Splunk

From neil.tappsville.com

Revision as of 05:53, 21 October 2019 by Gonzo (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Match Value (.*) after "want:" and turn it into a field (field_name)

 | rex field=_raw "some text before what we want:(?<field_name>.*)"

Group results into 1 hour chunks

 | timechart span=1h count(field_name) by field_name

Retrieved from "https://neil.tappsville.com/index.php?title=Splunk&oldid=187"

Navigation menu