I have data like this in a Splunk search:

2024-10-29 20:14:49 (715) worker.6 worker.6 txid=XXXX JobPersistence Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1167 Total records archived: 2167 Total related records archived: 1167

2024-10-29 20:13:17 (337) worker.0 worker.0 txid=YYYY JobPersistence Total records archived per table: sn_vul_vulnerable_item: 1000 sn_vul_detection: 1066 Total records archived: 2066 Total related records archived: 1066

How can I prepare a table as below? Basically, prepare a list of tables and the sum of their counts between the text "Total records archived per table:" and "Total records archived: "

sn_vul_vulnerable_item:2000
sn_vul_detection:2233

This is what I have so far:

node=* "Total records archived per table" "Total related records archived:" | rex field=_raw "Total records archived per table ((?m)[^\r\n]+)(?<tc_table>\S+): (?<tc_archived_count>\d+) Total related records archived:"
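One way to produce that table, as an added example that is not part of the original post: the first rex isolates the text between the two markers, the second pulls every `name: count` pair out of it as a multivalue field, and stats sums the counts per table. The field names tc_block, tc_pair and total_archived are hypothetical, and the search assumes each event carries the whole block as in the samples above.

```spl
node=* "Total records archived per table:" "Total records archived:"
| rex field=_raw "(?s)Total records archived per table:(?<tc_block>.*?)Total records archived:"
| rex field=tc_block max_match=0 "(?<tc_pair>\S+:\s*\d+)"
| mvexpand tc_pair
| rex field=tc_pair "^(?<tc_table>\S+):\s*(?<tc_archived_count>\d+)$"
| stats sum(tc_archived_count) AS total_archived BY tc_table
```

Restricting the pair extraction to tc_block rather than _raw keeps the trailing "Total records archived" and "Total related records archived" totals out of the per-table sums.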