Seems like this is much more involved than I initially thought. Before you delve into crevices, maybe check something more obvious: rex or regex autoextract itself does not filter results.  You sill need a filter to do that. index=accounting sourcetype=linux_admin | rex field=_raw "(?<ssh>\bssh\b)"  Have you tried adding a filter after rex, like this? index=accounting sourcetype=linux_admin | rex field=_raw "(?<ssh>\bssh\b)" | where isnotnull(ssh)  This tells Splunk to return only those events in which the regex has a match. If you use autoextraction as your props.conf shows, to apply filter, you need something like index=accounting sourcetype=linux_admin ssh=* But here is another obvious mismatch. props.conf [linux_audit] TRANSFORMS-changesourcetype = change_sourcetype_authentication This stanza applies to sourcetype linux_audit, NOT linux_admin as suggested in your original search.  Is this a typo when you set up the autoextraction? ... View more

I need the same functionality like in Studio  -  "Select matched" . As we have established, there is no feature parity between Dashboard Studio and SimpleXML.  All you can do is to emulate an effect.  Let me repeat: there are a million ways to do this.  Details will depend on your desires, data characteristics, and how token will be used.  In the following sample dashboard, the user can enter a string of text to "match" some element in the list displayed in the upper right box.  The result is used to populate a token named $group_tok$.  This token is then used in search in the bottom "Results" panel. (Again, index=_internal is used as example source data.) <form version="1.1" theme="light"> <label>"Select matches"</label> <description>https://community.splunk.com/t5/Splunk-Search/Multiselect-filter-Select-all-matches-in-classic-dashboard/m-p/745537#M241480, but only use matches</description> <fieldset submitButton="false"></fieldset> <row> <panel> <input type="text" token="group_string" searchWhenChanged="true"> <label>type a string to match group</label> <default></default> </input> </panel> <panel> <table> <search> <query>| tstats count where index=_internal by PREFIX(group=) | search "group=" = "*$group_string$*" | stats values(group=) as matches</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <done> <set token="group_tok">$result.matches$</set> </done> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <row> <panel> <title>$group_tok$</title> <event> <title>Results</title> <search> <query>index=_internal group IN ($group_tok$)</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="list.drilldown">none</option> </event> </panel> </row> </form> Play with it and adapt to your use case. ... View more

I would go with foreach as @livehybrid does, but the code could be simpler. |foreach * [eval <<FIELD>> = if(match(<<FIELD>>, "(?i)widget") OR "<<FIELD>>" == "my_field_42", <<FIELD>>, null())] Using the same emulation, you get my_field1 my_field_2 my_field_23 my_field_42   AwesomeWidget69   your mom     Widgets are cool Look, a widget!       your widget ... View more

Like I said above, there are a million ways to do this.  But you have to decide the exact behavior.  In the demo dashboard I posted, I used preselect.  You can edit the input to select these 4 as default selection. An alternative behavior could be a special selection that has label "all 4" and the four values as value.  Implementation details will depend on how you use the token and so on.  There are other alternatives.  You need to be clear in describing how you want the UI to behave. ... View more

As @bowesmana diagnoses, default field extraction stops at 50K.  You can change this in limits.conf.  The stanza is [kv], property name is maxchars. I recommend that you fix another problem @livehybrid hinted at: You should extract id field from message field, not from _raw, i.e., | rex field=message "(SENDER|RECEIVER)\[(?<id>\d+)\]"   ... View more

Then, where does the dashboard get those strings? In other words, what is the code in that dashboard that prints those strings? ... View more

Is it possible that your developers made a mistake?  If the mock data accurately reflects the raw event structure, there are two errors: The value of root.var2 is missing a quotation mark at the beginning. (toto" instead of "toto".) The structure is missing the final closing bracket. A corrected structure would be { "root": { "field1": "value1", "message": { "var1":132, "var2":"toto", "var3":{}, "var4":{"A":1,"B":2}, "var5":{"C":{"D":5}} } } } If the raw event has the correct structure, you don't need to do anything and Splunk will automatically extract the following: root.field1 root.message.var1 root.message.var2 root.message.var4.A root.message.var4.B root.message.var5.C.D value1 132 toto 1 2 5 root.message.var3 will not show because it's value is a null JSON. ... View more

