Hi All -  I need help with a fairly complex search i am being asked to build by a user. The ask is that the below fields are extracted from this XML sample: [2024-09-10 07:27:46.424 (TID:14567876)] <subMerchantData> [2024-09-10 07:27:46.424 (TID:dad4d2e725854048)] <pfId>499072</pfId> [2024-09-10 07:27:46.424 (TID:145767627)] <subName>testname</subName> [2024-09-10 07:27:46.424 (TID:dad4d2e725854048)] <subId>123456</subId> [2024-09-10 07:27:46.424 (TID:145767627)] <subStreet>1 TEST LANE</subStreet> [2024-09-10 07:27:46.424 (TID:145767627)] <subCity>HongKong</subCity> [2024-09-10 07:27:46.424 (TID:145767627)] <subState>HK</subState> [2024-09-10 07:27:46.424 (TID:dad4d2e725854048)] <subCountryCode>344</subCountryCode> [2024-09-10 07:27:46.424 (TID:dad4d2e725854048)] <subPostalCode>1556677</subPostalCode> [2024-09-10 07:27:46.424 (TID:dad4d2e725854048)] <subTaxId>-15566777</subTaxId> [2024-09-10 07:27:46.424 (TID:14567876)] </subMerchantData> This search doesn't pull anything back, i believe because they are not extracted fields index=test merchantCode=MERCHANTCODE1 subCountryCode=* subState=* orderCode=* | stats count by merchantCode subCountryCode subState orderCode In addition to these fields SubState, SubCountryCode, SubCity, PFID, SubName, SubID, SubPostalCode, SubTaxID However i'm not sure how this can be fulfilled, could anyone support with writing a search that would allow me to extract this info within a stats count? Thanks, Tom ... View more

Hi -  I have a quick props question. I need to write a props for a particular sourcetype, and the messages always start with before the timestamp starts: ukdc2-pc-sfn122.test.local - OR ukdc2-pc-sfn121.test.local -  When writing the TIME_PREFIX can a regex be written to account for this, is it just a basic one if so can someone provide this? Thanks   ... View more

Hi -  We have a requirement to join the below eval statement searches, would it be possible if someone could assist with the solution please? eval search 1 = index="wpg" host=*pz-pay* OrderSummary | stats count AS "Total" eval search 2 = index="wpg" host=*pz-pay* OrderSummary AND "Address is invalid, it might contain a card number") | stats count AS "Failure" eval result =( search 1/search 2)*100 Thanks, Tom ... View more

Hi -  I am looking to optimise this search by removing dedup, the idea of the search is to remove duplicate paymentId fields & create a table with the fields specified under the stats count. The search currently takes 300+ seconds to run for 4hrs worth of data. AND card_issuer_stats AND acqRespCode!="0" AND acqRespCode!=85 AND acqRespCode!=100 AND gwyCode="test123" |dedup paymentId |stats count by acqCode,acqRespCode,mainBrand |sort -count Any help would be greatly appreciated, thanks ... View more

Hi -   I am currently looking to optimise the search below as it is using a lot of search head resource: index=idem attrs.GW2_ENV_CLASS=preprod http_status=5* http_status!=503 NOT "mon-tx-" Sample JSON result set:     @timestamp: 2024-07-31T12:41:20+00:00 attrs.AWS_AMI_ID: attrs.AWS_AZ: eu-west-1c attrs.AWS_INSTANCE_ID: i-0591d93b5e5881da9 attrs.AWS_REGION: eu-west-1 attrs.GW2_APP_VERSION: attrs.GW2_ENV_CLASS: preprod attrs.GW2_ENV_NUMBER: 0 attrs.GW2_SERVICE: idem body_bytes: 1620 bytes_sent: 2060 client_cert_expire_in_days: 272 client_cert_expiry_date: Apr 30 10:11:07 2025 GMT client_cert_issuer_dn: CN=******* PROD SUB CA2,O=Fidelity National Information Services,L=Jacksonville,ST=Florida,C=US client_cert_verification: SUCCESS client_dn: CN=idem-semantic-monitoring-preprod,OU=Gateway2Cloudops,O=Fidelity National Information Services,L=London,C=GB container_id: 17b7167ec5f2d20ec10704550fc8f2c2b9daedc835ce5fe0828ac86651983517 container_name: /idem-kong-1 correlationId: hostname: 17b7167ec5f2 http_content_type: application/vnd.*******.idempotency-v1.0+json http_referer: http_status: 200 http_user_agent: curl/8.5.0 log: {"@timestamp": "2024-07-31T12:41:20+00:00", "correlationId": "", "request_method": "POST", "hostname": "17b7167ec5f2", "http_status": 200, "bytes_sent": 2060, "body_bytes": 1620, "request_length": 1689, "request": "POST /idempotency/entries/update HTTP/2.0", "http_user_agent": "curl/8.5.0", "http_referer": "", "body_bytes": 1620, "remote_addr": "10.140.49.156", "remote_user": "", "response_time_s": 0.007, "client_dn": "CN=idem-semantic-monitoring-preprod,OU=Gateway2Cloudops,O=Fidelity National Information Services,L=London,C=GB", "client_cert_issuer_dn": "CN=******* RSA PROD SUB CA2,O=Fidelity National Information Services,L=Jacksonville,ST=Florida,C=US", "client_cert_expiry_date": "Apr 30 10:11:07 2025 GMT", "client_cert_expire_in_days": "272", "client_cert_verification": "SUCCESS", "wpg_correlation_id": "mon-tx-ecs-1722429678-idem-pp-2.preprod.euw1.gw2.*******.io", "http_content_type": "application/vnd.******.idempotency-v1.0+json", "uri_path": "/idempotency/entries/update"} parser: json remote_addr: 10.140.49.156 remote_user: request: POST /idempotency/entries/update HTTP/2.0 request_length: 1689 request_method: POST response_time_s: 0.007 source: stdout uri_path: /idempotency/entries/update wpg_correlation_id: mon-tx-ecs-1722429678-idem-pp-2.preprod.euw1.gw2.*******.io   I have tried adding additional filtering on particular fields, but it is not having the desired effect. Please note, the wildcards in the JSON are where i have masked this for the purposes of this community case. Thanks, ... View more