timechart span=1d values(error_code) by serial_number   Does this make sense? Here is an emulation to get the above results.  Play with it and compare with real data   | makeresults | eval data = mvappend("{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A86FC\"}", "{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A81FC\"}", "{\"time\": \"2024-07-16\", \"message\":\"gimlet::someotherstuff: State { target: whatever, state: whaever, some other messages, errors: ErrorCode(E25)}\", \"serial_number\": \"51A81FC\"}") | mvexpand data | rename data as _raw | spath | eval _time = strptime(time, "%F") ``` the above emulates <your search> "ErrorCode(*)" ```   ... View more

The extraction gives you the values for the fields for each event. Each event will have an _time field with the time of the event. You have all the information you need to plot the values against time. Is it simply that you want to restrict the fields that are plotted? | table _time target state cavity The first field will be the x-axis on the chart (when you select a line chart as your visualisation), the other fields will be the series in the chart, each of which will be a line on the chart. What more do you need? ... View more

No, outer result is not important as i am looking to create pass/fail charts with the inner results of each corresponding test   ... View more

Adding a by-field of "serial_number" in you final stats will display you chart like this. Similarly, instead of the stats you could do a    | chart count as count over serial_number by result    and this should give you results ver similar. For an overall Pass/Fail visual across all serial number you can do a stats like this   | stats count as count by result   and the resulting chart shows something like this     ... View more

Should be able to fit both conditions into one if() logic statement if((spath(logs, "test_name")=="Motor" OR spath(logs, "test_name")=="Pass"), 'logs', null()) or maybe even something like this. if(spath(logs, "test_name") IN ("Motor", "Pass"), 'logs', null()) ... View more

The problem is Splunk always flattens arrays.  The trick is to preserve logs{} as a vector before mvexpand. index="factory_mtp_events" | spath path=logs{} ``` alternative syntax: | spath logs{} ``` | mvexpand logs{} | search test_name="Sample Test1" ... View more