New to Splunk so don't laugh too much at this -
I have many strings that look similar to this:
[71] 20130226.015959.650 3512.380251 RESULT success 0 entries 1 msecs
I want to be able to grab the msecs number and graph the avg per minute. I tried this:
index=blah blah blah |regex _raw="entries (?P
Obviously that doesn't give me what I want. Any assistance would be most appreciated.
Hi,
Give this a shot:
index=blah blah blah |rex field=_raw "entries (?<msecs>\d+) msecs" | timechart span=1m avg(msecs)
The regex command is for filtering results and the rex command is used for extracting values. Take a look at both commands in the docs for more info on syntax and usage.
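
The filter-versus-extract distinction from the answer above, as an added Python example that is not part of the original thread: it is a way to check the pattern and the per-minute average offline before running the search. The sample lines are constructed, the function names are hypothetical, and reading the second field as a YYYYMMDD.HHMMSS.mmm event time is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the format shown in the question.
SAMPLE = [
    "[71] 20130226.015959.650 3512.380251 RESULT success 0 entries 1 msecs",
    "[71] 20130226.015959.900 3512.380252 RESULT success 2 entries 5 msecs",
    "[72] 20130226.020000.120 3512.380253 RESULT success 1 entries 12 msecs",
    "[72] 20130226.020030.480 3512.380254 RESULT success 4 entries 8 msecs",
    "[73] 20130226.020031.000 3512.380255 BIND dn=example",  # no msecs field
]

# Python spells the named group (?P<msecs>...); the answer's rex uses (?<msecs>...).
MSECS_RE = re.compile(r"entries (?P<msecs>\d+) msecs")
# Assumption: second field is the event time, YYYYMMDD.HHMMSS.mmm.
TS_RE = re.compile(r"\b(?P<ts>\d{8}\.\d{6})\.\d{3}\b")


def regex_filter(lines):
    """Behaves like `regex`: keeps or drops whole events, extracts nothing."""
    return [line for line in lines if MSECS_RE.search(line)]


def rex_extract(lines):
    """Behaves like `rex`: keeps every event, adds msecs where the pattern matches."""
    events = []
    for line in lines:
        m = MSECS_RE.search(line)
        events.append({"_raw": line, "msecs": int(m.group("msecs")) if m else None})
    return events


def avg_per_minute(events):
    """Behaves like `timechart span=1m avg(msecs)`: events without msecs are ignored."""
    buckets = defaultdict(list)
    for event in events:
        ts = TS_RE.search(event["_raw"])
        if event["msecs"] is None or ts is None:
            continue
        when = datetime.strptime(ts.group("ts"), "%Y%m%d.%H%M%S")
        buckets[when.replace(second=0)].append(event["msecs"])
    return {minute.strftime("%Y-%m-%d %H:%M"): sum(vals) / len(vals)
            for minute, vals in sorted(buckets.items())}
```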