I have created two letter ID's for my indexes. I would like to know how each index is doing so I search the _internal for the index name like this:
index="_internal" source="*metrics.log" per_index_thruput series="aa"
this will show me the amount of data indexed and I can count or sum or timechart.
I want to do this for all my two letter series but I don't know how to do the search without including all the unwanted series. Somehow I need to restrict the (series="**") to only two letters. All the other series have more than two letters.
Try this:
index=_internal source=*metrics.log group="per_index_thruput" | rex field=series "^(?<good>[a-z_]{2})$" | search good=*
Try this:
index=_internal source=*metrics.log group="per_index_thruput" | rex field=series "^(?<good>[a-z_]{2})$" | search good=*
Thanks that was the key