For me it works as follows:
index="XXX" sourcetype="XXX" source=XXXX Host="10.*" Risk_Factor!="None"
| stats count by Risk_Factor
| sort -Risk_Factor
| head 3
| ... (some further statistic)
... done. I know I'm very late, but it works.
My best solution is to add a field with the folder name:
source="C:\\..\\Logs\\*" | rex field=source ".*[//\\\]+(?<folder>.*)[//\\\]+.[a-zA-Z.0-9]*"
Then I can use it in a timechart, for example:
source="C:\\..\\Logs\\*" | rex field=source ".*[//\\\]+(?<folder>.*)[//\\\]+.[a-zA-Z.0-9]*" | timechart count by folder
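To see what the rex in the answer above actually extracts, here is an added Python example (not from the original post) that translates the same pattern with Python's `re` module and runs it over a few constructed `source` paths, both Windows-style and Unix-style, plus a bare file name that has no folder at all. The `count_by_folder` helper stands in for the `| ... count by folder` step; the sample paths are made up for the illustration.

```python
import re
from collections import Counter

# Python translation of the rex pattern from the post above
# (`.*[//\\\]+(?<folder>.*)[//\\\]+.[a-zA-Z.0-9]*`): the leading greedy `.*`
# makes the named group land on the directory directly above the file name,
# whichever of "\" or "/" separates the path components.
FOLDER_RE = re.compile(r".*[/\\]+(?P<folder>.*)[/\\]+.[a-zA-Z.0-9]*")


def extract_folder(source):
    """Return the parent folder of a source path, or None when the path has
    no folder component (e.g. a bare file name). In Splunk the effect is the
    same: rex simply adds no `folder` field to that event."""
    m = FOLDER_RE.search(source)
    return m.group("folder") if m else None


def count_by_folder(sources):
    """Stand-in for `| stats count by folder` over the extracted field.
    Events without a folder are dropped, as a `by` clause drops events in
    which the split-by field is missing."""
    counts = Counter()
    for src in sources:
        folder = extract_folder(src)
        if folder is not None:
            counts[folder] += 1
    return dict(counts)


# Constructed sample `source` values for the demonstration, not real data.
SAMPLE_SOURCES = [
    r"C:\Program Files\App\Logs\web\access.log",
    r"C:\Program Files\App\Logs\web\error.log",
    r"C:\Program Files\App\Logs\db\query.log",
    "/var/log/nginx/access.log",
    "standalone.log",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src!r} -> folder={extract_folder(src)!r}")
    print(count_by_folder(SAMPLE_SOURCES))
```

The greedy `.*` in front of the first separator is what makes this pick the innermost directory rather than the top-level one; if you want a different level of the tree, move the group rather than relying on backtracking.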
When you extend your search string with
| table _raw | outputcsv output.csv
you can find your exported results in $SPLUNK_HOME/var/run/splunk.