Something like this: | makeresults | eval host="sender" | eval raw = mvappend("2024-12-18 17:02:50 , file_name=XYZ.csv, file copy success", "2024-12-18 17:02:58, file_name=ABC.zip, file copy success", "2024-12-18 17:03:38, file_name=123.docx, file copy success", "2024-12-18 18:06:19, file_name=143.docx, file copy success") | append [ | makeresults | eval host="receiver" | eval raw = "2024-12-18 17:30:10 <FileTransfer status=success> <FileName>XYZ.csv</FileName> <FileName>ABC.zip</FileName> <FileName>123.docx</FileName> </FileTransfer>" ] | mvexpand raw | rename raw AS _raw | rex "^(?<_time>\S+\s+\S+)" | eval _time = strptime(_time, "%Y-%m-%d %H:%M:%S") | rex max_match=0 "(?ms)(\<FileName\>|file_name=)(?<FileName>.*?)(\<|,)" | rex "(<FileTransfer status=\"?|file copy )(?<status>[^\"\>]+)" | stats list(status) AS status_list list(host) AS host_list dc(host) AS hosts values(status) AS status BY FileName | where hosts==1 OR status="fail*" ... View more

Filenames match exactly. Targetlocation has the file name. Like I have it in my example the file names are different. It is not related to position. When  modify the stats to  values(file_name) i get results but it is so weird results   ... View more

I think the addition of a few evals can account for the error line as well. Maybe something like this? <base_search> | rex field=_raw "Processing\s+(?<process>[^\-]+)\-" | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\," | sort 0 +_time | streamstats reset_before="("isnotnull(process)")" values(process) as current_process | streamstats window=2 first(_raw) as previous_log | rex field=previous_log "Person\s+Name\:\s+(?<previous_log_person_name>[^\,]+)\," | eval checked_person_name=if( match(previous_log, "\-Check\s+for\s+Person\-"), 'person_name', null() ), status_error_person=if( match(previous_log, "Person\s+Name:\s+") AND match(_raw, "\-error\s+in\s+checking\s+status"), 'previous_log_person_name', null() ) | stats min(_time) as _time by current_process, status_error_person | fields + _time, current_process, status_error_person ... View more

| rex field=fullfilename "(?<filename>[^\.\s]+)(?<event>\.pdf|\-success\.csv)$" You could also add | fillnull value="Pending" receivedTime fileReceived ... View more

Hi, You can configure your requirements in a query. You have to manage your query in such a way that when a search of alert runs holidays it should return 0 events. You can use addinfo and lookup commands. If you are satisfied with a comment then please upvote it. Thanks, Bhavik ... View more

Yes!! No doubt you are an Expert! Thank you! ... View more

It cannot be. You do fields _time trackingStr and then you do BY number and because you dropped the number field, your search will have no events from that point on. You really need to get your story straight on this. Every time you add a requirement, I have addressed it only to see you add another requirement. Now you have several different answers that have evolved way into the weeds and still nothing that works. Take a step back and add a comment to your Question that completely restated your actual requirements. Ideally this will include both sample events and a mockup of the desired outcome (with sample events that are well-constructed to demonstrate the shortfalls of the some of the partial solutions). At this point, I cannot really continue without a full reset. ... View more