Totally agree with @bowesmana that there is no benefit of using map in this use case.  I also have a suggestion: Do not bother with rex.  Looking at your regular expression, it is all but certain that the field msg contains JSON.  This would be much simpler: index=xyz ("someString" OR "REQUEST BODY") ``` Extract the traceid fron the DBUG message containing someString and then from the request body ``` | rex field=msg "DEBUG\s+\|\s+(?<debug_traceid>[a-f0-9-]{36})" | rex field=field_containing_traceid_in_request_body "(?<body_traceid>[a-f0-9-]{36})" | eval traceid=coalesce(debug_traceid, body_traceid) | spath input=msg | stats values(debug_traceid) as debug_traceid values(artifact_guid) as artifact_guid values(email_address) as email_address by traceid | where isnotnull(debug_traceid) ... View more

As a versatile alternative, you can use transpose.  Using the same lookup example as @livehybrid does, this is how to transform these extended mock data F1 F2 F3 Hello World Test Some thing else into this form FieldName1Example FieldName2Example FieldName3Example Hello World Test Some thing else | transpose 0 | lookup fieldtest.csv fieldID as column | fields - column | transpose 0 header_field=fieldName | fields - column   ... View more

You didn't answer @bowesmana 's question about whether your sample is from an index or a lookup table.  I will assume that they come from events.  In this case, it is unnecessary to extract _time inline.  You can use latest as @bowesmana and @ITWhisperer suggested, or you can simply use dedup to get the latest events before further processing: | eval day = strftime(_time, "%F") | dedup day Name Given this dataset Name Status _raw _time ABC F ABC,F, 04/25/2025 15:50:00 2025-04-25 15:50:00 ABC R ABC,R, 04/25/2025 15:25:00 2025-04-25 15:25:00 ABC F ABC,F, 04/24/2025 15:30:03 2025-04-24 15:30:03 ABC R ABC,R, 04/24/2025 15:15:01 2025-04-24 15:15:01 The above will give you Name Status _raw _time day ABC F ABC,F, 04/25/2025 15:50:00 2025-04-25 15:50:00 2025-04-25 ABC F ABC,F, 04/24/2025 15:30:03 2025-04-24 15:30:03 2025-04-24 Here is a full emulation of your mock data | makeresults | eval _raw="Name,Status,Datestamp ABC,F, 04/24/2025 15:30:03 ABC,R, 04/24/2025 15:15:01 ABC,F, 04/25/2025 15:50:00 ABC,R, 04/25/2025 15:25:00" | multikv forceheader=1 | eval _time = strptime(Datestamp, "%m/%d/%Y %T") | fields - Datestamp linecount | sort - _time ``` data emulation above ``` ... View more

This is confusing: how do you get those "hard coded" text in the first place? In Splunk, the opposite is harder, rendering system date into English word strings. But if you got those strings in some dataset, you sure can "translate" them back.  Suppose your hard coded input is called hardcoded, this search will turn the string into systemdate: | eval decrement = case( hardcoded == "Today", 0, hardcoded == "Yesterday", 1, true(), replace(hardcoded, "Last (\d+).+", "\1") ) | eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F") decrement hardcoded systemdate 0 Today 2025-04-24 1 Yesterday 2025-04-23 2 Last 2nd Day 2025-04-22 3 Last 3rd Day 2025-04-21 4 Last 4th Day 2025-04-20 5 Last 5th Day 2025-04-19 Here is a full emulation for you to play with and compare with real data. | makeresults format=csv data="hardcoded Today Yesterday Last 2nd Day Last 3rd Day Last 4th Day Last 5th Day" | eval decrement = case( hardcoded == "Today", 0, hardcoded == "Yesterday", 1, true(), replace(hardcoded, "Last (\d+).+", "\1") ) | eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F") ... View more

