Your first solution totals up all the prefixes into "Other", but by "Other" I meant all the XMLs that did not fit into any of the prefixes, so that I would need...
FOO 7
BAR 0
BAZ 1
Other 2
Total 10
And yes, basically Monday is one long day. For Saturday, Sunday and Monday, "earliest" is Saturday 00:00, and latest is always now(), no matter which day.
I have a field "filename" which is an xml going through a component. I want to count the number of them with a specific prefix so that I get a table like the following.
FOO | 23
BAR | 0
BAZ | 104
other | 340
Total | 467
given that FOO is a prefix in an xml called FOO_239cjase93912ds.xml, BAR and BAZ, etc.
So far I have the following rex:
| rex field=filename max_match=1 "(?<prefix>(FOO|BAR|BAZ)*.xml)" | stats count by prefix | addcoltotals
Problems and Questions:
1. I don't know how to count "other" (filenames that don't have any of the given prefixes)
2. I want to have a custom range of "last business day" that means on Monday I want to count all files from Saturday 00:00 to Monday Now() and up to last midnight on weekdays. (e.g. on Thursday apply Today())
Thank you
This is incorrect. It does not refresh. I hope you understand when I say edit the xml I mean editing the file /opt/splunk/etc/apps/ /local/data/ui/views/ .xml
It seems I can't edit dashboard and form XMLs using my own editor. Upon saving, Splunk does not refresh (probably because it reads from DB cache instead of file?). How can I force it to read the file every time it changes? I'd like to use my own IDE instead of the Splunk XML editor.
Thanks,