Hey,
I am trying to use collect together with the marker option. Unfortunately, I am not able to get any dynamic content for the marker string:
index=_internal file=* | head 10 | table _time file | collect index=test_temp marker=file
yields _raw entries like this:
03/26/2015 23:59:27 +0100, info_search_time=1427410768.113, file=shelper, file
What I would like, of course, is the content of the field file and not the string file. I have already tried:
... marker='file'
... marker=\'file\'
... marker=\\'file\\'
... marker=\\\'file\\\'
But the marker is always set to the string.
I thought of using the map command. But this is very ugly since map starts a search for each event going into map (maxsearches could be adjusted, but ... naah).
I also tried to create a macro mycollect(2):
collect index=$index$ marker=$marker$
But the same result for either
index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,file)`
or
index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,'file')`
So, does anyone have an idea?
Thanks in advance!