Not totally sure I understand, but if you're trying to get the 3rd array element of target which corresponds to the Workflow admin, then this little snippet will get the JSON for that array element | eval workflow_admin=spath(_raw, "target{}") | eval workflow_admin=mvmap(workflow_admin, if(tostring(spath('workflow_admin', "displayName"))="Workflows Administrator", 'workflow_admin', null())) There are probably a number of ways of getting at the JSON, but this works. Here's another way | eval workflow_admin=json_array_to_mv(json_extract(_raw, "target{}")) | eval workflow_admin=mvmap(workflow_admin, if(tostring(spath('workflow_admin', "displayName"))="Workflows Administrator", 'workflow_admin', null())) Once you have workflow_admin, you can manipulate/extract the fields as needed  ... View more

What should happen if the data is my_field_1 = "hello world" my_field_23 = "goodbye my friend" ... my_field_42 = "Look, a widget!" i.e. widget ONLY appears in the field you want to ignore ... View more

You didn't answer how long your search is running for - I didn't mean the time range, I mean the amount of time the search takes to run. Also, see the other questions. I'm suggesting you split out the searches just to experiment if both are giving the correct count when run individually in the dashboard AND in a manual search. If you shorten the time window do the results then work. You will need to provide more detail. Look at the search job properties and look at result count and scanCount.     ... View more

How long is your search taking - you are searching a 61 minute window in your outer search and a 5 hour window in your append. Is the search in your dashboard part of a base search? How long do each of the individual searches take and if you put both of those individual searches into a dashboard as individual searches, so they give the correct result counts vs. running it as a search directly. ... View more

Do NOT use eval for anything to set any value to "StandardizedAddressService bla bla bla" That is data that I understand is coming from your event - when you make that eval statement you are setting a field called msgTxt (in your example) to the value you give it. What is the name of your field that contains that phrase in your index=... search  You should extract the "event" field using the rex statement specifying the field you want to extract from, e.g | rex field=msgTxt blablabla and then just use the original SPL I posted at the beginning | spath input=event | rename AddressDetails{}.* as *, WarningMessages{} as WarningMessages | table Latitude Longitude WarningMessages after that. If you get something unexpected, add some more fields to the table statement at the end to show what those fields are ... View more

Can you post your exact search ... View more

Note: The 10 result limit for map is a soft limit, you can go more with the maxsearches=X setting, but again, map is rarely useful. Glad you got a working solution.   ... View more

Is your data JSON? If so, Splunk will only extract the first 5K of the JSON object in an event. I'm not totally sure if it has that 5k limit for other auto kv field extraction.   ... View more

transaction can silently ignore data, depending on data volume, time between start and end and you will not get any indication that data has been discarded. It's far better to use stats to group by id - which you appear to have. At the simplest level you can replace transaction with stats like this index=... ("SENDER[" OR ("RECEIVER[" AND "POST /my-end-point*")) | rex "\[(?<id>\d+)\]" | stats list(_raw) as _raw list(message) as message min(_time) as start_time max(_time) as end_time by id | eval duration=end_time - start_time, eventcount=mvcount(_raw) | eval request=mvindex(message, 0) | eval response=mvindex(message, 1) | table id, duration, count, request, response, _raw   ... View more

Why are you using wildcards if they are not necessary. Your data and your comments say the msg values are defined as  gemini:streaming:info:product:data:responseTime gemini:streaming:info:amaz:search:response:time (The data shows a slight difference in responseTime vs. response:time compared to your comment) Just use this type of search ... msg IN ("gemini:streaming:info:product:data:responseTime","gemini:streaming:info:amaz:search:response:time") ... View more

@onthakur  OK, got it, so you only want the events from dataset 2 where there is a matching event from dataset 1. In that case, you can do the stats and retain the X_App_ID using stats values(X_App_ID). I assume there is only ONE X_App_ID per correlation Id. Then you just filter out the unwanted correlation Ids from dataset 2 where there are no X_App_ID events joined. index=masapi (X_App_ID=ScamShield API_NAME=COMBINED_FEATURES NOT externalURL) OR (napResponseMapping) ``` The values(X_App_ID) retains the app id for those events in dataset 1 - which will only include ScamShield ``` | stats values(X_App_ID) as X_App_ID values(accountType) as accountType values(accountSubType) as accountSubType by X_Correlation_ID ``` and this will remove all the correlation ids that did not have a corresponding X_App_ID event in dataset 1 ``` | where isnotnull(X_App_ID)  Hope this helps ... View more

