Difference between revisions of "Splunk"
From neil.tappsville.com
Revision as of 15:05, 11 April 2020
Match the value (.*) after "want:" and turn it into a field (field_name)
| rex field=_raw "some text before what we want:(?<field_name>.*)"

Group results into 1 hour chunks
| timechart span=1h count(field_name) by field_name

Export RAW logs
host=<host_name> | table _raw | outputcsv rawdump.csv
Then download as csv
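The three snippets above chained into one search, as an added example that is not part of the original page. The index, sourcetype and the literal "what we want:" prefix are assumptions; the capture group uses `[^,\s]*` instead of `.*` so the field stops at the first comma or whitespace rather than swallowing the rest of the event:

```spl
index=main sourcetype=app_log "what we want:"
| rex field=_raw "some text before what we want:(?<field_name>[^,\s]*)"
| where isnotnull(field_name)
| timechart span=1h count by field_name
| outputcsv field_name_hourly.csv
```

`outputcsv` writes the file on the search head under `$SPLUNK_HOME/var/run/splunk/csv/`, so on a shared search head treat the directory as holding raw event data with the same handling as the source logs; for a one-off pull the Export button on the results page is the lighter option, as the page notes.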