However, when I try to use the text_search_escaped variable inside search, I get no results. Splunk's search command can only use field name like text_search_escaped on the left-hand side.  If you want to use a field's value, where is your friend.  For example, you can say | eval text_search="%\\Test\abc\test\abc\xxx\OUT\%" | eval text_search_escaped=replace(text_search, "\\\\", "\\\\\\\\") | where FileSource LIKE text_search_escaped ... View more

This is a fantastic case study of how Splunk handles major breaker tokens. Splunk is representing the field, jobName as containing "(W6)" truncating the remainder of the value. I don't believe it is terminating because of the ") " in the value. After examining how other fields are extracted in this sample, I am convinced that it terminates the string exactly because the ")" closes the opening "(".   I'm sure this is described in some linguistic documents but I don't know how to find them. So here's a series of tests  to observe. The simplest case: | makeresults | eval _raw = "no_separator=abcdef, quote1 = \"abc\"def, quote2 = 'abc'def, bracket1=(abc)def, bracket2=[abc]def, bracket3 = {abc}def, white_space=abc def" | extract kvdelim="=" pairdelim=, Here, I'm explicitly prescribing kvdelim and pairdelim to avoid additional weirdness. bracket1 bracket2 bracket3 no_separator quote1 quote2 white_space (abc) [abc] {abc} abcdef abc 'abc' abc The second one is perhaps trivial except I added a trailing comma after whitespace entry: | makeresults | eval _raw = "quote1a = abc\"def\", quote2a = abc'def', bracket1a=abc(def), bracket2a=abc[def], bracket3a = abc{def}, white_space1=abc def," | extract kvdelim="=" pairdelim=, bracket1a bracket2a bracket3a quote1a quote2a white_space1 abc(def) abc[def] abc{def} abc"def" abc'def' abc def By adding a trailing comma, white_space1 now includes the part after white space. Among these, white space behaviors are the most intriguing.  So, the following is dedicated to its weirdness: | makeresults | eval _raw = "white_space2=abc def, white_space3 =abc def, white_space4= abc def, white_space5 = abc def, white_space6 = abc def, white_space7 = abc def," | extract kvdelim="=" pairdelim=, white_space2 white_space3 white_space5 white_space6 white_space7 abc def abc def abc def abc abc def Here, you see some dynamics between white space(s) before and after "="; white space(s) before and after the first consequential non-space string also have some dynamics. White space dynamics also affects other brackets.  Double quote is perhaps the best protection of intention: | makeresults | eval _raw = "quote1b=\"abc\" def, quote1c =\"abc\" def, quote1d= \"abc\" def, quote1e = \"abc\" def, quote1f = \"abc\" def, quote1g = \"abc\" def," | extract kvdelim="=" pairdelim=, quote1b quote1c quote1e quote1f quote1g abc abc abc abc abc   The takeaway from all these is that developers need to express their intention by properly quote values and, like @PickleRick suggests, judiciously use white spaces.  Unprotected strings are subject to wild guesses by Splunk - or any other language. To joggle Mark's memory: Pierre had launched an initiative to encourage/beg developers to standardize logging practice so logs are more Splunk-friendly. (I would qualify this as "machine-friendly", not just for Splunk.)  Any treatment after logs are written - such as the workaround @livehybrid proposes, is bound to be broken again when careless developers make random decisions.  Your best bet is to carry on the torch and give developers a good whip. ... View more

