I have data that looks like this;
When I perform my search, the data returned by Splunk looks like this on the dashboard:
date="date" username="username filename="filename" 1000 bytes
You can see the problem... I can grab all of the "keyed" fields but I can't get the value "1000 bytes" because it's not keyed. If I had awk I could grab the second to the last value of the string and I would be done.
Is there a way to grab the value "1000" above and place it into a value to inject into my tables?
Thanks