The _raw=... line is OUR example based on your data to demonstrate the solution. You MUST not include that in YOUR search, as it makes every event equal to that _raw value. ... View more

stats is always the way to join datasets together, please remove join from your toolkit, it can always be replaced with a better option and is not the Splunk way to do things. It has numerous side effects that can result in unexpected results, as you are seeing. @kamlesh_vaghela gives you an example of how to "join" using stats, but one other observation on your example is that you are using table which is a transforming Splunk command, so you should try to use this as late as possible in your SPL as this has consequences on where the data is maniuplated. If you are just looking to restrict the fields before an operation, use the fields command instead and note that in the stats example, you can still rename theX_Correlation_ID to ID after the stats command, which is a minor optimisation.   ... View more

Can you show your search, it seems that those numbers and warnings are the same as the example you gave - if that is what it is showing, then that is likely what the data contains. Can you show an example of a couple of messages and your search because the search will work - note that you should not include the eval _raw part, as that is just setting up example test data to show you how the rest of the search can work ... View more

You have made a number of errors with your field naming - you are mixing Logs and logs - to Splunk these are different fields, so in your first example you do | eval logs=case(count>0, "1", count=0, "2") | eval Status=case(Logs=1, "Green", Logs=2, "Red") where you are testing Logs in the second statement, but set logs in the first and in your latest post you do | fillnull logs which will create a lower case logs field with a value of 0, which you then immediately follow with a fillnull for Logs. So, take care with field names.  ... View more

Your event is a heading, followed by a JSON object, so one approach is to simply create a field extraction to extract the JSON object and then you have access to all the fields directly. This example shows what that would look like - the rex statement extracts the JSON inline, but you could do that as a calculated field. The spath parses the JSON | makeresults | eval _raw="StandardizedAddres SUCCEEDED - FROM: {\"StandardizedAddres\":\"SUCCEEDED\",\"FROM\":{\"Address1\":\"123 NAANNA SAND RD\",\"Address2\":\"\",\"City\":\"GREEN\",\"County\":null,\"State\":\"WY\",\"ZipCode\":\"44444-9360\",\"Latitude\":null,\"Longitude\":null,\"IsStandardized\":true,\"AddressStatus\":1,\"AddressStandardizationType\":0},\"RESULT\":1,\"AddressDetails\":[{\"AssociatedName\":\"\",\"HouseNumber\":\"123\",\"Predirection\":\"\",\"StreetName\":\"NAANNA SAND RD\",\"Suffix\":\"RD\",\"Postdirection\":\"\",\"SuiteName\":\"\",\"SuiteRange\":\"\",\"City\":\"GREEN\",\"CityAbbreviation\":\"GREEN\",\"State\":\"WY\",\"ZipCode\":\"44444\",\"Zip4\":\"9360\",\"County\":\"Warren\",\"CountyFips\":\"27\",\"CoastalCounty\":0,\"Latitude\":77.0999,\"Longitude\":-99.999,\"Fulladdress1\":\"123 NAANNA SAND RD\",\"Fulladdress2\":\"\",\"HighRiseDefault\":false}],\"WarningMessages\":[\"This mail requires a number or Apartment number.\"],\"ErrorMessages\":[],\"GeoErrorMessages\":[],\"Succeeded\":true,\"ErrorMessage\":null}" | rex "StandardizedAddres SUCCEEDED - FROM: (?<event>.*)" | spath input=event | rename AddressDetails{}.* as *, WarningMessages{} as WarningMessages | table Latitude Longitude WarningMessages Note that your AddressDetails is actually a JSON array, so in theory it could contain multiple results, so doing this with the JSON extraction will handle any possible case where you get more than one result in the address array. ... View more

I think you have your answer in other posts, but this is a good indication of asking the right question - including the "by day" also is an important point 🙂 ... View more

I am guessing this is data in a lookup file rather than event data - if you have event data you would already have a time stamp in the event which may or may not be the same as Timestamp. However, in your specific example, assuming no _time field, the just parse the Timstamp field and use stats latest to get the latest, i.e. | makeresults format=csv data="Name,Status,Timestamp ABC,F, 04/24/2025 15:30:03 ABC, R, 04/24/2025 15:15:01" | eval _time = strptime(Timestamp, "%m/%d/%Y %T") | stats latest(*) as * by Name ... View more

That doesn't sound right - are you referring to a multi-value field? | makeresults | fields - _time | eval value=split("ABC","") | search value=A AND value=C This search above will find a result for A and C, but if you change it to A and D it does not find results. Can you give an example of your results in the OR case ... View more

Note that this means when you select "All" it removes the other options if selected and vice versa, if you have All selected and choose one of the other options, it removes "All" from the list of selections. ... View more

To handle an 'All' static option in the multiselect, add this change element <change> <condition match="$form.webuser=&quot;*&quot;"> <set token="webuser"></set> </condition> <condition> <eval token="form.webuser">case(mvcount($form.webuser$)="2" AND mvindex($form.webuser$,0)="*", mvindex($form.webuser$,1), mvfind($form.webuser$,"^\\*$$")=mvcount($form.webuser$)-1, "*", true(), $form.webuser$)</eval> </condition> </change> ... View more