<mysearch> | rex field=_raw "bsy:\s+(?<bsy>\d+)"|timechart avg(bsy) is not giving any output

I want my output like

time	host1	host2
1	bsy value	bsy value
2	bsy value	bsy value

---

---

@kkrish0602 wrote:

<mysearch> | rex field=_raw "bsy:\s+(?<bsy>\d+)"|timechart avg(bsy) is not giving any output

I want my output like

time	host1	host2
1	bsy value	bsy value
2	bsy value	bsy value

---

When giving sample data, desired output, or search code, it is best to use text. Screenshots can be too noisy to be read accurately and difficult to translate into code samples.  According to the screenshot, the above has to output something even if it is not what you were asking.

If the desired output you described is truly in a timechart, you have to also define what stats function to use to obtain "bsy value": is it avg(bsy)? is it max(bsy)? is it values(bsy)? etc. (See Timechart.)  It is possible that you also want to include those events in which the string "bsy" and the value is not separated by colon (:).  In that case, you could use

| rex "bsy:*\s+(?<bsy>\d+)"
| timechart avg(bsy) by host

If the "bsy value" in your desired output is not a statistic but the individual value in each event, the command you are looking for is perhaps xyseries instead of timechart, e.g.,

| rex "bsy:*\s+(?<bsy>\d+)"
| xyseries _time host bsy

 

Could you please post some sample events ?

Here is the link to test

https://regex101.com/r/32TXGO/1

You also should add those "| search x y z" directly to the first part of your query without "| search". It's much efficient to reduce the search result set on first phase than add those later on search pipeline.