Understood.  When I say to use Splunk's mature/robust solution, it doesn't mean it has to happen inside Splunk.  All you need is to use the regex that Splunk has QA tested for you.  The regex in Splunk's transformation url is this: (?<url>[[alphas:proto]]://(?<domain>[a-zA-Z0-9\-.:]++)(?<uri>/[^\s"]*)?) Here is the same test, except I substitute  the transform with the above regex. | makeresults format=csv data="_raw http://www.google.com/search?q=what%20about%20bob https://yahoo.com:443/ ftp://localhost:23/ ssh://1234:abcd:::21/" | rex "(?<url>[[alphas:proto]]://(?<domain>[a-zA-Z0-9\-.:]++)(?<uri>/[^\s\"]*)?)" | rex field=domain "(?<domain>.+)(?::(?<port>\d+))$" | rename proto as scheme (Because rex command requires double quote, I have to escape the double quote inside the uri group.)  It gives the exact same valid results that you want: _raw domain port schema uri url http://www.google.com/search?q=what%20about%20bob www.google.com   http /search?q=what%20about%20bob http://www.google.com/search?q=what%20about%20bob https://yahoo.com:443/ yahoo.com 443 https / https://yahoo.com:443/ ftp://localhost:23/ localhost 23 ftp / ftp://localhost:23/ ssh://1234:abcd:::21/ 1234:abcd:: 21 ssh / ssh://1234:abcd:::21/ ... View more

| inputlookup append=t myhosts.csv Good suggestion.  I always forget the append option🙂 ... View more

Tried this, but I get a new row in table3.csv That is exactly what appendpipe is supposed to do.  If this is not acceptable, do not use appendpipe.  Have you tried fillnull @gcusello and I have suggested? ... View more

Make sure to apply fillnull before table | inputlookup table3.csv | fillnull field1,field2,comment3 value=- | table field1,field2,comment3 | outputlookup table3.csv   ... View more

Use spath and mvexpand | spath path=audit_details.audit.details.detail{} | mvexpand audit_details.audit.details.detail{} | spath input=audit_details.audit.details.detail{} | fields - audit_details.audit.details.detail{}* Your would give app_name audit_details.audit.name audit_details.audit.responseContentLength messageId ordinal time my_app app_name -1 -4 0 1752065281146 my_app app_name -1 7103 1 1752065281146 my_app app_name -1 7101 2 1752065281146 Here is an emulation for you to play with and compare with real data | makeresults | fields - _time | eval _raw = "{ \"app_name\": \"my_app\", \"audit_details\": { \"audit\": { \"responseContentLength\": \"-1\", \"name\": \"app_name\", \"details\": { \"detail\": [{ \"messageId\": \"-4\", \"time\": \"1752065281146\", \"ordinal\": \"0\" }, { \"messageId\": \"7103\", \"time\": \"1752065281146\", \"ordinal\": \"1\" }, { \"messageId\": \"7101\", \"time\": \"1752065281146\", \"ordinal\": \"2\" } ] } } } }" | spath ``` data emulation above ``` ... View more

Suppose you have a lookup called myhosts.csv; it has a field called host.  You use this as primary input, then find which host has zero count compared with index search. | inputlookup myhosts.csv | append [search index=sw tag=MemberServers sourcetype="windows PFirewall Log" | stats count by sourcetype,host] | stats values(sourcetype) as not_missing by host | where isnull(not_missing)   ... View more

Is there any specific reason why you must use your own regex to extract domain?  There are much more mature/robust algorithms, including Splunk's built-in transforms, e.g., url: | extract url | rex field=domain "(?<domain>.+)(?::(?<port>\d+))$" | rename proto as scheme (The url transform results in a field named "domain" that contains both domain and port. This is why I add a second extraction to separate port from domain. It also gives a field "proto" which you call scheme.) Here are some mock data for you to play with and compare with real data | makeresults format=csv data="_raw http://www.google.com/search?q=what%20about%20bob https://yahoo.com:443/ ftp://localhost:23/ ssh://1234:abcd:::21/" ``` data emulation above ``` They should give _raw domain port q scheme uri url http://www.google.com/search?q=what%20about%20bob www.google.com   what%20about%20bob http /search?q=what%20about%20bob http://www.google.com/search?q=what%20about%20bob https://yahoo.com:443/ yahoo.com 443   https / https://yahoo.com:443/ ftp://localhost:23/ localhost 23   ftp / ftp://localhost:23/ ssh://1234:abcd:::21/ 1234:abcd:: 21   ssh / ssh://1234:abcd:::21/ ... View more

