Hi @dsenapaty, when I have so many values to display in a dropdown list, I don't use a dropdown but a text box, because dropdown is too long to load and unuseful to search as dropdown. There's another solution but not always applicable if you can categorize your list so you can create two dropdowns in cascade. Ciao. Giuseppe ... View more

@gprice this worked for me perfectly. thanks for your answer. ... View more

Lots of ways to make things faster and more efficient. If you're looking to use that ms timing counter as a number, then you should extract it as a field. tstats will not give you data unless you're taking it from a datamodel, in which case, you will no doubt have extract fields by virtue of having passed it through the model. Efficient searching is about taking the minimum amount of data to satisfy the search, so give as many restrictive criteria as possible, then aggregate to reduce the data volume as much as possible. Dashboard efficiency can be achieved by using base searches https://docs.splunk.com/Documentation/Splunk/9.0.1/Viz/Savedsearches Another technique is to have a saved search that runs frequently and performs some aggregation of the large volume of data and then save that aggregated data back to a summary index and then your dashboard can search from the already created aggregations. As for extracing those ms values at search time, here's an example that will extract all the (*_TT:NNms) fields from your example line | makeresults | eval _raw="2022-09-11 22:00:59,998 INFO -(Success:true)-(Validation:true)-(GUID:68D74EBE-CE3B-7508-6028-CBE1DFA90F8A)-(REQ_RCVD:2022-09-11T22:00:59.051)-(RES_SENT:2022-09-11T22:00:59.989)-(SIZE:2 KB)-(RespSent_TT:0ms)-(Actual_TT:938ms)-(DB_TT:9ms)-(Total_TT:947ms)-(AppServer_TT:937ms)" | rex max_match=0 "\((?<fn>\w+)_TT:(?<tt>\d+)ms\)" | foreach 0 1 2 3 4 [ eval f=mvindex(fn, <<FIELD>>), tt_{f}=mvindex(tt, <<FIELD>>) ] | fields - fn tt f The first two lines set up your example and the last 3 lines extract those numbers and create field names tt_XX where XX is the name of the time taken field and the value is the time excluding milliseconds.   ... View more

These articles could help you: https://community.splunk.com/t5/Splunk-Search/Masking-data-using-regex-during-Indexing/m-p/319796 https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ... View more

@scelikok anyway to generate p99,p95,mean median values with this datasets ? Please help ... View more

The data as you have provided it will unfortunately not play well with PREFIX because after the numbers, there is "ms" which converts the value to a string, so we cannot do "p99"/avg, etc using PREFIX.   What you would have to do is pull out the Total_TT values as strings, using PREFIX, and then use rtrim() to remove the "ms" at the end, and then multiply the uique values of tota_tt by the number of times they come up, before doing the average/p99, etc. Something like the following should work: | tstats count where index=YOURINDEX sourcetype=YOURSOURCETYPE by PREFIX(total_tt:) | rename "total_tt:" as total_tt | eval total_tt=rtrim(total_tt,"ms") | eval total_tt_by_count=total_tt*count | stats avg(total_tt_by_count) as avg_total_tt p99(total_tt_by_count) as p99_total_tt median(total_tt_by_count) as median_total_tt   Let me know if that helps! ... View more

I recommend never putting anything under system/local that doesn't need to be there, because those settings will be out of reach for the deployment server/client. Best practice is to create your org's configuration in apps in a meaningful way and assign those apps to the systems that need it. For example, you'd have a org_fwdr_outputs app that contains all conf files needed for data forwarding to indexers and map that to all your endpoint hosts. You could similarily create an app for your JBoss logs, e.g. org_jboss_logs or sth like that and deploy that to hosts that run JBoss. It is very worthwhile spending some time thinking about groups of things to simplify your serverclass.conf file such that you don't end up with an unmanageable mayhem of host groups and apps. Every app can have it's own set of conf files that will override the system defaults. I strongly recommend studying this part of the documentation until you fully understand how the this conf system works. HTH! ... View more

Hello Dhevasenapathy, I believe this usecase can be achieved through Remediation Action. The following documentation has more information about it. Doc Link : https://docs.appdynamics.com/display/PRO45/Remediation+Actions ... View more

You can use inline field extraction. Add below configuration in props.conf. Fields are extracted whenever you search source=tomcat.txt . You can also use a sourcetype name in place of source name. props.conf [tomcat.txt] EXTRACT-myfields = \(Success:(?<Success>\w+)\)-\(Validation:(?<Validation>\w+)\)-\(F_TAG:(?<F_TAG>\w+)\)-\(CLIENT_ID:(?<CLIENT_ID>\w+)\)-\(Total_TT:(?<Total_TT>\w+)\)-\(AppServer_TT:(?<AppServer_TT>\w+)\) ... View more