Splunk
From neil.tappsville.com
Match everything (.*) after "want:" up to the end of the event and turn it into a field called field_name. rex uses PCRE syntax, so the named group is written (?<field_name>...); because .* is greedy it also captures any trailing whitespace.
| rex field=_raw "some text before what we want:(?<field_name>.*)"
Group results into 1 hour chunks and count, per hour, how many events carry each value of field_name. timechart span=1h already bins _time itself, so the bucket command in front of it is redundant but harmless.
|bucket span=1h _time | timechart span=1h count(field_name) by field_name
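As an added example (not part of the original notes and not Splunk code), the Python below reproduces the two searches above on a handful of constructed events: a rex-style named-group extraction, then an hourly count per extracted value. The sample events, the field name field_name and the "want:" marker come from the page; the timestamps and values are invented. Note that Python's re module spells the named group (?P<name>...) rather than Splunk's PCRE (?<name>...).

```python
"""Offline model of the two Splunk searches on this page: a rex-style
named-capture extraction followed by an hourly count per extracted value.
Added example, not Splunk code; the sample events are constructed here."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (timestamp, raw text), not real logs.
# Only the first three carry the "want:" marker that rex keys on.
SAMPLE_EVENTS = [
    ("2024-05-01T09:05:12Z", "some text before what we want:alice"),
    ("2024-05-01T09:47:03Z", "some text before what we want:bob"),
    ("2024-05-01T10:12:44Z", "some text before what we want:alice"),
    ("2024-05-01T10:30:00Z", "unrelated event with no marker"),
]

# Splunk rex uses PCRE syntax (?<name>...); Python's re needs (?P<name>...).
# The trailing .* is greedy and keeps everything to the end of the event,
# including trailing whitespace, so the captured value is stripped below.
REX = re.compile(r"some text before what we want:(?P<field_name>.*)")


def extract_field(raw: str):
    """Equivalent of `| rex field=_raw "...(?<field_name>.*)"` on one event.
    Returns the captured value, or None when the event does not match
    (rex leaves the field absent; it does not drop the event)."""
    m = REX.search(raw)
    return m.group("field_name").strip() if m else None


def hour_bucket(ts: str) -> str:
    """Equivalent of `| bucket span=1h _time`: floor the timestamp to the hour."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0).isoformat()


def timechart_count_by_field(events):
    """Equivalent of `| timechart span=1h count(field_name) by field_name`:
    count, per hour and per extracted value, the events where the field
    exists. Events without the field are skipped, as count(field) does."""
    counts = Counter()
    for ts, raw in events:
        value = extract_field(raw)
        if value is None:
            continue
        counts[(hour_bucket(ts), value)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (hour, value), n in sorted(timechart_count_by_field(SAMPLE_EVENTS).items()):
        print(f"{hour}  {value:<8} {n}")
```

Running it prints one row per (hour, value) pair, which is the same shape timechart produces before it pivots the split-by values into columns.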