It might be a very simple answer, however I am not able to find it so far.
My Splunk query has a field name "Size(MB)". I cannot get around it with an escape character, eval or rex to run the query with this type of field.
index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname
If your data is in a form like this:
bla bla Size(128)
Then you can extract it using regex like this:
index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname
For me this works: avg("Size(MB)")
You can try to rename the field like this:
your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname
PS: You do have a space after span in your example. This does not work. Correct is span=1d, not span =1d
It is not about the data, it's the field name itself with brackets ().
@ratan2257
You just need double quotes around the name.
index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname
Thanks
Unfortunately that didn't work.
@ratan2257
Is it possible to share the sample event or screenshot of this field and value?