Agree with @PickleRick that you need to clearly demonstrate raw data because the I don't think your raw log looks like what you show.  Is it more like the following? name|fname|desc|group|cat|exp|set|in abc|abc||Administrators;Users|S||1|1 bbb|bbb|Internal||N||2|2 ccc|ccc|MFT Service ID|Administrators;Users|S||3|3 In other words, it is multiline pipe (|) delimited text with a header line. (Like default table list from many SQL DBMS's.) The format shown in your original description cannot be reliably processed. If my speculation about your raw data is correct, you first change delimiter to comma, then use multikv to extract from the table, like this: | rex mode=sed "s/\|/,/g" | multikv forceheader=1 | table name fname desc group cat exp set in  Here is an emulation for you to play with and compare with real data: | makeresults | fields - _time | eval _raw = "name|fname|desc|group|cat|exp|set|in abc|abc||Administrators;Users|S||1|1 bbb|bbb|Internal||N||2|2 ccc|ccc|MFT Service ID|Administrators;Users|S||3|3" ``` data emulation above ``` Output from this emulation is name fname desc group cat exp set in abc abc   Administrators;Users S   1 1 bbb bbb Internal   N   2 2 ccc ccc MFT Service ID Administrators;Users S   3 3 ... View more

The OP is quite old.  It is possible that there was a bug in 9.2.3 that caused selectFirstSearchResult to not take effect.  I can confirm @tej57 's observation that the sample code behaves exactly as you asked in 9.4, too.       ... View more

Indeed lookups often end up with multivalue.  You need to make sure that every field to include have equal number of values. Usually I am in favor of JSON like in @livehybrid 's suggestion, although it should not be that complex; especially, one should not compose JSON with string.  More on JSON later.  There is an even simpler approach if you can enumerate fields to include: multikv.  No mvexpand needed.  Here is how: | eval _raw = mvappend("FunctionGroup,MsgNr,alarm_severity,area,equipment", mvzip(mvzip(mvzip(mvzip(FunctionGroup,MsgNr, ","), alarm_severity, ","), area), equipment, ",") ) | multikv forceheader=1 | fields - _raw linecount The idea is to compose a CSV table with mvzip, then extract from this table.  If composing nested mvzip is too much, or if you cannot easily enumerate fields to include, you can add foreach to your arsenal: | rename FunctionGroup as _raw | eval header = "FunctionGroup" | foreach MsgNr,alarm_severity,area,equipment [ eval _raw = mvzip(_raw, <<FIELD>>, ","), header = header . "," . "<<FIELD>>"] | eval _raw = mvappend(header, _raw) | multikv forceheader=1 | fields - _raw header linecount  Now, back to JSON - in this use case, it is more involved than multikv.  Again, with help of foreach and provided that your Splunk version is 8.1 or later, this is a semantic way to do it: | eval jcombo = json_object() | eval idx = mvrange(0, mvcount(FunctionGroup)) | foreach FunctionGroup MsgNr alarm_severity area equipment [ eval jcombo = json_set(jcombo, "<<FIELD>>", mvindex(<<FIELD>>, idx))] | fields - FunctionGroup MsgNr alarm_severity area equipment | mvexpand jcombo | fields - idx jcombo Of course, you can also do this without foreach. ... View more

Is this the result you are looking for? ID billing_date code latest(cost) _time 10001 2025-05-01 product2 135.75 2025-05-02 10:15:00 10001 2025-05-01 product3 155.00 2025-05-02 13:30:00 10001 2025-06-01 product1 102.50 2025-06-01 08:10:00 10001 2025-06-01 product2 130.75 2025-06-02 10:15:00 10001 2025-06-01 product3 150.00 2025-06-02 13:30:00 dedup with perfect sort as @PickleRick suggests should work.  Another way is to simply use stats as I originally suggested: | stats latest(cost) max(_time) as _time by ID billing_date code   ... View more

First, the mock data doesn't seem to agree with "update cost daily".  Wouldn't the following make more sense? bill_date ID Cost _time 6/1/25 1 1.24 2025-06-16 09:42:41.282 6/1/25 1 1.4 2025-06-06 09:00:41.282 5/1/25 1 2.5 2025-05-25 09:42:41.282 5/1/25 1 2.2 2025-05-15 09:00:41.282 5/1/25 2 3.2 2025-05-14 09:42:41.282 5/1/25 2 3.3 2025-05-04 09:00:41.282 3/1/25 1 4.4 2025-03-23 09:42:41.282 3/1/25 1 5 2025-03-18 09:00:41.282 3/1/25 2 6 2025-03-13 09:42:41.282 3/1/25 2 6.3 2025-03-03 08:00:41.282 Secondly, when you say latest event "of the month", I assume "month" can be represented by bill_date.  Is this correct? This is the search you need: | stats latest(Cost) as Cost by bill_date ID ... View more

You need to clarify a fundamental gap in your problem: What determines that it is instance3.com that is missing Search execution time, and not instance1.com, instance2.com, or any other Instance name?  Without a definitive condition, your task is an impossible one. ... View more

As I always say, do not treat structured data like text.  split is not the tool for this job.  @gcusello suggests INDEXED_EXTRACTION and a way to set up extraction in props.conf.  Short of these, you can also use multikv | multikv   ... View more

