Here is a snippet from my logfile:
Mar 24 01:31:11,388 INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11628^8861^1.31^0^291
I want to pull the number in between the 2nd and 3rd caret, create a field called "plavg" and graph the values along the X axis:
| rex field=_raw "CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?<plavg>[^^]+)" | timechart values(plavg)
The regex is working but the timechart is not. How do I graph the values from my logfile on a timechart? Do I have to convert the "1.31" from a string to a number?
Thanks in advance.
Timechart was putting the data into 10 minute buckets by default and the time interval for the events was less than a minute. This resulted in multiple values per time interval so it wouldn't graph. Here is the search that worked:
| rex field=_raw "CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?<plavg>[^^]+)" | timechart span=30s values(plavg)
You have to use values because timechart needs a function before the field.
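
The bucketing effect described in the answer, as an added example that is not part of the original post: Python that applies the same extraction pattern and groups the values into 10-minute and 30-second buckets so the number of values per bucket is visible. All sample lines after the first, the assumed year, and the function names `extract` and `bucket` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: first line is the one quoted in the question, the rest are made up.
SAMPLE_LOG = """\
Mar 24 01:31:11,388 INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11628^8861^1.31^0^291
Mar 24 01:31:41,402 INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11702^8900^1.27^0^305
Mar 24 01:32:11,395 INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11790^8954^1.40^0^288
Mar 24 01:32:41,390 INFO [0x41401960]: NoSnmpMibInstance: CountWorker.ProcLoTimes = 11850^9001^1.35^0^290
Mar 24 01:32:50,100 INFO [0x41401960]: NoSnmpMibInstance: SomethingElse = 1^2^3
"""

# Same pattern as the rex above; Python spells the named group (?P<name>...).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}),\d+ .*"
    r"CountWorker.ProcLoTimes\s+=\s+\d+\^\d+\^(?P<plavg>[^^]+)"
)

def extract(log_text, year=2015):
    """Return [(datetime, float)] for matching lines. The log carries no year, so one is assumed."""
    points = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without the counter are skipped, as rex leaves plavg unset
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        points.append((ts.replace(tzinfo=timezone.utc), float(m["plavg"])))
    return points

def bucket(points, span_seconds):
    """Group values into fixed-width time buckets, keyed by bucket start (epoch seconds)."""
    out = defaultdict(list)
    for ts, value in points:
        epoch = int(ts.timestamp())
        out[epoch - epoch % span_seconds].append(value)
    return dict(out)

if __name__ == "__main__":
    pts = extract(SAMPLE_LOG)
    for span in (600, 30):
        print(f"span={span}s")
        for start, values in sorted(bucket(pts, span).items()):
            label = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S")
            print(f"  {label}  {values}")
```
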