I'm using Splunk 6.0.3.
When I search for: "has been closed after being in use"
I have a series of hits like shown in the 4 sample lines below:
2014-06-17 18:26:47.219765 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 175 seconds in automatic mode
2014-06-18 14:48:30.241732 (UTC) Camera SITENAME-2.camera.CAMERANAME-2 has been closed after being in use for 281 seconds in manual mode
2014-06-18 15:52:53.974993 (UTC) Camera SITENAME-3.camera.CAMERANAME-3 has been closed after being in use for 5494 seconds in Unknown mode
2014-06-18 15:53:10.312491 (UTC) Camera SITENAME-4.camera.CAMERANAME-4 has been closed after being in use for 5511 seconds in watching mode
How can I do a search to report the total usage time for each camera, at each site, in each mode?
And... print pretty charts and plots?
You could either use the field extractor UI to try and solve it, or you could use rex on the search line to handle the same.
Something like (untested, but probably close):
your base search | rex "Camera (?P<CameraSite>.+) has been closed after being in use for (?P<UsageTime>\d+) seconds in (?P<Mode>\S+) mode" | chart sum(UsageTime) over CameraSite by Mode
You probably need to modify the regex ".+" in the CameraSite field to capture the full name... I usually have to play around with it, but could either be something like
(?P<CameraSite>[\w\d\-\.]*) or (?P<CameraSite>.*[^ ])
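To check the extraction before pasting it into Splunk, the same pattern can be run over the sample events offline. The script below is an added example, not part of the answer above and not a Splunk feature: it emulates what the rex and the chart command do, splitting the camera name into site and camera, capturing the mode, and summing the seconds per (site, camera, mode). The input is constructed from the four events in the question plus two made-up lines (a second closure for SITENAME-1 so the sum is visible, and an "opened" event to show non-matching lines are skipped).

```python
import re
from collections import defaultdict

# Pattern equivalent to the rex in the answer above, with the site and camera
# split into separate fields and the mode captured as well. "\S+" stops at the
# next space, so the greedy ".+" is not needed to pick up the full name.
EVENT_RE = re.compile(
    r"Camera (?P<site>[^.\s]+)\.camera\.(?P<camera>\S+) "
    r"has been closed after being in use for (?P<seconds>\d+) seconds "
    r"in (?P<mode>\S+) mode"
)

# Constructed sample input: the four events from the question, one extra
# made-up closure for SITENAME-1, and one made-up non-closure event.
SAMPLE_EVENTS = """\
2014-06-17 18:26:47.219765 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 175 seconds in automatic mode
2014-06-18 14:48:30.241732 (UTC) Camera SITENAME-2.camera.CAMERANAME-2 has been closed after being in use for 281 seconds in manual mode
2014-06-18 15:52:53.974993 (UTC) Camera SITENAME-3.camera.CAMERANAME-3 has been closed after being in use for 5494 seconds in Unknown mode
2014-06-18 15:53:10.312491 (UTC) Camera SITENAME-4.camera.CAMERANAME-4 has been closed after being in use for 5511 seconds in watching mode
2014-06-18 16:10:02.000000 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 60 seconds in automatic mode
2014-06-18 16:11:00.000000 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been opened
"""


def parse_event(line):
    """Return (site, camera, mode, seconds) for a closure event, else None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return m["site"], m["camera"], m["mode"], int(m["seconds"])


def total_usage(lines):
    """Sum usage seconds per (site, camera, mode), like chart sum(UsageTime)."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # not a closure event; skip it rather than guess
        site, camera, mode, seconds = parsed
        totals[(site, camera, mode)] += seconds
    return dict(totals)


def format_report(totals):
    """Render the totals as a fixed-width table, one row per site/camera/mode."""
    rows = [f"{'site':<12} {'camera':<14} {'mode':<10} {'seconds':>8}"]
    for (site, camera, mode), seconds in sorted(totals.items()):
        rows.append(f"{site:<12} {camera:<14} {mode:<10} {seconds:>8}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(total_usage(SAMPLE_EVENTS.splitlines())))
```

Run it against a few hundred real lines exported from the index; any closure event that ends up missing from the totals points at a camera or mode name the regex does not cover, which is exactly the adjustment the answer says is usually needed.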