I use the License Usage search (generally when I click through on a host or source from the License Usage page) and can manipulate the hosts or time blocks with no problem.
But I'd like to narrow down the information and determine how much license usage is going to DEBUG logs. If here is my original string:
index=_internal source="*license_usage.lo*" type=Usage | bucket _time span=60m | stats sum(b) as bytes by _time h | eval mb=bytes/1048576 | rename h as host | rename mb as Mbytes | search host="*-prd-*"
Where would I put the term "[DEBUG]" to only count events that include that word?
Thanks!
↧