Solved: Re: Search _internal by Series

hartfoml · ‎09-25-2012

I have created two letter ID's for my indexes. I would like to know how each index is doing so I search the _internal for the index name like this:
index="_internal" source="*metrics.log" per_index_thruput series="aa"
this will show me the amount of data indexed and I can count or sum or timechart.
I want to do this for all my two letter series but I don't know how to do the search without including all the unwanted series. Somehow I need to restrict the (series="**") to only two letters. All the other series have more than two letters.

Lamar · ‎09-25-2012

Try this:

index=_internal source=*metrics.log group="per_index_thruput" | rex field=series "^(?<good>[a-z_]{2})$" | search good=*

View solution in original post

Lamar · ‎09-25-2012

Try this:

index=_internal source=*metrics.log group="per_index_thruput" | rex field=series "^(?<good>[a-z_]{2})$" | search good=*

hartfoml · ‎09-25-2012

Thanks that was the key

Search _internal by Series

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation