Difference between revisions of "Splunk"
From neil.tappsville.com
Revision as of 05:53, 21 October 2019
Match the value (.*) after "want:" and extract it into a field (field_name)
<pre>
| rex field=_raw "some text before what we want:(?<field_name>.*)"
</pre>
Group results into 1-hour chunks
<pre>
| timechart span=1h count(field_name) by field_name
</pre>
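An added end-to-end example (not from the original page) that builds a few constructed events with makeresults, extracts the value with rex, and buckets it with timechart; the field name status and the "status we want:" text are hypothetical, and the capture uses \S+ instead of the greedy .* so only the first token after the marker is taken rather than the whole rest of the line.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=now() - n*1500
| eval _raw=case(n%3==0, "auth result for user, status we want:denied extra words",
                 n%3==1, "auth result for user, status we want:allowed",
                 true(), "line with no marker at all")
| rex field=_raw "status we want:(?<status>\S+)"
| timechart span=1h count(status) by status
```

Events that do not match the regex get no status field and so are not counted; the result is one row per hour with an "allowed" and a "denied" column.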