rex "timeStamp=(?<human_time>\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}\.\d{3})"
| eval epochTime=strptime(human_time, "%Y-%m-%d %H:%M:%S.%3Q")*1000
| table epochTime
multi value rex
| rex max_match=3 "amount:(?<amount>[\d\.]+),"
| eval IN = mvindex(amount, 0)
| eval OUT = mvindex(amount, 1)
| eval BALANCE = mvindex(amount, 2)
reading from a previous row
HealthMonitor
| rex field=log "heap.memory.used\/total=(?<heapPerc>[\d.]+)%"
| rex field=log "thread.count=(?<threadCount>[\d]+),"
| rex field=log "minor.gc.count=(?<minorGcCount>[\d]+),"
| rex field=log "minor.gc.time=(?<minorGcTime>[\d]+)ms,"
| rex field=log "major.gc.count=(?<majorGcCount>[\d]+),"
| rex field=log "major.gc.time=(?<majorGcTime>[\d]+)ms,"
| stats avg(majorGcTime) as time by _time
| streamstats current=f window=1 last(time) as prev
| eval diff=(time-prev)/1000
| table _time diff
appendcols
This example produces a stacked-area graph of requests by website, with a chart overlay of the 90th-percentile response time across all websites. appendcols pastes the subsearch rows next to the outer results by position, so both sides must produce the same time buckets for the overlay to line up.
| <search term>
| timechart count(requests) as "Number of requests" by website
| appendcols [ search <search term>
| timechart avg(requests) as "90% time" ]
show multiple status codes by website
| timechart count(eval(statusCode="OK")) as "OK" count(eval(statusCode!="OK")) as "NOT OK" by website
How to list all the indexes?
| eventcount summarize=false index=* | dedup index | fields index