I didn't consider that but you are right that the query needs to consider the edge cases. I am not an expert in Splunk, how do I write those fitlers?  ... View more

Thanks for the response.  I was trying to see the accuracy of both the queries as I see difference in the counts, the one that you provided and the one from accepted answer. I edit the query to use some mock data. I am not able to use the mock data with the query in accepted answer, I would appreciate if you can help me fix that so that I can compare the results. | makeresults format=csv data="interactionid,_time,elapsed,msgsource 1,2025-07-31,00:00.756,retrieveAPI 2,2025-07-31,00:00.556,createAPI 3,2025-07-31,00:00.156,createAPI 4,2025-07-31,00:00.256,updateAPI 5,2025-07-31,00:00.356,retrieveAPI 6,2025-07-31,00:00.156,retrieveAPI 7,2025-07-31,00:01.056,createAPI 8,2025-07-31,00:00.256,retrieveAPI 9,2025-07-31,00:06.256,updateAPI 10,2025-07-31,00:10.256,createAPI" | rex field=elapsed "^(?<minutes>\\d+):(?<seconds>\\d+)\\.(?<milliseconds>\\d+)" | eval TimeMilliseconds = (tonumber(minutes) * 60 * 1000) + (tonumber(seconds) * 1000) + (tonumber(milliseconds)) | timechart span=1d count as AllTransactions, avg(TimeMilliseconds) as AvgDuration count(eval(TimeMilliseconds<=1000)) as "TXN_1000", count(eval(TimeMilliseconds>1000 AND TimeMilliseconds<=2000)) as "1sec-2sec" count(eval(TimeMilliseconds>2000 AND TimeMilliseconds<=5000)) as "2sec-5sec", by msgsource | untable _time msgsource count | eval group=mvindex(split(msgsource,": "),0) | eval msgsource=mvindex(split(msgsource,": "),1) | eval _time=_time.":".msgsource | xyseries _time group count | eval msgsource=mvindex(split(_time,":"),1) | eval _time=mvindex(split(_time,":"),0) | table _time msgsource AllTransactions AvgDuration TXN_1000 "1sec-2sec" "2sec-5sec" This query created the table but the counts are all 0s. And, here is the edited query  that you shared that shows the results: | makeresults format=csv data="interactionid,_time,elapsed,msgsource 1,2025-07-31,00:00.756,retrieveAPI 2,2025-07-31,00:00.556,createAPI 3,2025-07-31,00:00.156,createAPI 4,2025-07-31,00:00.256,updateAPI 5,2025-07-31,00:00.356,retrieveAPI 6,2025-07-31,00:00.156,retrieveAPI 7,2025-07-31,00:01.056,createAPI 8,2025-07-31,00:00.256,retrieveAPI 9,2025-07-31,00:06.256,updateAPI 10,2025-07-31,00:10.256,createAPI" | eval total_milliseconds = 1000 * (strptime("00:" . elapsed, "%T.%N") - relative_time(now(), "-0d@d")) | eval timebucket = case(total_milliseconds <= 1000, "TXN_1000", total_milliseconds <= 2000, "1sec-2sec", total_milliseconds <= 5000, "2sec-5sec", true(), "5sec+") | rename msgsource as API | bucket _time span=1d | eventstats avg(total_milliseconds) as AvgDur by _time API | stats count by AvgDur _time API timebucket | tojson output_field=api_time _time API AvgDur | chart values(count) over api_time by timebucket | addtotals | spath input=api_time | rename time as _time | fields - api_time You query shows the correct result but the fields are not in a order how I want to display. Any help to fix both queries would be appreciated. ... View more

Sorry, I know very basics of Splunk. I don't think I was able formulate the query you suggested as it return no output. Here is the query I ran: my query | rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" | eval TimeMilliseconds=(NewTime*1000) | eval timeperiod=case(TimeMilliseconds<1,"<1s",TimeMilliseconds>=1 AND TimeMilliseconds<2,"1-2s",TimeMilliseconds>=2 AND TimeMilliseconds<5,"2-5s",1=1,">5s") | untable _time msgsource count | eval group=mvindex(split(msgsource,": "),0) | eval msgsource=mvindex(split(msgsource,": "),1) | eval _time=_time.":".msgsource | xyseries _time group count | eval msgsource=mvindex(split(_time,":"),1) | eval _time=mvindex(split(_time,":"),0) | table _time msgsource total * ... View more

Sorry I didn't mention before that I know very basic of Splunk, so I couldn't follow everything you said. Here is the query that I tried and the result: | rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" | eval TimeMilliseconds=(NewTime*1000) | eval timeperiod=case(TimeMilliseconds<1,"<1",TimeMilliseconds<2,"1<2",TimeMilliseconds<5,"<5",TimeMilliseconds<48,"5<48",1=1,">48") | bin _time span=1d | stats count by _time timeperiod msgsource | eval timesource=_time . "|" . msgsource | xyseries timesource timeperiod count | eval _time=mvindex(split(timesource,"|"),0),msgsource=mvindex(split(timesource,"|"),1) | fields - timesource output looks like this which is not what is expected. 5<48 >48 _time msgsource 1 439 2025-07-20 createAPI 1 1943 2025-07-20 RetrieveAPI   I was expecting an output something _time msgsource total <1s 1-2s 2-5s >5s     ... View more

It says `No results found.` ... View more

Time Event 4/27/245:30:37.182 AM { "Client":"ClientA", "Msgtype":"WebService", "Priority":2, "Interactionid":"1DD6AA27-6517-4D62-84C1-C58CA124516C", "Seq":15831, "Threadid":23, "message":"TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313", "Userid":"Unknown" }   I just want to make sure that I state it right, when I run the following query, I get an output already, so json and fields are all correct. It is just my json was messed up when I massaged it (please ignore) : index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error | rex field=message "Message=.* \((?<apiName>\w+?) -" | lookup My_Client_Mapping Client OUTPUT ClientID ClientName Region | chart count over ClientName by apiName where `chart count over` is at the end. But, when I move the `lookup` statement after `chart`, I don't get any data back. If I remove the `lookup` the query won't work as `ClientName` is stored in lookup mapping file. ... View more

My bad, sorry that while I was removing the sensitive data, I messed up the event. Here is the actual one that I used: { Client:ClientA, Msgtype:WebService, Priority:2, Interactionid:1DD6AA27-6517-4D62-84C1-C58CA124516C, Seq:15831, Threadid:23, message: TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313), Userid:Unknown } And, the regex works too, here is the working example that would extract the apiName: https://regex101.com/r/7f9Cnb/1   ... View more

I have moved the lookup statement to the end after chart. Here is the latest query that I used. After I move the lookup at the end, I see no data. index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* | rex field=message "Message=.* \((?<apiName>\w+?) -" | chart count over client by apiName | lookup My_Client_Mapping client OUTPUT ClientID ClientName Region Here is the sample events that I am working with, if that helps: Time Event 4/27/24 5:30:37.182 AM { "client":"ClientA", "msgtype":"WebService", "priority":2, "interactionid":"1DD6AA27-6517-4D62-84C1-C58CA124516C", "seq":15831, "threadid":23, "message":"TimeMarker: WebService: Sending result @110ms. (retrievePaymentsXY - ID1:123 ID2:ClientId|1 ID3:01/27/2024-04/27/2024)", "userid":"Unknown" }   My_Client_Mapping lookup table has details of my clients like Client ClientId ClientName Region ClientA 1 Client A Eastern ClientB 2 Client B Eastern ClientC 3 Client C Western     ... View more

Moving lookup after chart fetch nothing. ... View more