In addition to the problems @PickleRick points out, the SPL ignored a fundamental design in the dataset.  The use of stats without group by mr_batchId begs the question: What is the logic to say which values should form ONE line as opposed to another?  In fact, whenever you find yourself "needing" to use stats by _time in Splunk, you ought to tell yourself that some logic is probably wrong. The first troublesome command is | spath resourceSpans{}.scopeSpans{}.spans{}.attributes{} output=attributes .  Here, you bypass several arrays of arrays to only focus on resourceSpans{}.scopeSpans{}.spans{}.attributes{}.  Unless you are absolutely certain about the uniqueness of this path, the prudent strategy is to fully process handle each array.  In your case, the next command, | dedup attributes, indicates that there is no such certainty.  But uniqueness is not the big problem here.  The real problem is: the path resourceSpans{}.scopeSpans{}.spans{} is the key to your developer/vendor's data design.  Each value of resourceSpans{}.scopeSpans{}.spans{} contains a unique mr_batchId that is key to distinguish dataset.  If you want to perform stats, perform stats against resourceSpans{}.scopeSpans{}.spans{}. So, step one is to fully mvexpand into this path: host="MARKET_RISK_PDT_V2" index="murex_logs" sourcetype="Market_Risk_DT" "**mr_strategy**" "typo_Collar" "resourceSpans{}.resource.attributes{}.value.stringValue"="*" | fields - resourceSpans{}.* | spath path=resourceSpans{} | mvexpand resourceSpans{} | spath input=resourceSpans{} path=scopeSpans{} | fields - resourceSpans{} | mvexpand scopeSpans{} | spath input=scopeSpans{} path=spans{} | fields - scopeSpans{} | mvexpand spans{} The above does not address the efficiency problem with **mr_strategy**, but collapses search of  "resourceSpans{}.resource.attributes{}.value.stringValue"="*" into index search, which also improves efficiency. Using your sample data, the above will give 96 spans{} values for a single event.  Among the 96, only two are relevant to your final results.  So, I would recommend adding | where match('spans{}', "mr_batchId") This would give two rows like spans{} {"traceId":"e0d25217dd28e57d2db07e06d690428f","spanId":"d6c133764c7891c3","parentSpanId":"dbd5a3ed4854e73f","name":"fullreval_task","kind":1,"startTimeUnixNano":"1744296121513194653","endTimeUnixNano":"1744296126583212823","attributes":[{"key":"market_risk_span","value":{"stringValue":"true"}},{"key":"mr_batchId","value":{"stringValue":"37"}},{"key":"mr_batchType","value":{"stringValue":"Full Revaluation"}},{"key":"mr_bucketName","value":{"stringValue":""}},{"key":"mr_jobDomain","value":{"stringValue":"Market Risk"}},{"key":"mr_jobId","value":{"stringValue":"CONSO_ABAQ | 31/03/2016 | 12"}},{"key":"mr_strategy","value":{"stringValue":"typo_Collar