I have message data similar to the following, which is the count of active user processes on a host:
host=hostA user1:0 user3:12 user10:2 user2:0
host=hostB user1:1 user4:8
host=hostC user10:2 user21:3 user2:0 user4:0 user14:8 user15:0
The format of the user fields is always the same - "user name":"number of processes" - however, the number of users reported on each host is variable. Some hosts will only have a few, some have dozens. I'm trying to create a chart to count the number of processes per user, split by user, on a given host over time, and I'm stuck. I'm assuming I need to use the format option, but I can't get the fields to split like I need. This is what I've come up with, but it returns no results:
index=_dev host=hostB | chart format=$AGG$:$VAL$ max($VAL$) by $AGG$
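One way to get the per-user series the question describes, as an added example that is not part of the original post: pull every name:count pair out of the raw event with `rex`, expand the pairs to one row each, then split each pair and chart by the extracted name. The field names `pair`, `user` and `procs` are assumptions made for this example, as is the pattern's requirement that a user name start with a letter or underscore (so colon-separated timestamps in the raw event are not picked up as pairs).

```spl
index=_dev host=hostB
| rex max_match=0 "(?<pair>\b[A-Za-z_][\w.-]*:\d+\b)"
| mvexpand pair
| rex field=pair "^(?<user>[^:]+):(?<procs>\d+)$"
| timechart limit=0 useother=f max(procs) by user
```

`limit=0` and `useother=f` keep every user as its own series instead of folding users beyond the default series limit into OTHER, which matters on hosts that report dozens of users.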