Hello! I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search and report the difference in times between the events. However I'm struggling to either make the multisearch work with map, or multireport/append work in a panel, even though those searches work just fine in the regular search bar. To give you an idea, I have the failed multisearch (which doesn't work due to me using map): | multisearch [| search index=index1 "First text string"] [| search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference  Obviously this doesn't work due to non-streaming commands, but multireport does, however it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message: | multireport [| search index=index1 "First text string"] [| search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference The other option is append which once again works in the regular search but not in the panel search: index=index1 "First text string" | append [ search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference I've been  trying to find a way to do this but with no luck - if anyone has anything they can spot or advise that would be greatly appreciated. Thank you! ... View more

Hi there  We presently have a setup where error codes are extracted and put into their own field.  The way it's been setup is that we extract all instances where it matches a certain regex pattern (e.g. "ERROR-" -> ERROR-1234, ERROR-5869 etc) meaning as the error code is repeated in the event we get multiple instances of the same item in the field (e.g. "ErrorField" = ERROR-1234, ERROR-1234, ERROR-5869). Doing 'stats count by ErrorField' seems to return all items, even the ones that are repeated as we'd get ERROR-1234 = 700 on the stats count, but a simple search where ErrorField=ERROR-1234 returns say 300 events only. I've tried to come up with a way to filter out the duplicates in the search but have so far come up short.  My two possibles are creating a table of field instances, and then using that to launch a second search, or performing a sub search to capture the unique fields that are then used to count the events by field.  What I have so far is as follows: index=index ErrorField="*" | stats count by ErrorField | replace ERROR-X-* with ERROR-X- in ErrorField | where count > 200 AND ErrorField!="ERROR-X-" | table ErrorField In short I've got a search that counts, then does a replace/where to weed out values below a certain threshold/don't match a certain criteria then putting what remains in a table.  It's the results from this table I want to use in the next search and count the total events for each item in that table, but have so far failed to be able to do this. Is this possible to do, and is there a right way to do this, either continuing with the method above or using a subsearch?  Alternately is it possible to remove duplicates in the original field extraction so this isn't necessary?  Although that option may not be possible as the field extraction isn't handled by ourselves and I can't say too much about it. Thank you! ... View more