I have two separate queries that I am presenting as unique pie charts on a dashboard, the second being a further breakdown of one of the categories of the first search.  Is it possible, as in Excel, to have a pie of pie chart where the further breakdown of one category is present within the same chart, or do they have to be two independent charts as I'm doing currently?  No code sample to demonstrate as I have no idea of the feasibility.   ... View more

I've got logs that contain a timestamp in 24 hour YYYY-MM-DD HH:MM:ss:SSS format (example: 2021-04-29 18:43:07.557).  The timestamp in this log message is +5 hours ahead of the _time of the event.     So far I've got this much, which extracts the timestamp from the message but I don't know how to go about showing the difference between these two, especially with the five hour offset.  Ideally would just like to show a third value of the difference in the table.  Appreciate any instruction.    sourcetype="PCF:log" cf_app_name=app1 (msg="*message query here*") | rex field=msg "created on\s+(?<lockTime>\S+\s+\S+)" | table _time,lockTime   _time lockTime Expected 2021-04-28 12:46:37.381 2021-04-28 17:46:33.961 00:00:03.420   I should mention too that only the time portion, not the date, will need the difference calculated.  The YYYY-MM-DD will always be the same between _time and lockTime.  ... View more

Considering the following two messages:   sourcetype="PCF:log" cf_app_name=app1 msg="launch processing started" UserID: ABC sourcetype="PCF:log" cf_app_name=app1 msg="flow complete" UserID: ABC     I want to capture the elapsed time between the earliest occurrence of "launch processing started", and the latest occurrence of "flow complete", by matching on UserID (which I've regex extracted to a field).  How would I approach this?  Edit: I should mention this is timeboxed to one day. If a user launches but doesn't complete in a day, I don't care.   ... View more

Hi all, I've got two queries I'm trying to combine to track authorizations that are completed, or expire after a period of seven days.  The first query gets all of the authorizations sent, filtered by a unique AccountNum. Query 1:   earliest=-8d@d latest=-7d@d sourcetype="PCF:log" cf_app_name=app1 "Sending authorization" | rex field=msg "BAN: (?<AccountNum>\w+)" | dedup AccountNum    The second query returns all authorizations that have expired after a period of inactivity.  Query 2:   earliest=@d latest=now sourcetype="PCF:log" cf_app_name=app2 "authorizationExpired" | rex field=msg ",ban:(?<AccountNum>\w+)" | dedup AccountNum   The closest I've gotten to combining them how I need is: Query 3:   earliest=-8d@d latest=-7d@d sourcetype="PCF:log" cf_app_name=app1 "Sending authorization" | rex field=msg "BAN: (?<AccountNum>\w+)" | dedup AccountNum | append [search earliest=@d latest=now sourcetype="PCF:log" cf_app_name=app2 "authorizationExpired" | rex field=msg ",ban:(?<AccountNum>\w+)" | dedup AccountNum ] | fields msg | eval action=case( match(msg,"Sending authorization+"), "Total Authorizations Sent", match(msg,"authorizationExpired+"), "Authorizations Expired") | stats count(msg) by action     However, there are two mistakes/gaps with this third query. The first problem is I need the second query to only return results where AccountNum in query 2 is matching an AccountNum in query 1.  Secondly, I'd like to have a pie chart of Authorizations Expired (query 2) vs Authorizations Complete (total - expired = complete) but I'm struggling with the syntax on how to achieve that.  This third query shows total + expired, where expired is actually a subset of total.  I guess a third thing would be I don't know that append is really what I need or if there's a better, more performant way to construct this query?  I'd love to learn any helpful tips or tricks! Greatly appreciate any help ... View more

Hi all, I've been struggling with a good query for this for a few days. Basically I'm trying to track users that drop off between pages in a guided web application. I'm able to get the results for Page1 and for Page2 individually, but I don't know how to combine the two queries to get the desired result. I don't know if I need to work with join or distinct count. Basically on page1 I can dedup the AccoutNum, UserID (I don't care if the same user comes through with the same account), but I do care if a different user does. Users B and F both came to page one with account 567, but only F proceeded. I really want to learn so any guided help or explanation would be amazing. Please let me know if anything is unclear. ... View more