Below should work. It pulls in both data sets by putting an OR between the two strings to search for. Then performs the 2 rex commands, either of which only applies to the event type it matches. Then we want to take all the events from the first log type plus the events from the second type that match field6 = "direct" . index=* host=* "LOG_RESPONSE" OR "LOG_QUERY" | rex ".*LOG_RESPONSE \|\| (?<id>.+) \|\| (?<sequence>.+) \|\| (?<field1>.+) \|\| (?<field2>.+) \|\| (?<field3>.+) \|\| (?<field4>.+) \|\| (?<result>.+).*" | rex ".*QUERY \|\| (?<id>.+) \|\| (?<sequence>.+) \|\| (?<field1>.+) \|\| (?<field2>.+) \|\| (?<field3>.+) \|\| (?<field4>.+) \|\| (?<field5>.+) \|\| (?<field6>.+)\|\| (?<result>.+).*" | search "LOG_RESPONSE" OR field6 = "direct" If there are nicer ways to recognize the "LOG_RESPONSE" events, rather than from that string, you can change the | search ... part accordingly. ... View more

But this will give the top 20 overall while I want the top 10 or 20 for each timespan of the 1 month period. ... View more

@AshimaE, can you please test and confirm whether the suggested change works for you? ... View more

@AshimaE, can you please test and confirm whether the suggested change worked for you? ... View more

Glad it worked!!! 🙂 ... View more

@AshimaE, please confirm whether this helps with your issue or not. Provide us with more details if this is not useful. ... View more

Thanks for the help. This works perfectly fine for all the cases now. Except 1 case wherein neither of the three columns had any events in the chosen time duration. Even if there is 1 event in any 1 it is working. Any way to handle this corner case more gracefully so that the visualization/table is easier to use. Thanks ... View more

If you want to average the samples in every 15m interval ... | bin _time span=15m | stats avg(Value) as Value by _time host If you want the first event out of every 15 minute interval and you know there will always be one... ... | bin _time as Time span=15m | stats earliest(Value) as Value by Time host ... View more

Hi @AshimaE, I have converted my comment to Answer, please Accept if it helped. In the Regular Expression you can handle decimal as well (if you want to perform floating number validation). ... View more

Okay, there are a couple of different potential sources of issues. The first, as pointed out by @jplumsdaine22, is the misspelling of _time. The second potential issue is if any records have null du. (By the way, for form's sake, if nothing else, I'd include quotes around "disk./.used") Just as an efficiency thing, I'd also drop all unneeded fields before the sort. If you expect to receive a record every 15 minutes, then I would probably bin the time into 15m increments in order to align all the hosts. That allows you to drop in records to calculate and pick up any missing chunks (see the appendpipe ). index=foo ... | table _time host "disk./.used" | rename "disk./.used" as du | bin _time span=15m | appendpipe [| stats values(host) as host values(_time) as _time | eval du = -1.00] | stats max(du) as du by host _time | eval du=if(du<0,null(),du) | streamstats current=f last(du) as prevdu by host | eval du=coalesce(du,prevdu) | where isnotnull(prevdu) | eval useddu = du - prevdu | eval velo = useddu/15 | table host _time du prevdu useddiff velo You'll notice we're using last instead of values - that allows us not to set a window . We're setting a negative default and using max so that, if any record was received for a _time bucket, then that value will be used, otherwise we will null it out and eventually use whatever the last value we had was. Now, this version won't have the holes coming out of it that your prior version did, and if the du was null, it will get filled in, but if there is something in your system that is spitting bad data, we've wallpapered over it and hidden it from view. It might be best to work incrementally on your code in order to identify exactly what caused the problem, before implementing something like this. ... View more

Though most of the time it is desirable to have multiple hosts on the same chart, I do see occasional urge for individual charts - on a dashboard. (Especially when you have many hosts. Same goes with some other metrics.) In fact I had proposed this for my previous group who wanted such a separation-aggregation. I didn't implement this but here's my proposed solution: Compose the XML elements for each of the charts you want to produce using tstats , then incorporate the output into your dashboard source. Obviously this will have severe limitations if the number of hosts grows very fast and you'll have to update your dashboard constantly. But for many environments, this should suffice. | tstats count by host where index=abc sourcetype=def | eval Panel=" <row> <panel> <chart> <title>Chart for " + host + ": avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=" + host + " earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row>" | table Panel Output would look like these: <row> <panel> <chart> <title>Chart for host1: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host1 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> <row> <panel> <chart> <title>Chart for host2: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host2 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> <row> <panel> <chart> <title>Chart for host3: avg(cpuUse)</title> <search> <query> index=abc sourcetype=def host=host3 earliest=-6h |timechart avg(cpuUse) </query> </search> </chart> </panel> </row> Note the output is "flattened" in terms of line breaks and indentations so you may want to employ some pretty-print for readability in the final dashboard source. (You can still use the output as is, just not as pretty.) ... View more

Hi @AshimaE, sorry but I'm not too sure what you are asking for here. What is it exactly that you are trying to achieve? Can you give me an example? ... View more

@somesoni2 I tried a similar thing. On using two evals it is giving the error Error in 'eval' command: Regex: quantifier does not follow a repeatable item I need to need to replace two different original character sequences with the same replacement character. ... View more

@AshimaE - This code assumes that message IDs are relatively unique across the time you will be running the query: index=myindex "searchQuery" ("<messageId>" OR "<refToMessageId>") [search index=myindex "searchQuery" "<messageId>" | rex "\<messageId\>(?<myMsgId>[^\<]+)" | where isnotnull(myMsgId) | rex field=_raw "(?<fldDay>[\d-]{10}).*\s[\s[a-zA-Z0-9-\:.]" | dedup 5 fldDay | table myMsgId | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/myMsgId=//g" ] | rename COMMENT as "The above subsearch checks only one type of record and grabs the first five MsgIds for each day." | rename COMMENT as "then only records with that MsgId somewhere in them will be returned from the main search." | stats earliest(_time) AS startTime, latest(_time) AS endTime, count as TotalEvents by fldDay, myMsgId | where TotalEvents = 2 | eval responseTime=endTime-startTime | stats avg(responseTime) as avgResponseTime by fldDay However, if you are going to be running this kind of search across any great span of time, then you probably should consider creating a summary index. Sampling the first five events for each day -- which in practice will be the LAST five events, since splunk retrieves in reverse chron order -- is a VERY blunt instrument, not at all valid statistically. At the very least, I'd consider some kind of sampling protocol, like this. The number 769 can be just any reasonably large number, less than abut 15% of your expected daily volume if you want 5 samples, but I happen to prefer odd primes... [search index=myindex "searchQuery" "<messageId>" | eval my1in769sample= random()%769 | where my1in769sample==0 | rex "\<messageId\>(?<myMsgId>[^\<]+)" | where isnotnull(myMsgId) | rex field=_raw "(?<fldDay>[\d-]{10}).*\s[\s[a-zA-Z0-9-\:.]" | dedup 5 fldDay | table myMsgId | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/myMsgId=//g" ] ... View more

Nice! Worked well! ... View more

Could you explain what current=f is used for here. Also last(x) takes us to the oldest entry for that s isn't it. so how is it being used here exactly. sorry for the naive doubts. im still a newbie. ... View more