I have the following search string which I use to create a line chart:
....| timechart span=1d sum(kb) by series
The results and the graph show VALUE_internal and VALUE_audit. I just want _internal and _audit. How do I remove the VALUE so my results are less confusing?
Thanks.
Fields with a leading "_" (underscore) are hidden fields. I would guess this is why the "VALUE" is prepended to this field is so it would not stay hidden. You could use the rename command, but you would have to choose something that is not preceded with an underscore.
| rename VALUE_audit as -audit
VALUE is getting appended to _internal and _audit. I ran the following search command and got the following output:
index=_internal source=metrics.log group=per_index_thruput series!=summary | count by series -- this shows _metric and _internal. When I run this thru timechart as above, VALUE is appended - try it.
Hard to understand exactly what you are looking for. Are the x & Y access titles showing this? Or is this actual values that are displayed in the legend?
You can use eval with the trim function to remove VALUE off of your field values like this: