Difference between revisions of "Splunk"

From neil.tappsville.com
Revision as of 05:53, 21 October 2019

Match everything (.*) after the literal text "some text before what we want:" and store it in a new field named field_name. rex searches _raw by default (so field=_raw can be omitted), and .* is greedy, so the capture runs to the end of the line; use a narrower group such as (?<field_name>\S+) if only the next token is wanted.

 | rex field=_raw "some text before what we want:(?<field_name>.*)"  

Group results into 1-hour chunks. timechart buckets _time itself according to span, so a preceding | bucket span=1h _time is redundant. count(field_name) counts only events where field_name exists, split by its values (equivalent to count by field_name).

 | timechart span=1h count(field_name) by field_name
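The following Python block is an added example, not code from the original page or from Splunk: it models what the two SPL commands above do (rex with a named capture group, then timechart span=1h count(field_name) by field_name) over a few constructed log events, so the greedy-capture behaviour of .* and the hour bucketing can be checked offline. The sample events, the REX_STRICT variant and the function names are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original page):
# (_time as ISO-8601 UTC, _raw as the log line).
SAMPLE_EVENTS = [
    ("2019-10-21T05:02:11Z", "proc started, some text before what we want:alpha"),
    ("2019-10-21T05:47:59Z", "proc started, some text before what we want:beta extra: words"),
    ("2019-10-21T06:01:00Z", "proc started, some text before what we want:alpha"),
    ("2019-10-21T06:30:30Z", "heartbeat with no marker"),
    ("2019-10-21T07:59:59Z", "proc started, some text before what we want:gamma"),
]

# Equivalent of: | rex field=_raw "some text before what we want:(?<field_name>.*)"
# Python spells named groups (?P<name>...); SPL/PCRE accept (?<name>...).
REX = re.compile(r"some text before what we want:(?P<field_name>.*)")
# Hypothetical tighter variant: capture only the next whitespace-free token.
REX_STRICT = re.compile(r"some text before what we want:(?P<field_name>\S+)")


def rex(events, pattern=REX):
    """Apply the pattern to _raw of each event.

    Like SPL rex, an event whose _raw does not match simply gets no
    field_name; it is not dropped from the result set.
    """
    out = []
    for t, raw in events:
        fields = {"_time": t, "_raw": raw}
        m = pattern.search(raw)
        if m:
            fields.update(m.groupdict())
        out.append(fields)
    return out


def hour_bucket(iso):
    """Floor an ISO-8601 UTC timestamp to the start of its hour (span=1h)."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def timechart_count_by(events, field="field_name", span_fn=hour_bucket):
    """Equivalent of: | timechart span=1h count(field_name) by field_name

    count(field_name) counts only events where the field exists, so the
    unmatched heartbeat event contributes nothing to any bucket.
    Returns {bucket_start: {field_value: count}} in time order.
    """
    table = defaultdict(Counter)
    for ev in events:
        if field in ev:
            table[span_fn(ev["_time"])][ev[field]] += 1
    return {bucket: dict(counts) for bucket, counts in sorted(table.items())}


if __name__ == "__main__":
    extracted = rex(SAMPLE_EVENTS)
    for ev in extracted:
        print(ev.get("field_name"), "<-", ev["_raw"])
    for bucket, counts in timechart_count_by(extracted).items():
        print(bucket, counts)
```

Note that the second sample event shows the greedy capture: with the page's pattern field_name becomes "beta extra: words", whereas REX_STRICT yields just "beta". Splitting timechart by a field whose values are whole free-text tails like that produces one series per distinct line ending, which is usually not what is intended.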