tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName" | rex field=message "\<DECFirstName\>(?<Message>.*)\</DECFirstName\>" | rex field=message "\<FirstName\>(?<Fname>\w+)" | rex field=message "\<LastName\>(?<Lname>\w+)" | rex field=message "\<MaritalStatus\>(?<Married>\w+)" | dedup Married Fname Lname mdc.QuoteID | join mdc.QuoteID [search tag=autoexpress_prod level=debug mdc.InvocationName=recordBillingAccount "webservice request XML" | rex field=message "\<bil:externalPolicyNum\>(?<PolicyNumber>.{0,12})"] | rename mdc.State as State, mdc.QuoteID as QuoteID | table _time, PolicyNumber, State, Fname, Lname, Married, Message | sort 0 Fname Lname | streamstats count by Fname Lname QuoteID | eventstats max(count) as keep by Fname Lname | search keep=2 Here, sorry about that. I tried the fix, and it seemed to work, But i think the issue appears when i add the sorting function to it. For some reason the DECFirstName field makes the code drop results. ... View more

2017-06-16 11:30:51.210 DE 99999999 JONATHAN Snow Single 2017-06-16 11:30:39.948 AL 99999999 Kevin SMITH Single 2017-06-16 11:30:30.482 VA 99999999 AMANDA Bynes Divorced 2017-06-16 11:30:29.844 IL 99999999 Good MORALES Divorced Here are a few examples ... View more

Thanks for the input! Seems to be working just fine for your data, still doesnt seem to be filtering out the customers that didnt change their marital status on my end unfortunately. Idealy we want it to detect and display customers info if they changed their marital status from what they previously had it, like your's does. ... View more