This worked for a test to detect when the string "404" exists in a web log, but not when it only exists in the status field. sourcetype=access_combined 404 | rex "(?<myterm>\b404\b)" max_match=0 | eval mycount=mvcount(myterm) | where mycount==1 AND status!=404 OR mycount>1 Adjust as needed. /k ... View more

To expand on the explanation given by somesoni2 (assuming that the first timestamp (writeTime) is extracted into the _time field, i.e. the splunk timestamp for the event); sourcetype=IDS | rex "at\s(?<eventTime>(\S+\s){5}\S+)$" | eval eventTime = strptime(eventTime, "%a %b %e %H:%M:%S %Y %Z") | eval timeDiff = _time - eventTime | stats avg(timeDiff) as avg_diff This will give you the average timeDiff in seconds (avg_diff = 6). If you want to you make avg_diff "look nicer", you add this to the end; | eval avg_diff = tostring(avg_diff, "duration") Now, avg_diff = 00:00:06 Hope this helps, K ... View more

What do you mean by 'CallFlow'? The string that includes the substring CallFlow, i.e. VoiceCallFlow, SpecialCallFlow etc? Or is it whatever comes between the call_id_ivr and the path to some .vox file, i.e. it does not necessarily contain the string 'CallFlow' at all? Is it only interesting to extract this piece of information for the first line of the three that make up the transaction? Here is an example (second rex ) that will extract what comes between the call_id_ivr and something that ends in .vox, so it will only be extracted for the first event in the transaction, as it's the only one containing ".vox"; host=*prod-ivr* | rex "FYI|(?<call_id_ivr>\S+)\" | rex "\s(?<CallFlow>\S+)\s\S+\.vox"| transaction call_id_ivr maxevents=3 startswith=vox endswith=GCEV_DISCONNECTED | rex field=_raw "(?<Prompt>(?i)[\w\s\(\)]*\.vox)" | top 40 Prompt Adjust your search as needed. /K ... View more