Hi VI371887,
Try this run-anywhere search:
| makeresults | eval data="\"disk_bytes\":23.10,\"disk_bytes_quota\":23.13t," | rex field=data "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"
In your environment:
base search | rex field=_raw "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"
OR
base search | rex field=data "disk_bytes\"\:(?<disk_bytes>[^,]+)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>[^,]+)\,"