As @bowesmana points out, join is not the correct approach.  @livehybrid gives a logic that implements your requirements.  But the implementation inherits some convoluted logic in your original attempt. (The use of tstats requires that field System_Name is the same as host or is otherwise extracted at index time.  But your original SPL seems to imply the opposite.  I will not make such assumption below.) Your original expression | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200,"MISSING","GOOD") really just says a System contained in system_info.csv is MISSING if no matching System_Name appears in sourcetype log, or a matching System_name appears in sourcetype log but is more than 2 hours ago. Is this correct?  There should be no need to even evaluate last_seen_ago_in_seconds if you simply filter search with earliest=-2h which is more efficient, too.  Additionally, the field MISSING is unnecessary in the table because it will always have value "MISSING" according to your logic. Here is a much simplified logic: index=servers sourcetype=logs earliest=-2h | stats latest(_time) as Time by System_Name sourcetype | append [inputlookup system_info.csv | fields System Location Responsible ``` ^^^ only necessary if there are more than these three fields ``` | rename System as System_Name] | stats values(sourcetype) as _last2hours values(Location) as Location values(Responsible) as Responsible by System_Name | where isnull(_last2hours)   ... View more

It shows that you think like SQL.  The API version in your examples is the easiest to extract in Splunk. (In fact, in any modern language other than SQL.) And using case function is about the most complicated method.  @livehybrid and @richgalloway suggested regex.  There is an even simpler and perhaps cheaper method: | eval version = mvindex(split(API_RESOURCE, "/"), 1)   ... View more

Two problems with your regex. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match. As @livehybrid notes, your original string includes a pair of square brackets. A usable code to extract "apple" from "This is my [apple]" would be | rex "This is my \[(?<string>[^\]]+)\]" | stats count by string Note: _raw is the default field for rex command. .* at beginning and end of a regex serves no purpose except adding cost. ... View more

Do you know your application path always starts with /experience?  If so, @livehybrid 's method should work, just replace url with uri. index="my_index" uri="*/experience/*" | rex field=uri "(?<uniqueURI>/experience/.*)" | stats count as hits by uniqueURI | sort -hits | head 20  If not, you can enumerate, or use some other methods to determine the beginning of application path. ... View more

You will need some compromise one way or another.  Any specific reason why array_field{} is unacceptable?  If anything, you can use field alias to allow use of array_field.  Alternatively you can use calculated field to alter a key-value entry ("classic"), e.g., comma_delimited_field="1,2", then use split to calculate array_field. ... View more

In addition to @Prewin27's breakdown method, I can suggest relative_time to take advantage of Splunk's format strings. | eval offset = replace('Time', "Ended: (\d+d)(\d+h)(\d+m)(\d+s)", "+\1+\2+\3") | eval time_sec = relative_time(0, offset) relative_time's offset requires a + or a - before every time unit.  So, we transform 0d1h55m0s to +0d+1h+55m. ... View more

There are several ways to do this.  A traditional method is to backfill every day. index IN (index1, index2, index3, index4) | bin span=1d _time | chart count _time over index | append [ makeresults | timechart span=1d@d count | fields - count] | stats values(*) as * by _time | fillnull Note I replaced your last line with fillnull. (This command is worth learning.) Another somewhat sneaky way to do this depends on the real stats you perform.  If it is simple stats such as count, you can just "sneak in" something that always have some value, such as index _internal. index IN (index1, index2, index3, index4, _internal) | bin span=1d _time | chart count _time over index | fields - VALUE_internal | fillnull ... View more

Instead of computing month before xyseries, it's better to carry _time into xyseries and use transpose to get your final layout.  Unlike xyseries, transpose preserves row order into column order. But then, given that you only have one prescribed "source", I wonder if xyseries and streamstats are a waste.  How about | tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand where (Message_Log.filter.routeDirection="inbound") AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*") earliest=-6mon@mon latest=now by _time span=1month@month | eval Month=strftime(_time, "%b") | transpose header_field=month column_name=Source | eval Source = "Email" | fillnull value=0 | addtotals Here, I removed the first stats sum because by using span=1mon@mon in tstats, that calculation is already done.  I also removed eventstats and streamstats because total on row is more easily performed with addtotals. ... View more

@bowesmana and @Prewin27 give you two different approaches.  I will put a different spin on Prewin27's append method. (BTW, there should be no need to sort by _time after timechart.)  To avoid searching the same data multiple times, I use map. In the following example, I simplify interval split by restricting total search window to -1d@d - -0d@d. | tstats count where index=_internal earliest=-1d@d latest=-0d@d | addinfo ``` just to extract boundaries ``` | eval point1 = relative_time(info_min_time, "+7h"), point2 = relative_time(info_min_time, "+17h") | eval interval = mvappend(json_object("earliest", info_min_time, "latest", point1), json_object("earliest", point1, "latest", point2), json_object("earliest", point2, "latest", info_max_time)) | mvexpand interval | spath input=interval | eval span = if(earliest == point1, "10m", "1h") ``` the above uses prior knowledge about point1 and point2 ``` | map search="search index=_internal earliest=$earliest$ latest=$latest$ | timechart span=$span$ count" Obviously if your search window is not one 24-hour period, interval split becomes more complex.  But the same logic can apply to any window. ... View more