Hi, I have a dataset like below: Date             Rsource status  10:00:00     A                Success 10:00:00     B                Success 10:00:01     A                Failure 10:00:02     A                Failure 10:00:02    C                Failure 10:00:02     B               Failure 10:00:02     A                Success 10:00:03     B                Success 10:00:03     A                Failure 10:00:04     A                Failure 10:00:04    C                Failure 10:00:04     B               Failure I am working on metric where by if we have more than n number of consecutive errors in 30s then those need to be recorded. output in formart like below: lets say in the above example we need it for more than 2 consecutive errors it should look something like this Min_Time Max_time resource status count 10:00:01 10:00:02  A    2 10:00:03 10:00:04  A    2 I am trying to use combination of streamstats/eventstats nothing seems working. any help would be much appreciated. one of the examples I tried below mysearch | eval OccurenceDate=strftime(_time,"%Y-%m-%d %H:%M:%S") | streamstats time_window=30s global=true min(OccurenceDate) as start max(OccurenceDate) as end count as numberofstatus BY status,resource_id reset_on_change=true|table start,end,start,resource,numberofstatus |streamstats first(start) as f_start last(end) as l_end max(numberofstatus) AS max_numberofstatus by code reset_on_change=true| table f_start,l_end,max_numberofstatus,code,resource ... View more

Hi Team, I am looking to extract the last value or last but one or both values from the field which looks like below(eeee fffff or {eeeee}/fffffff: "field":"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff" please help me with the regular expression for it. I tried something like rex field=_raw "\"field\":\"././(?\w+)." but it is not working. regards, Sreedhar.A ... View more