A commonly used Splunk query example

index="actioncenter" | search "msg.Results.TraceLevel"=Error | search cf_app_name="AccountOpenBFFAPI*" | search "msg.Results.Message"="HTTP Response: {\"message\":\"Invalid Role Title Code*with Customer Type BENE combination.*" | spath output=EnvelopeId path=msg.Extended_Fields.EnvelopeId | where isnotnull(EnvelopeId) | spath output=ActionId path=msg.Extended_Fields.ActionId | eval time=strftime(_time, "%m-%d-%Y %l:%M %p") | table time, EnvelopeId, ActionId | stats list(time) by EnvelopeId,ActionId

You will not always need both table and stats list; choose according to the actual case.
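To see what each stage of the query above does, here is an added offline re-implementation of the same pipeline in Python over constructed sample events; it is not Splunk code and not part of the original page. It assumes the events are JSON with the msg.Results and msg.Extended_Fields structure the spath calls imply, and that timestamps are rendered in UTC.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, shaped like the JSON the page's spath calls walk (assumption).
def ev(t, app, level, msg, ext):
    return {"_time": t, "cf_app_name": app,
            "msg": {"Results": {"TraceLevel": level, "Message": msg},
                    "Extended_Fields": ext}}

BENE = 'HTTP Response: {"message":"Invalid Role Title Code 07 with Customer Type BENE combination."}'
OWNER = 'HTTP Response: {"message":"Invalid Role Title Code 07 with Customer Type OWNER combination."}'
SAMPLE_EVENTS = [
    ev(1700000000, "AccountOpenBFFAPI-prod", "Error", BENE, {"EnvelopeId": "ENV-1", "ActionId": "ACT-9"}),
    ev(1700003600, "AccountOpenBFFAPI-prod", "Error", BENE, {"EnvelopeId": "ENV-1", "ActionId": "ACT-9"}),
    ev(1700007200, "AccountOpenBFFAPI-prod", "Error", BENE, {"EnvelopeId": "ENV-2", "ActionId": "ACT-3"}),
    ev(1700000100, "AccountOpenBFFAPI-prod", "Info", BENE, {"EnvelopeId": "ENV-1", "ActionId": "ACT-9"}),   # wrong TraceLevel
    ev(1700000300, "AccountOpenBFFAPI-prod", "Error", OWNER, {"EnvelopeId": "ENV-1", "ActionId": "ACT-9"}), # wrong customer type
    ev(1700000400, "AccountOpenBFFAPI-prod", "Error", BENE, {"ActionId": "ACT-9"}),                        # no EnvelopeId
]

# The search-time wildcard from the query; '*' matches any run of characters.
MSG_PATTERN = 'HTTP Response: {"message":"Invalid Role Title Code*with Customer Type BENE combination.*'

def spath(event, path):
    """Stand-in for spath: follow a dotted path, None when any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def run_pipeline(events):
    """Apply the query's filters, then group like 'stats list(time) by EnvelopeId, ActionId'."""
    groups = defaultdict(list)
    for e in events:
        if spath(e, "msg.Results.TraceLevel") != "Error":
            continue
        if not fnmatch.fnmatchcase(e.get("cf_app_name", ""), "AccountOpenBFFAPI*"):
            continue
        if not fnmatch.fnmatchcase(spath(e, "msg.Results.Message") or "", MSG_PATTERN):
            continue
        envelope_id = spath(e, "msg.Extended_Fields.EnvelopeId")
        if envelope_id is None:  # where isnotnull(EnvelopeId)
            continue
        action_id = spath(e, "msg.Extended_Fields.ActionId")
        # Splunk's %l is the space-padded 12-hour clock; %I is Python's portable equivalent.
        stamp = datetime.fromtimestamp(e["_time"], tz=timezone.utc).strftime("%m-%d-%Y %I:%M %p")
        groups[(envelope_id, action_id)].append(stamp)
    return dict(groups)
```

The returned dict has one entry per (EnvelopeId, ActionId) pair holding the list of matching times, which is the shape the trailing stats list produces; dropping that stage would instead keep one row per event.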