Hello, I'm running Splunk 8.1.2 and I'm trying to group different sources of an index to count them within one query. The following fields are what I'm trying to group:

index: license_compliance
fields:
- prod
- dev
- other (anything that does not end in prod or dev)

index=license_compliance OR source="/license_compliance-splunk-data/iCinga_ingest/*"
| rex field=source "\/license_compliance-splunk-data\/iCinga_ingest\/(?<log_source>\w+)"
| eval log_source="iCinga_ingest".log_source
| dedup source, name
| timechart span=1d count(name) by source

The data looks like this currently:

"/license_compliance-splunk-data/iCinga_ingest/iCingaDev_2021-07-07.csv"

I would like to get something like this:

07/07:
iCinga_Prod: 5
iCinga_Dev: 0
iCinga_Other: 2

Thanks in advance!
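One way to produce the grouping described in the question, as an added example that is not part of the original post: it assumes the environment is the file-name token in front of the `_YYYY-MM-DD.csv` suffix (e.g. `iCingaDev`), derives a hypothetical `env` field from it with `case()`/`match()`, and keeps the `dedup source, name` step from the question so each source/name pair is counted once per day.

```spl
index=license_compliance source="/license_compliance-splunk-data/iCinga_ingest/*"
``` extract the token before the date suffix, e.g. "iCingaDev" (assumed naming scheme) ```
| rex field=source "/iCinga_ingest/(?<log_source>[^/]+)_\d{4}-\d{2}-\d{2}\.csv$"
``` classify by suffix: ends in prod -> Prod, ends in dev -> Dev, everything else -> Other ```
| eval env=case(match(log_source, "(?i)prod$"), "iCinga_Prod",
                match(log_source, "(?i)dev$"),  "iCinga_Dev",
                true(),                          "iCinga_Other")
``` count each source/name pair once, then one row per day with a column per environment ```
| dedup source, name
| timechart span=1d count(name) by env
```

A column such as iCinga_Dev only appears if at least one event in the search window maps to it; a day with no Dev events inside that window shows 0 as in the desired output.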