Is this now fixed? (I am not sure what @PickleRick 's test commands (head 1000 etc.) are doing here though!) ... View more

Remove the dedup NB! This is reducing your events to one event per NB which is why you are only getting half your data! ... View more

Please share the search you are using for these results (my mind-reading abilities have been dulled by over-indulgence!) ... View more

Try replacing the table command with fields ... View more

As has been said here many times, it is best to avoid using join - this is a classic case of why join should be avoided. Try something like this index=sky sourcetype=sky_trade_murex_timestamp OR sourcetype=mx_to_sky ``` Parse sky_trade_murex_timestamp events (note that trade_id is put directly into the NB field) ``` | rex field=_raw "trade_id=\"(?<NB>\d+)\"" | rex field=_raw "mx_status=\"(?<mx_status>[^\"]+)\"" | rex field=_raw "sky_id=\"(?<sky_id>\d+)\"" | rex field=_raw "event_id=\"(?<event_id>\d+)\"" | rex field=_raw "operation=\"(?<operation>[^\"]+)\"" | rex field=_raw "action=\"(?<action>[^\"]+)\"" | rex field=_raw "tradebooking_sgp=\"(?<tradebooking_sgp>[^\"]+)\"" | rex field=_raw "portfolio_name=\"(?<portfolio_name>[^\"]+)\"" | rex field=_raw "portfolio_entity=\"(?<portfolio_entity>[^\"]+)\"" | rex field=_raw "trade_type=\"(?<trade_type>[^\"]+)\"" ``` Parse mx_to_sky events ``` | rex field=_raw "(?<NB>[^;]+);(?<TRN_STATUS>[^;]+);(?<NOMINAL>[^;]+);(?<CURRENCY>[^;]+);(?<TRN_FMLY>[^;]+);(?<TRN_GRP>[^;]+);(?<TRN_TYPE>[^;]*);(?<BPFOLIO>[^;]*);(?<SPFOLIO>[^;]*)" ``` Reduce to just the fields of interest ``` | table sky_id, NB, event_id, mx_status, operation, action, tradebooking_sgp, portfolio_name, portfolio_entity, trade_type, TRN_STATUS, NOMINAL, CURRENCY, TRN_FMLY, TRN_GRP, TRN_TYPE, BPFOLIO, SPFOLIO ``` "Join" events by NB using stats ``` | stats values(*) as * by NB ... View more

Subsearches are limited to 50,000 events which could account for the missing matches - try reducing the timeframes - do the matches appear then? ... View more

If there are results for the trade_id/NB in both searches, then it is possible that the rex has not extracted the fields as you expect. Please share the two events which don't match ... View more

Sorry I miscounted, it does look right - the issue here is that the trade_id does not match the first field in the mx_to_sky event ... View more

Your regex assumes (insists!) that the event has 9 fields separated by (8) semi-colons - your sample data has only 8 fields separated by 7 semi-colons. ... View more

Since the first part is just determining values for earliest and latest, you might be able to avoid map like this index=edwapp sourcetype=ygttest is_cont_sens_acct="是" [search index=edwapp sourcetype=ygttest is_cont_sens_acct="是" | stats earliest(_time) as earliest_time latest(_time) as latest_time | addinfo | table info_min_time info_max_time earliest_time latest_time | eval earliest_time=strftime(earliest_time,"%F 00:00:00") | eval earliest_time=strptime(earliest_time,"%F %T") | eval earliest_time=round(earliest_time) | eval searchEarliestTime2=if(info_min_time == "0.000", earliest_time, info_min_time) | eval searchLatestTime2=if(info_max_time="+Infinity", relative_time(latest_time,"+1d"), info_max_time) | eval earliest=mvrange(searchEarliestTime2,searchLatestTime2, "1d") | mvexpand earliest | eval latest=relative_time(earliest,"+7d") | where latest <=searchLatestTime2 | eval latest=round(latest) | fields earliest latest] | dedup day oprt_user_name blng_dept_name oprt_user_acct | stats count as "fwcishu" by day oprt_user_name blng_dept_name oprt_user_acct | eval a=$a$ | eval b=$b$ | stats count as "day_count",values(day) as "qdate",max(day) as "alert_date" by a b oprt_user_name,oprt_user_acct " maxsearches=500000 | where day_count > 2 | eval alert_date=strptime(alert_date,"%F") | eval alert_date=relative_time(alert_date,"+1d") | eval alert_date=strftime(alert_date, "%F") | table a b oprt_user_name oprt_user_acct day_count qdate alert_date   ... View more

Try this expression ("|)Rule:\s*(?P<Rule>.*?)\1,\d ... View more

Try something like this (I am not sure if you need click.value2, value, name or name2 though, you would need to experiment <drilldown> <condition match="$click.value2$=&quot;AAA&quot;"> <set token="ModuleA">true</set> <unset token="ModuleOther"></unset> </condition> <condition> <unset token="ModuleA"></unset> <set token="ModuleOther">$trellis.value$</set> </condition> </drilldown> ... <!-- panel A is opened --> <panel depends="$ModuleA$"> ... </panel> <!-- panel Other is opened --> <panel depends="$ModuleOther$"> ... </panel> ... View more

Assuming your event are as you have shown, you could do this | spath | table _time *.pct2ResTime | untable _time transaction pct2ResTime | eval "Transaction Name"=mvindex(split(transaction,"."),0) | table "Transaction Name" pct2ResTime If not, please share a more accurate representation of your events, preferably in a code block (as above) to preserve the formatting of the data. ... View more

Have you tried using spath? ... View more

OK, so what information do you have in Splunk? ... View more

What information do you have in Splunk? Which system is the user locked out of? ... View more

Please share your two searches (in code blocks) ... View more

What information do you have available to you to help you determine this? ... View more

Sounds like the file names don't completely match or perhaps the TargetLocation event doesn't have it in? Is it always the same file or at least file position e.g. always the last in the list? Or possibly files after a particular point in the XML message. Without being able to see your data, it is a bit difficult to determine what might be wrong. ... View more

Assuming you already have filenames extracted, then try something like this | eval file_name=coalesce('FileTransfer.FileName', file_name) | stats values(eval(if(sourcetype="filecopy",_time,null()))) as FileCopyLocation values(eval(if(sourcetype="transfer",_time,null()))) as TargetLocation by file_name | eval FileCopyLocation=strftime(FileCopyLocation,"%F %T") | eval TargetLocation=strftime(TargetLocation, "%F %T") | fillnull TargetLocation value="Pending" ... View more

| eval Device=Device_name.":".src_ip | table Device state_to count primarycolor secondarycolor info_min_time info_max_time ... View more

You could change the name of the script so that the browser sees it as a different file. ... View more