I have the following search:
"avg tx =" | timechart max(tx) by source
Where Source is the filenames, for example:
\\server1\vdi\LOGS\PCoIPLogFiles\V30040016\pcoip_server_2012_09_14_0000045c.txt
The search works perfectly however the legends (same as the source) are too long.
I'd like to only take part of the "source" as legends, remove " \\server1\vdi\LOGS\PCoIPLogFiles\ " and "\pcoip_server_2012_09_14_0000045c.txt", only leave the folder name "V300400xx" (I have many folders so I'm using xx to replace the actual number)
OR, I was thinking if I can create sourcetype using part of the source, meaning "V300400xx", and do the following search, it should also work.
"avg tx =" | timechart max(tx) by sourcetype
Is this possible? Thanks in advance.
Barry
... View more