Cap"}},{"key":"mr_uuid","value":{"stringValue":"4405ed87-fbc0-4751-b5b2-41836f1181cc"}},{"key":"mrb_batch_affinity","value":{"stringValue":"CONSO_ABAQ_run_Batch|CONSO_ABAQ|2016/03/31|12_FullReval0_00037"}},{"key":"mr_batch_compute_cpu_time","value":{"doubleValue":2.042433}},{"key":"mr_batch_compute_time","value":{"doubleValue":2.138}},{"key":"mr_batch_load_cpu_time","value":{"doubleValue":2.154398}},{"key":"mr_batch_load_time","value":{"doubleValue":2.852}},{"key":"mr_batch_status","value":{"stringValue":"WARNING"}},{"key":"mr_batch_total_cpu_time","value":{"doubleValue":4.265003}},{"key":"mr_batch_total_time","value":{"doubleValue":5.069}}],"status":{}} {"traceId":"e0d25217dd28e57d2db07e06d690428f","spanId":"4c8da45757b1ea2a","parentSpanId":"dbd5a3ed4854e73f","name":"fullreval_task","kind":1,"startTimeUnixNano":"1744296126596384480","endTimeUnixNano":"1744296130515095708","attributes":[{"key":"market_risk_span","value":{"stringValue":"true"}},{"key":"mr_batchId","value":{"stringValue":"58"}},{"key":"mr_batchType","value":{"stringValue":"Full Revaluation"}},{"key":"mr_bucketName","value":{"stringValue":""}},{"key":"mr_jobDomain","value":{"stringValue":"Market Risk"}},{"key":"mr_jobId","value":{"stringValue":"CONSO_ABAQ | 31/03/2016 | 12"}},{"key":"mr_strategy","value":{"stringValue":"typo_Non Deliv. Xccy Swap"}},{"key":"mr_uuid","value":{"stringValue":"f6035cef-e661-49bd-8b4c-d8d09da06822"}},{"key":"mrb_batch_affinity","value":{"stringValue":"CONSO_ABAQ_run_Batch|CONSO_ABAQ|2016/03/31|12_FullReval0_00058"}},{"key":"mr_batch_compute_cpu_time","value":{"doubleValue":0.8687239999999999}},{"key":"mr_batch_compute_time","value":{"doubleValue":0.907}},{"key":"mr_batch_load_cpu_time","value":{"doubleValue":2.257638}},{"key":"mr_batch_load_time","value":{"doubleValue":2.955}},{"key":"mr_batch_status","value":{"stringValue":"OK"}},{"key":"mr_batch_total_cpu_time","value":{"doubleValue":3.1801}},{"key":"mr_batch_total_time","value":{"doubleValue":3.917}}],"status":{}} But for flexibility, I consider this optional. From here, there are many ways to get to your desired output.  Given that you only need mr_batch_compute_cpu_time, mr_batch_compute_time, mr_batch_load_cpu_time, mr_batch_load_time, and mr_strategy, I recommend to directly extract them; however, I strongly recommend adding mr_batchId to the list because that's a critical piece of information for you to corroborate data and validate your calculations. ``` the following line is optional - improves efficiency if these are the only attributes of interest | where match('spans{}', "mr_batchId") ``` | spath input=spans{} path=attributes{} output=attributes | foreach mr_batchId mr_batch_compute_cpu_time mr_batch_compute_time mr_batch_load_cpu_time mr_batch_load_time mr_strategy [eval <<FIELD>> = mvappend(<<FIELD>>, mvmap(attributes, if(spath(attributes, "key") != "<<FIELD>>", null(), spath(attributes, "value")))), <<FIELD>> = coalesce(spath(<<FIELD>>, "doubleValue"), spath(<<FIELD>>, "stringValue"))] | dedup _time mr_batchId ``` the above is key logic. If there is any doubt, you can also use | dedup _time mr_batchId mr_batch_compute_cpu_time mr_batch_compute_time ``` | table _time mr_batchId mr_batch_compute_cpu_time mr_batch_compute_time mr_batch_load_cpu_time mr_batch_load_time mr_strategy With this, the output will be _time mr_batchId mr_batch_compute_cpu_time mr_batch_compute_time mr_batch_load_cpu_time mr_batch_load_time mr_strategy 2025-04-12 23:55:21 37 2.042433 2.138 2.154398 2.852 typo_Collar Cap 2025-04-12 23:55:21 58 0.8687239999999999 0.907 2.257638 2.955 typo_Non Deliv. Xccy Swap There is no need to perform stats against _time. ... View more

