Hi, thanks for commenting.
For some reason, I had problems using props.conf and transforms.conf.
Both files were configured to use a working regex (your regex was great, I just had to tweak it so it would work on JSON), yet it didn't extract the fields.
In the Splunk web page, under the fields extraction manager, I saw both of the fields I tried to extract, yet when I searched they weren't extracted.
I also tried to create an extraction using "add field extraction" in the Splunk web page, which worked... well, not exactly. Instead of extracting all of the key values, it only extracted the first value.
Because of a deadline I was forced to try a fast and simple solution: I'm using rex on every search. It's not ideal, but it's working.
I still need to bar chart/column chart the two fields, but I'll try to do this on my own.
Thanks for your help! Really appreciate that!