I'm trying to shorten up a timechart search by removing the xmlkv function. I've tried numerous times using rex and regex but have been unsuccessful.
The current working search string, which takes too long to execute, is this:
index=abc sourcetype=abc_123 | xmlkv | search somequery
| timechart count by somequery usenull=F useother=F
| rename Yes AS "somequery good" No AS "somequery bad"
In place of the xmlkv | search somequery I've tried regex _raw="NoALIQuery." and other variations. The search pulls results, but for the purpose of timechart it shows them only as Null. I need them to show the somequery field's true values of Yes or No.
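Added example, not from the original post: a rewrite of the search above that replaces xmlkv with a targeted rex extraction. The difference that matters here is that the regex command only filters events and creates no field, so timechart has nothing to split on and reports NULL, whereas rex creates the field. The element name <somequery> and the exact XML layout are assumptions; adjust the pattern to the real tag in _raw.

```spl
index=abc sourcetype=abc_123
| rex field=_raw "<somequery[^>]*>(?<somequery>Yes|No)</somequery>"
| search somequery=*
| timechart count by somequery usenull=F useother=F
| rename Yes AS "somequery good", No AS "somequery bad"
```

The `[^>]*` allows attributes on the tag, and `search somequery=*` discards events where the extraction did not match before timechart runs. If the Yes/No value is not always the only content of the element, widen the capture group to `(?<somequery>[^<]+)` and check the results with `| stats count by somequery` before trusting the chart.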