If all you want is to remove those extra messageID's, you can simply remove those with null request_time, like | search request_time = * ... View more

In addition to everybody's speculations, the biggest problem in the SPL in my opinion is that the whole search will only return one field: User; the entire exercise/homework is to simply restrict which User values are allowed.  No inner join or stats is needed for this task because plain old subsearch is designed for this. There are a million ways to do this.  Given the original SPL lavishes dedup with rest command outputs, I assume that 12k_line.csv is the largest dataset.  So, I am using that as the lead search. (Any command can be used as lead search; corresponding subsearches justed need to be adjusted.) | inputlookup 12k_line.csv where [rest /services/authentication/users splunk_server=local | search type=SAML | fields title | rename title AS User] [rest /servicesNS/-/-/directory | fields author | dedup author | rename author AS User ] | fields User   ... View more

If I read your context correctly, you want to use values of "name" in parameters as key, and those of "value" as value, like the following based on your sample data. storedProcedureName DocumentFileTypeId DocumentId DocumentTypeId DocumentVersionId IncludeInactive RETURN_VALUE DocumentFileTypeGetById 7         0 DocumentAttributeGetByDocumentTypeId     00   false 0 DocumentDetailGetByParentId   000000       0 DocumentStatusHistoryGetByFK       000000   0 DocumentVersionGetByFK   000000       0 DocumentLinkGetByFK   000000       0 DocumentGetById   000000       0 DocumentFileTypeGetById 7         0 DocumentStatusHistoryGetByFK       000000   0 DocumentVersionGetByFK   000000       0 DocumentLinkGetByFK   000000       0 DocumentGetById   000000       0 Here, I preserved storedProcedureName as reference.  Also note that when you sanitize sample data, any fake value with multiple zeros (0s) must be quoted in order to be valid JSON. To return the above, use JSON functions introduced in 8.1: | eval kvparams = json_object() | foreach parameters mode=json_array [eval kvparams = json_set(kvparams, json_extract(<<ITEM>>, "name"), json_extract(<<ITEM>>, "value"))] | spath input=kvparams | rename @* as * Here is a full emulation using the 12 events (with corrected JSON syntax) for you to play with and compare with real data. | makeresults format=json data="[ {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentFileTypeGetById\",\"commandText\":\"ref.DocumentFileTypeGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentFileTypeId\",\"value\":7}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentAttributeGetByDocumentTypeId\",\"commandText\":\"ref.DocumentAttributeGetByDocumentTypeId\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentTypeId\",\"value\":\"00\"},{\"name\":\"@IncludeInactive\",\"value\":false}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentDetailGetByParentId\",\"commandText\":\"ref.DocumentDetailGetByParentId\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentStatusHistoryGetByFK\",\"commandText\":\"ref.DocumentStatusHistoryGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentVersionId\",\"value\":\"000000\"},{\"name\":\"@IncludeInactive\",\"value\":\"\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentVersionGetByFK\",\"commandText\":\"ref.DocumentVersionGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentLinkGetByFK\",\"commandText\":\"ref.DocumentLinkGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentGetById\",\"commandText\":\"ref.DocumentGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8457543-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentFileTypeGetById\",\"commandText\":\"ref.DocumentFileTypeGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentFileTypeId\",\"value\":7}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentStatusHistoryGetByFK\",\"commandText\":\"ref.DocumentStatusHistoryGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentVersionId\",\"value\":\"000000\"},{\"name\":\"@IncludeInactive\",\"value\":\"\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentVersionGetByFK\",\"commandText\":\"ref.DocumentVersionGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentLinkGetByFK\",\"commandText\":\"ref.DocumentLinkGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]}, {\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentGetById\",\"commandText\":\"ref.DocumentGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]} ]" | fields parameters storedProcedureName | eval kvparams = json_object() | foreach parameters mode=json_array [eval kvparams = json_set(kvparams, json_extract(<<ITEM>>, "name"), json_extract(<<ITEM>>, "value"))] | spath input=kvparams | rename @* as * | fields - _* parameters kvparams   ... View more

Do you mean something like this? index=np source IN ("/aws/lambda/api-data-test-*") "responseTime" | eval source = if(match(source, "/aws/lambda/api-data-test-(.*)"), replace(source, "/aws/lambda/api-data-test-(.*)", "data/\\1"), source) | timechart span=1m count by source   ... View more

This is a very confusing search.  Is this some sort of homework?  The reason why I ask is because it is always better to describe what you are trying to achieve, what the data looks like, what is the desired results based on sample input, what is the logic between input and desired output.  This, as opposed to make volunteers read your mind based on some SPL snippets. ... View more

It is rare that I, or anyone here, recommends map command but this seems to be an appropriate use case if errors are rare and far in between. index=project1 sourcetype=pc1 log_data="*error*" | eval early = _time - 60, late = _time + 60 | map search="search index=project1 sourcetype=pc1 earliest=$early$ latest=$late$"   ... View more

You need to describe the logic from the input to the desired output.  There are at least two possible ways to match hostname1 and hostname2: Match by position.  This is the route @ITWhisperer takes. Match by hostname. If the requirement is to match by name, this is one way to do it. | foreach hostname1 hostname2 [eval matchhost = if(isnull(matchhost) OR mvcount(<<FIELD>>) > mvcount(matchhost), <<FIELD>>, matchhost)] | mvexpand matchhost | foreach hostname1 hostname2 [eval <<FIELD>> = mvindex(<<FIELD>>, mvfind(<<FIELD>>, matchhost))] | fields - matchhost ... View more