I may use a search similar to this: index=mock_index source=mock_source | eval event = _raw | stats count as frequency by event | table event, frequency which results in a table similar to the one below: Event Frequency 2022-08-22 13:11:12 [stuff] apple.bean.34 [stuff] 2000 2022-08-22 14:18:22 [stuff] apple.bean.86 6 [stuff] 200 2022-08-22 15:17:42 [stuff] apple.bean.1 546 [stuff] 2   Some of the tables which I get from this search give an error that states the search_process_memory_usage_threshold has been exceeded.  If I know that I am not interested in rows where the frequency is less than 1,000, is there a way to limit the table so it only shows the rows above 1,000?  Would this also improve memory usage? ... View more

Given the below example events: Initial event: [stuff] apple.bean.carrot2donut.57.egg.fish(10) max:311 min 15 avg 101 low:1[stuff] Result event 1: [stuff] apple.bean.carrot&donut.&.egg.fish(&) max:& min & avg & low:&[stuff] Result event 2: [stuff] apple.bean.carrot2donut.57.egg.fish(&) max:& min & avg & low:&[stuff] I want to get Result 2 rather than Result 1.  I want to replace any series of numbers with an ampersand only if one of three conditions are true.  These conditions: The number series is preceded by a space. The number series is preceded by a colon. The number series is preceded by an open parenthesis and followed by a closed parenthesis. If I use the replace line below, the new variable created will contain Result 1 rather than the Result 2 I desire. | eval event = replace(_raw, "[0-9]+", "&") How do I get Result 2 instead? ... View more

Currently I have used a similar query to what is below to plot data on a 24 hour graph. index=mock_index source=mock_source.log param1 param2 param3 | rex field=_raw "Latency: (?<latency>[0-9]+)" | eval time = mvjoin(mvindex(split(_raw, " "), 0, 1), " ") | eval time = strptime(time, "%Y-%m-%d %H:%M:%S,%3N") | table time, latency An example event: 2022-08-16 14:04:34,123 INFO [stuff] Latency: 55 [stuff] Ideally I would like to get latency averages over 5 minute periods, and display the data to a graph where the x-axis labels 30 minute intervals.  Given this goal, is strptime() the best way to manage the timestamps in my events? ... View more

My search looks similar to the one below: index=mock_index source=mock_source.log param1 param2 param3 | rex field=_raw "Latency: (?<latency>[0-9]+)" | timechart span=5m avg(latency)   An example event: 2022-08-16 14:04:34,123 INFO [stuff] Latency: 55 [stuff] What have I got wrong in my search that it doesn't draw a graph? ... View more

Based on what I've studied, I should be able to show a new field named item with a search such as the one below: index=existing_index | eval item = "apple" | stats count by source | table source, item, count I would expect output similar to the table below. source item count a/b/123.log apple 5 a/c/915.log apple 6 a/b/574.log apple 1   Instead, this happens: source item count a/b/123.log   5 a/c/915.log   6 a/b/574.log   1   Why did I not get what I expected? ... View more

First it isn't clear to me what units the various timeseries in a metric are returning.  It feels pretty arbitrary to me.  I was wondering if perhaps the ns portion of a metric stood for nanoseconds?  That would at least make it this more clear.  But I suppose it could also stand for namespace. ... View more